From: Catalin Marinas <catalin.marinas@arm.com>
To: Joey Gouly <joey.gouly@arm.com>
Cc: linux-arm-kernel@lists.infradead.org, akpm@linux-foundation.org,
aneesh.kumar@linux.ibm.com, broonie@kernel.org,
dave.hansen@linux.intel.com, maz@kernel.org,
oliver.upton@linux.dev, shuah@kernel.org, will@kernel.org,
kvmarm@lists.linux.dev, linux-fsdevel@vger.kernel.org,
linux-mm@kvack.org, linux-kselftest@vger.kernel.org,
James Morse <james.morse@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Zenghui Yu <yuzenghui@huawei.com>
Subject: Re: [PATCH v3 14/25] arm64: implement PKEYS support
Date: Mon, 11 Dec 2023 18:49:37 +0000 [thread overview]
Message-ID: <ZXdZwRcc0BaEq-Uv@arm.com> (raw)
In-Reply-To: <20231124163510.1835740-15-joey.gouly@arm.com>
On Fri, Nov 24, 2023 at 04:34:59PM +0000, Joey Gouly wrote:
> @@ -211,11 +212,24 @@ init_new_context(struct task_struct *tsk, struct mm_struct *mm)
> {
> atomic64_set(&mm->context.id, 0);
> refcount_set(&mm->context.pinned, 0);
> +
> + // pkey 0 is the default, so always reserve it.
> + mm->context.pkey_allocation_map = 0x1;
Nit: use /* */ style comments.
> @@ -151,7 +170,9 @@ static inline pteval_t __phys_to_pte_val(phys_addr_t phys)
> * PTE_VALID bit set.
> */
> #define pte_access_permitted(pte, write) \
> - (((pte_val(pte) & (PTE_VALID | PTE_USER)) == (PTE_VALID | PTE_USER)) && (!(write) || pte_write(pte)))
> + (((pte_val(pte) & (PTE_VALID | PTE_USER)) == (PTE_VALID | PTE_USER)) && \
> + (!(write) || pte_write(pte)) && \
> + por_el0_allows_pkey(FIELD_GET(PTE_PO_IDX_MASK, pte_val(pte)), write, false))
Do not change pte_access_permitted(), just let it handle the base
permissions. This check is about the mm tables, not some current POR_EL0
setting of the thread.
As an example, with this change Linux may decide not to clear the MTE
tags just because the current POR_EL0 says no-access. The thread
subsequently changes POR_EL0 and it can read the stale tags.
I haven't checked what x86 and powerpc do here. There may be some
implications on GUP but I'd rather ignore POE for this case.
> #define pmd_access_permitted(pmd, write) \
> (pte_access_permitted(pmd_pte(pmd), (write)))
> #define pud_access_permitted(pud, write) \
> diff --git a/arch/arm64/include/asm/pkeys.h b/arch/arm64/include/asm/pkeys.h
> index 5761fb48fd53..a80c654da93d 100644
> --- a/arch/arm64/include/asm/pkeys.h
> +++ b/arch/arm64/include/asm/pkeys.h
[...]
> static inline int execute_only_pkey(struct mm_struct *mm)
> {
> + // Execute-only mappings are handled by EPAN/FEAT_PAN3.
> + WARN_ON_ONCE(!cpus_have_final_cap(ARM64_HAS_EPAN));
> +
> return -1;
> }
Why the WARN_ON_ONCE() here? It will trigger if the user asks for
PROT_EXEC and I can't see any subsequent patch that changes the core
code not to call it. I think we need some arch_has_execute_only_pkey()
to avoid going on this path. Our arch would support exec-only with any
pkey.
> @@ -1490,6 +1491,38 @@ void ptep_modify_prot_commit(struct vm_area_struct *vma, unsigned long addr, pte
> #ifdef CONFIG_ARCH_HAS_PKEYS
> int arch_set_user_pkey_access(struct task_struct *tsk, int pkey, unsigned long init_val)
> {
> - return -ENOSPC;
> + u64 new_por = POE_RXW;
> + u64 old_por;
> + u64 pkey_shift;
> +
> + if (!arch_pkeys_enabled())
> + return -ENOSPC;
> +
> + /*
> + * This code should only be called with valid 'pkey'
> + * values originating from in-kernel users. Complain
> + * if a bad value is observed.
> + */
> + if (WARN_ON_ONCE(pkey >= arch_max_pkey()))
> + return -EINVAL;
> +
> + /* Set the bits we need in POR: */
> + if (init_val & PKEY_DISABLE_ACCESS)
> + new_por = POE_X;
Does PKEY_DISABLE_ACCESS mean allow execute? Or does x86 not have a way
to disable execution?
> + else if (init_val & PKEY_DISABLE_WRITE)
> + new_por = POE_RX;
> +
> + /* Shift the bits in to the correct place in POR for pkey: */
> + pkey_shift = pkey * POR_BITS_PER_PKEY;
> + new_por <<= pkey_shift;
> +
> + /* Get old POR and mask off any old bits in place: */
> + old_por = read_sysreg_s(SYS_POR_EL0);
> + old_por &= ~(POE_MASK << pkey_shift);
> +
> + /* Write old part along with new part: */
> + write_sysreg_s(old_por | new_por, SYS_POR_EL0);
> +
> + return 0;
> }
> #endif
--
Catalin
WARNING: multiple messages have this Message-ID (diff)
From: Catalin Marinas <catalin.marinas@arm.com>
To: Joey Gouly <joey.gouly@arm.com>
Cc: linux-arm-kernel@lists.infradead.org, akpm@linux-foundation.org,
aneesh.kumar@linux.ibm.com, broonie@kernel.org,
dave.hansen@linux.intel.com, maz@kernel.org,
oliver.upton@linux.dev, shuah@kernel.org, will@kernel.org,
kvmarm@lists.linux.dev, linux-fsdevel@vger.kernel.org,
linux-mm@kvack.org, linux-kselftest@vger.kernel.org,
James Morse <james.morse@arm.com>,
Suzuki K Poulose <suzuki.poulose@arm.com>,
Zenghui Yu <yuzenghui@huawei.com>
Subject: Re: [PATCH v3 14/25] arm64: implement PKEYS support
Date: Mon, 11 Dec 2023 18:49:37 +0000 [thread overview]
Message-ID: <ZXdZwRcc0BaEq-Uv@arm.com> (raw)
In-Reply-To: <20231124163510.1835740-15-joey.gouly@arm.com>
On Fri, Nov 24, 2023 at 04:34:59PM +0000, Joey Gouly wrote:
> @@ -211,11 +212,24 @@ init_new_context(struct task_struct *tsk, struct mm_struct *mm)
> {
> atomic64_set(&mm->context.id, 0);
> refcount_set(&mm->context.pinned, 0);
> +
> + // pkey 0 is the default, so always reserve it.
> + mm->context.pkey_allocation_map = 0x1;
Nit: use /* */ style comments.
> @@ -151,7 +170,9 @@ static inline pteval_t __phys_to_pte_val(phys_addr_t phys)
> * PTE_VALID bit set.
> */
> #define pte_access_permitted(pte, write) \
> - (((pte_val(pte) & (PTE_VALID | PTE_USER)) == (PTE_VALID | PTE_USER)) && (!(write) || pte_write(pte)))
> + (((pte_val(pte) & (PTE_VALID | PTE_USER)) == (PTE_VALID | PTE_USER)) && \
> + (!(write) || pte_write(pte)) && \
> + por_el0_allows_pkey(FIELD_GET(PTE_PO_IDX_MASK, pte_val(pte)), write, false))
Do not change pte_access_permitted(), just let it handle the base
permissions. This check is about the mm tables, not some current POR_EL0
setting of the thread.
As an example, with this change Linux may decide not to clear the MTE
tags just because the current POR_EL0 says no-access. The thread
subsequently changes POR_EL0 and it can read the stale tags.
I haven't checked what x86 and powerpc do here. There may be some
implications on GUP but I'd rather ignore POE for this case.
> #define pmd_access_permitted(pmd, write) \
> (pte_access_permitted(pmd_pte(pmd), (write)))
> #define pud_access_permitted(pud, write) \
> diff --git a/arch/arm64/include/asm/pkeys.h b/arch/arm64/include/asm/pkeys.h
> index 5761fb48fd53..a80c654da93d 100644
> --- a/arch/arm64/include/asm/pkeys.h
> +++ b/arch/arm64/include/asm/pkeys.h
[...]
> static inline int execute_only_pkey(struct mm_struct *mm)
> {
> + // Execute-only mappings are handled by EPAN/FEAT_PAN3.
> + WARN_ON_ONCE(!cpus_have_final_cap(ARM64_HAS_EPAN));
> +
> return -1;
> }
Why the WARN_ON_ONCE() here? It will trigger if the user asks for
PROT_EXEC and I can't see any subsequent patch that changes the core
code not to call it. I think we need some arch_has_execute_only_pkey()
to avoid going on this path. Our arch would support exec-only with any
pkey.
> @@ -1490,6 +1491,38 @@ void ptep_modify_prot_commit(struct vm_area_struct *vma, unsigned long addr, pte
> #ifdef CONFIG_ARCH_HAS_PKEYS
> int arch_set_user_pkey_access(struct task_struct *tsk, int pkey, unsigned long init_val)
> {
> - return -ENOSPC;
> + u64 new_por = POE_RXW;
> + u64 old_por;
> + u64 pkey_shift;
> +
> + if (!arch_pkeys_enabled())
> + return -ENOSPC;
> +
> + /*
> + * This code should only be called with valid 'pkey'
> + * values originating from in-kernel users. Complain
> + * if a bad value is observed.
> + */
> + if (WARN_ON_ONCE(pkey >= arch_max_pkey()))
> + return -EINVAL;
> +
> + /* Set the bits we need in POR: */
> + if (init_val & PKEY_DISABLE_ACCESS)
> + new_por = POE_X;
Does PKEY_DISABLE_ACCESS mean allow execute? Or does x86 not have a way
to disable execution?
> + else if (init_val & PKEY_DISABLE_WRITE)
> + new_por = POE_RX;
> +
> + /* Shift the bits in to the correct place in POR for pkey: */
> + pkey_shift = pkey * POR_BITS_PER_PKEY;
> + new_por <<= pkey_shift;
> +
> + /* Get old POR and mask off any old bits in place: */
> + old_por = read_sysreg_s(SYS_POR_EL0);
> + old_por &= ~(POE_MASK << pkey_shift);
> +
> + /* Write old part along with new part: */
> + write_sysreg_s(old_por | new_por, SYS_POR_EL0);
> +
> + return 0;
> }
> #endif
--
Catalin
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2023-12-11 18:49 UTC|newest]
Thread overview: 122+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-24 16:34 [PATCH v3 00/25] Permission Overlay Extension Joey Gouly
2023-11-24 16:34 ` Joey Gouly
2023-11-24 16:34 ` [PATCH v3 01/25] arm64/sysreg: add system register POR_EL{0,1} Joey Gouly
2023-11-24 16:34 ` Joey Gouly
2023-12-04 18:40 ` Catalin Marinas
2023-12-04 18:40 ` Catalin Marinas
2023-11-24 16:34 ` [PATCH v3 02/25] arm64/sysreg: update CPACR_EL1 register Joey Gouly
2023-11-24 16:34 ` Joey Gouly
2023-12-04 18:41 ` Catalin Marinas
2023-12-04 18:41 ` Catalin Marinas
2023-11-24 16:34 ` [PATCH v3 03/25] arm64: cpufeature: add Permission Overlay Extension cpucap Joey Gouly
2023-11-24 16:34 ` Joey Gouly
2023-11-25 12:11 ` Mark Brown
2023-11-25 12:11 ` Mark Brown
2023-12-04 18:46 ` Catalin Marinas
2023-12-04 18:46 ` Catalin Marinas
2023-11-24 16:34 ` [PATCH v3 04/25] arm64: disable trapping of POR_EL0 to EL2 Joey Gouly
2023-11-24 16:34 ` Joey Gouly
2023-12-07 13:37 ` Catalin Marinas
2023-12-07 13:37 ` Catalin Marinas
2023-11-24 16:34 ` [PATCH v3 05/25] arm64: context switch POR_EL0 register Joey Gouly
2023-11-24 16:34 ` Joey Gouly
2023-11-25 12:02 ` Mark Brown
2023-11-25 12:02 ` Mark Brown
2023-12-07 13:55 ` Catalin Marinas
2023-12-07 13:55 ` Catalin Marinas
2023-12-07 14:12 ` Mark Brown
2023-12-07 14:12 ` Mark Brown
2023-12-07 13:51 ` Catalin Marinas
2023-12-07 13:51 ` Catalin Marinas
2023-11-24 16:34 ` [PATCH v3 06/25] KVM: arm64: Save/restore POE registers Joey Gouly
2023-11-24 16:34 ` Joey Gouly
2023-11-27 18:01 ` Marc Zyngier
2023-11-27 18:01 ` Marc Zyngier
2023-11-29 15:11 ` Joey Gouly
2023-11-29 15:11 ` Joey Gouly
2023-11-29 19:47 ` Marc Zyngier
2023-11-29 19:47 ` Marc Zyngier
2023-11-30 15:51 ` Marc Zyngier
2023-11-30 15:51 ` Marc Zyngier
2023-11-24 16:34 ` [PATCH v3 07/25] arm64: enable the Permission Overlay Extension for EL0 Joey Gouly
2023-11-24 16:34 ` Joey Gouly
2023-12-07 14:08 ` Catalin Marinas
2023-12-07 14:08 ` Catalin Marinas
2023-11-24 16:34 ` [PATCH v3 08/25] arm64: add POIndex defines Joey Gouly
2023-11-24 16:34 ` Joey Gouly
2023-11-24 16:34 ` [PATCH v3 09/25] arm64: define VM_PKEY_BIT* for arm64 Joey Gouly
2023-11-24 16:34 ` Joey Gouly
2023-12-07 15:10 ` Catalin Marinas
2023-12-07 15:10 ` Catalin Marinas
2023-11-24 16:34 ` [PATCH v3 10/25] arm64: mask out POIndex when modifying a PTE Joey Gouly
2023-11-24 16:34 ` Joey Gouly
2023-12-07 15:11 ` Catalin Marinas
2023-12-07 15:11 ` Catalin Marinas
2023-11-24 16:34 ` [PATCH v3 11/25] arm64: enable ARCH_HAS_PKEYS on arm64 Joey Gouly
2023-11-24 16:34 ` Joey Gouly
2023-12-07 15:25 ` Catalin Marinas
2023-12-07 15:25 ` Catalin Marinas
2023-12-07 15:44 ` Joey Gouly
2023-12-07 15:44 ` Joey Gouly
2023-11-24 16:34 ` [PATCH v3 12/25] arm64: handle PKEY/POE faults Joey Gouly
2023-11-24 16:34 ` Joey Gouly
2023-12-11 18:18 ` Catalin Marinas
2023-12-11 18:18 ` Catalin Marinas
2023-12-13 15:02 ` Joey Gouly
2023-12-13 15:02 ` Joey Gouly
2023-11-24 16:34 ` [PATCH v3 13/25] arm64: stop using generic mm_hooks.h Joey Gouly
2023-11-24 16:34 ` Joey Gouly
2023-12-11 18:22 ` Catalin Marinas
2023-12-11 18:22 ` Catalin Marinas
2023-11-24 16:34 ` [PATCH v3 14/25] arm64: implement PKEYS support Joey Gouly
2023-11-24 16:34 ` Joey Gouly
2023-12-11 18:49 ` Catalin Marinas [this message]
2023-12-11 18:49 ` Catalin Marinas
2023-12-14 13:47 ` Joey Gouly
2023-12-14 13:47 ` Joey Gouly
2023-11-24 16:35 ` [PATCH v3 15/25] arm64: add POE signal support Joey Gouly
2023-11-24 16:35 ` Joey Gouly
2023-12-11 18:53 ` Catalin Marinas
2023-12-11 18:53 ` Catalin Marinas
2023-12-12 12:03 ` Szabolcs Nagy
2023-12-12 12:03 ` Szabolcs Nagy
2023-11-24 16:35 ` [PATCH v3 16/25] arm64: enable PKEY support for CPUs with S1POE Joey Gouly
2023-11-24 16:35 ` Joey Gouly
2023-12-11 18:53 ` Catalin Marinas
2023-12-11 18:53 ` Catalin Marinas
2023-11-24 16:35 ` [PATCH v3 17/25] arm64: enable POE and PIE to coexist Joey Gouly
2023-11-24 16:35 ` Joey Gouly
2023-12-11 18:57 ` Catalin Marinas
2023-12-11 18:57 ` Catalin Marinas
2023-11-24 16:35 ` [PATCH v3 18/25] arm64/ptrace: add support for FEAT_POE Joey Gouly
2023-11-24 16:35 ` Joey Gouly
2023-11-24 17:18 ` Mark Brown
2023-11-24 17:18 ` Mark Brown
2023-12-11 18:58 ` Catalin Marinas
2023-12-11 18:58 ` Catalin Marinas
2023-11-24 16:35 ` [PATCH v3 19/25] kselftest/arm64: move get_header() Joey Gouly
2023-11-24 16:35 ` Joey Gouly
2023-11-24 17:16 ` Mark Brown
2023-11-24 17:16 ` Mark Brown
2023-11-24 16:35 ` [PATCH v3 20/25] selftests: mm: move fpregs printing Joey Gouly
2023-11-24 16:35 ` Joey Gouly
2023-11-24 16:35 ` [PATCH v3 21/25] selftests: mm: make protection_keys test work on arm64 Joey Gouly
2023-11-24 16:35 ` Joey Gouly
2023-11-24 16:35 ` [PATCH v3 22/25] kselftest/arm64: add HWCAP test for FEAT_S1POE Joey Gouly
2023-11-24 16:35 ` Joey Gouly
2023-11-24 17:02 ` Mark Brown
2023-11-24 17:02 ` Mark Brown
2023-11-24 16:35 ` [PATCH v3 23/25] kselftest/arm64: parse POE_MAGIC in a signal frame Joey Gouly
2023-11-24 16:35 ` Joey Gouly
2023-11-24 16:35 ` [PATCH v3 24/25] kselftest/arm64: Add test case for POR_EL0 signal frame records Joey Gouly
2023-11-24 16:35 ` Joey Gouly
2023-11-24 17:04 ` Mark Brown
2023-11-24 17:04 ` Mark Brown
2023-11-24 16:35 ` [PATCH v3 25/25] KVM: selftests: get-reg-list: add Permission Overlay registers Joey Gouly
2023-11-24 16:35 ` Joey Gouly
2023-11-24 17:07 ` Mark Brown
2023-11-24 17:07 ` Mark Brown
2023-12-04 11:03 ` [PATCH v3 00/25] Permission Overlay Extension Marc Zyngier
2023-12-04 11:03 ` Marc Zyngier
2023-12-05 15:41 ` Joey Gouly
2023-12-05 15:41 ` Joey Gouly
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZXdZwRcc0BaEq-Uv@arm.com \
--to=catalin.marinas@arm.com \
--cc=akpm@linux-foundation.org \
--cc=aneesh.kumar@linux.ibm.com \
--cc=broonie@kernel.org \
--cc=dave.hansen@linux.intel.com \
--cc=james.morse@arm.com \
--cc=joey.gouly@arm.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=maz@kernel.org \
--cc=oliver.upton@linux.dev \
--cc=shuah@kernel.org \
--cc=suzuki.poulose@arm.com \
--cc=will@kernel.org \
--cc=yuzenghui@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.