[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5678856A.5020509@linux.intel.com>
Date: Mon, 21 Dec 2015 15:04:10 -0800
From: Dave Hansen <dave.hansen@...ux.intel.com>
To: Andy Lutomirski <luto@...capital.net>,
Linus Torvalds <torvalds@...ux-foundation.org>
Cc: "H. Peter Anvin" <hpa@...or.com>, Oleg Nesterov <oleg@...hat.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...nel.org>, Borislav Petkov <bp@...en8.de>,
Brian Gerst <brgerst@...il.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Christoph Hellwig <hch@....de>
Subject: Re: Rethinking sigcontext's xfeatures slightly for PKRU's benefit?
On 12/18/2015 02:28 PM, Andy Lutomirski wrote:
...
>> I could imagine that some kernel person would want to use even more
>> keys, but I think two fixed keys are kind of the minimal we'd want to
>> use.
>
> I imagine we'd reserve key 0 for normal page and key 1 for deny-read.
> Let me be a bit more concrete about what I'm suggesting:
>
> We'd have thread_struct.baseline_pkru. It would start with key 0
> allowing all access and key 1 denying reads.
Are you sure thread_struct is the right place for this? I think of
signal handlers as a process-wide thing, and it seems a bit goofy if we
have the PKRU value in a signal handler depend on the PKRU of the thread
that got interrupted.
> We'd have a syscall like set_protection_key that could allocate unused
> keys and change the values of keys that have been allocated. Those
> changes would be reflected in baseline_pkru. Changes to keys 0 and 1
> in baseline_pkru would not be allowed.
FWIW, I think we can do this without *actually* dedicating key 1 to
execute-only. But that's a side issue.
> Signal delivery would load baseline_pkru into the PKRU register.
> Signal restore would restore PKRU to its previous value.
Do you really mean "its previous value" or are you OK with the existing
behavior which restores PKRU from the XSAVE buffer in the sigcontext?
> WRPKRU would, of course, override baseline_pkru, but it wouldn't
> change baseline_pkru. The set_protection_key syscall would modify
> *both* real PKRU and baseline_pkru.
How about this:
We make baseline_pkru a process-wide baseline and store it in
mm->context. That way, no matter which thread gets interrupted for a
signal, they see consistent values. We only write to it when an app
_specifically_ asks for it to be updated with a special flag to
sys_pkey_set().
When an app uses the execute-only support, we implicitly set the
read-disable bit in baseline_pkru for the execute-only pkey.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists