From: Dave Hansen <dave.hansen@intel.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Ingo Molnar <mingo@kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
Mel Gorman <mgorman@techsingularity.net>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Linux API <linux-api@vger.kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Hugh Dickins <hughd@google.com>, "H. Peter Anvin" <hpa@zytor.com>,
X86 ML <x86@kernel.org>,
Dave Hansen <dave.hansen@linux.intel.com>
Subject: Re: [PATCH 6/9] x86, pkeys: add pkey set/get syscalls
Date: Mon, 11 Jul 2016 08:48:00 -0700 [thread overview]
Message-ID: <5783BFB0.70203@intel.com> (raw)
In-Reply-To: <CALCETrW1qLZE_cq1CvmLkdnFyKRWVZuah29xERTC7o0eZ8DbwQ@mail.gmail.com>
On 07/11/2016 07:45 AM, Andy Lutomirski wrote:
> On Mon, Jul 11, 2016 at 7:34 AM, Dave Hansen <dave@sr71.net> wrote:
>> Should we instead just recommend to userspace that they lock down access
>> to keys by default in all threads as a best practice?
>
> Is that really better than doing it in-kernel? My concern is that
> we'll find library code that creates a thread, and that code could run
> before the pkey-aware part of the program even starts running.
Yeah, so let's assume we have some pkey-unaware thread. The upside of a
scheme where the kernel preemptively (and transparently to the thread)
locks down PKRU is that the thread can't go corrupting any non-zero-pkey
structures that came from other threads.
But, the downside is that the thread can not access any non-zero-pkey
structures without taking some kind of action with PKRU. That obviously
won't happen since the thread is pkeys-unaware to begin with. Would
that break these libraries unless everything using pkeys knows to only
share pkey=0 data with those threads?
> So how is user code supposed lock down all of its threads?
>
> seccomp has TSYNC for this, but I don't think that PKRU allows
> something like that.
I'm not sure this is possible for PKRU. Think of a simple PKRU
manipulation in userspace:
pkru = rdpkru();
pkru |= PKEY_DENY_ACCESS<<key*2;
wrpkru(pkru);
If we push a PKRU value into a thread between the rdpkru() and wrpkru(),
we'll lose the content of that "push". I'm not sure there's any way to
guarantee this with a user-controlled register.
WARNING: multiple messages have this Message-ID (diff)
From: Dave Hansen <dave.hansen@intel.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Ingo Molnar <mingo@kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
Mel Gorman <mgorman@techsingularity.net>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Linux API <linux-api@vger.kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Hugh Dickins <hughd@google.com>, "H. Peter Anvin" <hpa@zytor.com>,
X86 ML <x86@kernel.org>,
Dave Hansen <dave.hansen@linux.intel.com>
Subject: Re: [PATCH 6/9] x86, pkeys: add pkey set/get syscalls
Date: Mon, 11 Jul 2016 08:48:00 -0700 [thread overview]
Message-ID: <5783BFB0.70203@intel.com> (raw)
In-Reply-To: <CALCETrW1qLZE_cq1CvmLkdnFyKRWVZuah29xERTC7o0eZ8DbwQ@mail.gmail.com>
On 07/11/2016 07:45 AM, Andy Lutomirski wrote:
> On Mon, Jul 11, 2016 at 7:34 AM, Dave Hansen <dave@sr71.net> wrote:
>> Should we instead just recommend to userspace that they lock down access
>> to keys by default in all threads as a best practice?
>
> Is that really better than doing it in-kernel? My concern is that
> we'll find library code that creates a thread, and that code could run
> before the pkey-aware part of the program even starts running.
Yeah, so let's assume we have some pkey-unaware thread. The upside of a
scheme where the kernel preemptively (and transparently to the thread)
locks down PKRU is that the thread can't go corrupting any non-zero-pkey
structures that came from other threads.
But, the downside is that the thread can not access any non-zero-pkey
structures without taking some kind of action with PKRU. That obviously
won't happen since the thread is pkeys-unaware to begin with. Would
that break these libraries unless everything using pkeys knows to only
share pkey=0 data with those threads?
> So how is user code supposed lock down all of its threads?
>
> seccomp has TSYNC for this, but I don't think that PKRU allows
> something like that.
I'm not sure this is possible for PKRU. Think of a simple PKRU
manipulation in userspace:
pkru = rdpkru();
pkru |= PKEY_DENY_ACCESS<<key*2;
wrpkru(pkru);
If we push a PKRU value into a thread between the rdpkru() and wrpkru(),
we'll lose the content of that "push". I'm not sure there's any way to
guarantee this with a user-controlled register.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2016-07-11 15:48 UTC|newest]
Thread overview: 103+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-07 12:47 [PATCH 0/9] [REVIEW-REQUEST] [v4] System Calls for Memory Protection Keys Dave Hansen
2016-07-07 12:47 ` Dave Hansen
2016-07-07 12:47 ` [PATCH 1/9] x86, pkeys: add fault handling for PF_PK page fault bit Dave Hansen
2016-07-07 12:47 ` Dave Hansen
2016-07-07 14:40 ` Mel Gorman
2016-07-07 14:40 ` Mel Gorman
2016-07-07 15:42 ` Dave Hansen
2016-07-07 15:42 ` Dave Hansen
2016-07-07 12:47 ` [PATCH 2/9] mm: implement new pkey_mprotect() system call Dave Hansen
2016-07-07 12:47 ` Dave Hansen
2016-07-07 14:40 ` Mel Gorman
2016-07-07 14:40 ` Mel Gorman
2016-07-07 16:51 ` Dave Hansen
2016-07-07 16:51 ` Dave Hansen
2016-07-08 10:15 ` Mel Gorman
2016-07-08 10:15 ` Mel Gorman
2016-07-07 12:47 ` [PATCH 3/9] x86, pkeys: make mprotect_key() mask off additional vm_flags Dave Hansen
2016-07-07 12:47 ` Dave Hansen
2016-07-07 12:47 ` [PATCH 4/9] x86: wire up mprotect_key() system call Dave Hansen
2016-07-07 12:47 ` Dave Hansen
2016-07-07 12:47 ` [PATCH 5/9] x86, pkeys: allocation/free syscalls Dave Hansen
2016-07-07 12:47 ` Dave Hansen
2016-07-07 14:40 ` Mel Gorman
2016-07-07 14:40 ` Mel Gorman
2016-07-07 15:38 ` Dave Hansen
2016-07-07 15:38 ` Dave Hansen
2016-07-07 12:47 ` [PATCH 6/9] x86, pkeys: add pkey set/get syscalls Dave Hansen
2016-07-07 12:47 ` Dave Hansen
2016-07-07 14:45 ` Mel Gorman
2016-07-07 14:45 ` Mel Gorman
2016-07-07 17:33 ` Dave Hansen
2016-07-07 17:33 ` Dave Hansen
2016-07-08 7:18 ` Ingo Molnar
2016-07-08 7:18 ` Ingo Molnar
[not found] ` <20160708071810.GA27457-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-07-08 16:32 ` Dave Hansen
2016-07-08 16:32 ` Dave Hansen
2016-07-08 16:32 ` Dave Hansen
2016-07-09 8:37 ` Ingo Molnar
2016-07-09 8:37 ` Ingo Molnar
2016-07-09 8:37 ` Ingo Molnar
2016-07-11 4:25 ` Andy Lutomirski
2016-07-11 4:25 ` Andy Lutomirski
[not found] ` <CALCETrXJhVz6Za4=oidiM2Vfbb+XdggFBYiVyvOCcia+w064aQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-07-11 7:35 ` Ingo Molnar
2016-07-11 7:35 ` Ingo Molnar
2016-07-11 7:35 ` Ingo Molnar
2016-07-11 14:28 ` Dave Hansen
2016-07-11 14:28 ` Dave Hansen
2016-07-12 7:13 ` Ingo Molnar
2016-07-12 7:13 ` Ingo Molnar
2016-07-12 15:39 ` Dave Hansen
2016-07-12 15:39 ` Dave Hansen
2016-07-11 14:50 ` Andy Lutomirski
2016-07-11 14:50 ` Andy Lutomirski
2016-07-11 14:34 ` Dave Hansen
2016-07-11 14:34 ` Dave Hansen
2016-07-11 14:34 ` Dave Hansen
2016-07-11 14:45 ` Andy Lutomirski
2016-07-11 14:45 ` Andy Lutomirski
2016-07-11 15:48 ` Dave Hansen [this message]
2016-07-11 15:48 ` Dave Hansen
2016-07-12 16:32 ` Andy Lutomirski
2016-07-12 16:32 ` Andy Lutomirski
2016-07-12 17:12 ` Dave Hansen
2016-07-12 17:12 ` Dave Hansen
2016-07-12 22:55 ` Andy Lutomirski
2016-07-12 22:55 ` Andy Lutomirski
2016-07-13 7:56 ` Ingo Molnar
2016-07-13 7:56 ` Ingo Molnar
2016-07-13 18:43 ` Andy Lutomirski
2016-07-13 18:43 ` Andy Lutomirski
2016-07-14 8:07 ` Ingo Molnar
2016-07-14 8:07 ` Ingo Molnar
2016-07-18 4:43 ` Andy Lutomirski
2016-07-18 4:43 ` Andy Lutomirski
2016-07-18 9:56 ` Ingo Molnar
2016-07-18 9:56 ` Ingo Molnar
[not found] ` <20160709083715.GA29939-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-07-18 18:02 ` Dave Hansen
2016-07-18 18:02 ` Dave Hansen
2016-07-18 18:02 ` Dave Hansen
2016-07-18 20:12 ` Dave Hansen
2016-07-18 20:12 ` Dave Hansen
2016-07-18 20:12 ` Dave Hansen
2016-07-08 19:26 ` Dave Hansen
2016-07-08 19:26 ` Dave Hansen
[not found] ` <577E924C.6010406-gkUM19QKKo4@public.gmane.org>
2016-07-08 10:22 ` Mel Gorman
2016-07-08 10:22 ` Mel Gorman
2016-07-08 10:22 ` Mel Gorman
2016-07-07 12:47 ` [PATCH 7/9] generic syscalls: wire up memory protection keys syscalls Dave Hansen
2016-07-07 12:47 ` Dave Hansen
2016-07-07 12:47 ` [PATCH 8/9] pkeys: add details of system call use to Documentation/ Dave Hansen
2016-07-07 12:47 ` Dave Hansen
2016-07-07 12:47 ` [PATCH 9/9] x86, pkeys: add self-tests Dave Hansen
2016-07-07 12:47 ` Dave Hansen
[not found] ` <20160707124719.3F04C882-LXbPSdftPKxrdx17CPfAsdBPR1lH4CV8@public.gmane.org>
2016-07-07 14:47 ` [PATCH 0/9] [REVIEW-REQUEST] [v4] System Calls for Memory Protection Keys Mel Gorman
2016-07-07 14:47 ` Mel Gorman
2016-07-07 14:47 ` Mel Gorman
2016-07-08 18:38 ` Hugh Dickins
2016-07-08 18:38 ` Hugh Dickins
2016-07-08 18:38 ` Hugh Dickins
-- strict thread matches above, loose matches on Subject: below --
2016-06-09 0:01 [PATCH 0/9] [v3] " Dave Hansen
2016-06-09 0:01 ` [PATCH 6/9] x86, pkeys: add pkey set/get syscalls Dave Hansen
2016-06-09 0:01 ` Dave Hansen
2016-06-07 20:47 [PATCH 0/9] [v2] System Calls for Memory Protection Keys Dave Hansen
2016-06-07 20:47 ` [PATCH 6/9] x86, pkeys: add pkey set/get syscalls Dave Hansen
2016-06-07 20:47 ` Dave Hansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5783BFB0.70203@intel.com \
--to=dave.hansen@intel.com \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=hughd@google.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@amacapital.net \
--cc=mgorman@techsingularity.net \
--cc=mingo@kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.