From: Kevin Brodsky
Date: Tue, 26 May 2026 12:16:04 +0100
Subject: [PATCH RFC v8 15/24] mm: kpkeys: Introduce hook for protecting static page tables
Message-Id: <20260526-kpkeys-v8-15-eaaacdacc67c@arm.com>
References: <20260526-kpkeys-v8-0-eaaacdacc67c@arm.com>
In-Reply-To: <20260526-kpkeys-v8-0-eaaacdacc67c@arm.com>
To: linux-hardening@vger.kernel.org
Cc: Kevin Brodsky, Andrew Morton, Andy Lutomirski, Catalin Marinas,
 Dave Hansen, "David Hildenbrand (Arm)", Ira Weiny, Jann Horn, Jeff Xu,
 Joey Gouly, Kees Cook, Linus Walleij, Marc Zyngier, Mark Brown,
 Matthew Wilcox, Maxwell Bland, "Mike Rapoport (IBM)", Peter Zijlstra,
 Pierre Langlois, Quentin Perret, Rick Edgecombe, Ryan Roberts,
 Vlastimil Babka, Will Deacon, Yang Shi, Yeoreum Yun,
 linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, x86@kernel.org,
 Lorenzo Stoakes, Thomas Gleixner

The kpkeys_hardened_pgtables infrastructure introduced so far allows
compatible architectures to protect all page table pages (PTPs)
allocated at runtime (first via memblock, then the buddy allocator).
Some PTPs are however required even earlier, before any allocator is
available. This is typically needed for mapping the kernel image
itself. These PTPs are at least as sensitive as those allocated later
on, and should be protected by mapping them with the privileged pkey.

Exactly how these pages are obtained is entirely arch-specific, so we introduce a hook to let architectures that implement kpkeys_hardened_pgtables do the right thing. Signed-off-by: Kevin Brodsky --- include/linux/kpkeys.h | 4 ++++ mm/kpkeys_hardened_pgtables.c | 1 + 2 files changed, 5 insertions(+) diff --git a/include/linux/kpkeys.h b/include/linux/kpkeys.h index 0e246354e95c..c0ae7e1fc382 100644 --- a/include/linux/kpkeys.h +++ b/include/linux/kpkeys.h @@ -146,6 +146,10 @@ void kpkeys_hardened_pgtables_init(void); phys_addr_t kpkeys_physmem_pgtable_alloc(void); +#ifndef arch_kpkeys_protect_static_pgtables +static inline void arch_kpkeys_protect_static_pgtables(void) {} +#endif + #else /* CONFIG_KPKEYS_HARDENED_PGTABLES */ static inline bool kpkeys_hardened_pgtables_enabled(void) diff --git a/mm/kpkeys_hardened_pgtables.c b/mm/kpkeys_hardened_pgtables.c index 13af4930db3d..269de610d744 100644 --- a/mm/kpkeys_hardened_pgtables.c +++ b/mm/kpkeys_hardened_pgtables.c @@ -66,6 +66,7 @@ void __init kpkeys_hardened_pgtables_init(void) static_branch_enable(&kpkeys_hardened_pgtables_key); ppa_finalize(); + arch_kpkeys_protect_static_pgtables(); } /* -- 2.51.2
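
Review bot: the default arch_kpkeys_protect_static_pgtables() stub added under `#ifndef arch_kpkeys_protect_static_pgtables` in include/linux/kpkeys.h carries no comment stating the hook's contract. As written, an architecture that builds with CONFIG_KPKEYS_HARDENED_PGTABLES but does not define the macro gets the empty inline, and its static page tables stay mapped with whatever pkey they had, with nothing flagging the omission. Suggest a short comment above the `#ifndef` saying that the hook is called once from kpkeys_hardened_pgtables_init(), that it is expected to map the pre-allocator PTPs with the privileged pkey, and that an override must also define a macro of the same name to be picked up. Since the hook returns void, the comment should also say that the arch implementation has to report any failure itself.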
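
Review bot: in mm/kpkeys_hardened_pgtables.c the new arch_kpkeys_protect_static_pgtables() call is placed after static_branch_enable(&kpkeys_hardened_pgtables_key) and ppa_finalize() without a comment explaining the ordering. It is not clear from the hunk whether the hook depends on ppa_finalize() having run or on the static key already being enabled, and a later reorder of these three lines could change behaviour unnoticed. Suggest a one-line comment above the call stating the dependency (or that there is none), and noting that the static PTPs are only protected from this point in init onward.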