From: "Michal Suchánek" <msuchanek@suse.de>
To: Ram Pai <linuxram@us.ibm.com>
Cc: fweimer@redhat.com, Thomas Gleixner <tglx@linutronix.de>,
Ulrich.Weigand@de.ibm.com, mhocko@kernel.org,
Dave Hansen <dave.hansen@intel.com>,
paulus@samba.org, aneesh.kumar@linux.vnet.ibm.com,
bauerman@linux.vnet.ibm.com,
Andrew Morton <akpm@linux-foundation.org>,
linuxppc-dev@lists.ozlabs.org, Ingo Molnar <mingo@kernel.org>
Subject: Re: [PATCH v3] powerpc, pkey: make protection key 0 less special
Date: Mon, 7 May 2018 13:21:49 +0200 [thread overview]
Message-ID: <20180507132149.3fc1dcc5@kitsune.suse.cz> (raw)
In-Reply-To: <20180506201043.GE5617@ram.oc3035372033.ibm.com>
On Sun, 6 May 2018 13:10:43 -0700
Ram Pai <linuxram@us.ibm.com> wrote:
> On Sat, May 05, 2018 at 02:39:56PM +0200, Michal Such=C3=A1nek wrote:
> > On Fri, 4 May 2018 14:45:07 -0700
> > Ram Pai <linuxram@us.ibm.com> wrote:
> > =20
> > > On Fri, May 04, 2018 at 02:31:10PM -0700, Dave Hansen wrote: =20
> > > > On 05/04/2018 02:26 PM, Michal Such=C3=A1nek wrote: =20
> > > > > If it is not ok to change permissions of pkey 0 is it ok to
> > > > > free it? =20
> > > >=20
> > > > It's pretty much never OK to free it on x86 or ppc. But, we're
> > > > not going to put code in to keep userspace from shooting itself
> > > > in the foot, at least on x86. =20
> > >=20
> > > and on powerpc aswell. =20
> >=20
> > But once it's free it can be re-allocated. So you are moving the
> > special-casing from free code to code dealing with allocation. =20
>=20
> Actually if an application frees key-0, it has potentially opened up a
> can-of-worms. It could step on anything that explodes.=20
>=20
> Its choice between imposing policies on an application v/s freeing it
> up to choose its own policy. I think the kernel should impose some
> form of mild-policy. But others think there should be none.
It is a problem of the application when it frees a key it still needs.
I am not for or against allowing that. The problem is with the
interface change once the key is freed.
>=20
> >=20
> > If you want something like allocate_exec_only_pkey then the function
> > (either in kernel or in userspace) needs to make sure it is not
> > getting/requesting key 0 on powerpc. =20
>=20
> Yes. makes sense. I will put in some checks towards that.
Suppose an application is adapted to take advantage of freeing key
0, perhaps to revoke access to any code and data used at runtime
initialization which is not longer needed.=20
As I understand it with the proposed change any address range not
associated with non-default key becomes inaccessible and key 0 becomes
available for allocation again. This is fine on x86 where key 0 is
fully functional.=20
However, on powerpc the application now has key 0 available and it is
not fully a fully functional key. So the application now needs to check
that the key it is allocating is not key 0. Otherwise further key
operations may unexpectedly fail.
To prevent this I would suggest
a) do not allow allocating key 0. If it is freed it becomes reserved
b) never expose key 0 to applications. Allocate key 2 as the default
key and present the key numbers with an offset to userspace so key 2
appears as key 0 to user applications.
Thanks
Michal
next prev parent reply other threads:[~2018-05-07 11:21 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-04 19:22 [PATCH v3] powerpc, pkey: make protection key 0 less special Ram Pai
2018-05-04 19:59 ` Dave Hansen
2018-05-04 20:21 ` Ram Pai
2018-05-04 21:26 ` Michal Suchánek
2018-05-04 21:31 ` Dave Hansen
2018-05-04 21:45 ` Ram Pai
2018-05-05 12:39 ` Michal Suchánek
2018-05-06 20:10 ` Ram Pai
2018-05-07 11:21 ` Michal Suchánek [this message]
2018-05-08 16:38 ` Ram Pai
2018-05-08 17:03 ` Michal Suchánek
2018-05-08 18:38 ` Ram Pai
2018-05-09 15:43 ` Michal Suchánek
2018-05-09 15:46 ` Dave Hansen
2018-05-09 15:56 ` Michal Suchánek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180507132149.3fc1dcc5@kitsune.suse.cz \
--to=msuchanek@suse.de \
--cc=Ulrich.Weigand@de.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=bauerman@linux.vnet.ibm.com \
--cc=dave.hansen@intel.com \
--cc=fweimer@redhat.com \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=linuxram@us.ibm.com \
--cc=mhocko@kernel.org \
--cc=mingo@kernel.org \
--cc=paulus@samba.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.