Message-Id: <20180122183351.GQ5612@ram.oc3035372033.ibm.com>
Date:   Mon, 22 Jan 2018 10:33:51 -0800
From:   Ram Pai <linuxram@...ibm.com>
To:     corbet@....net, linux-doc@...r.kernel.org
Cc:     mpe@...erman.id.au, linuxppc-dev@...ts.ozlabs.org,
        linux-mm@...ck.org, x86@...nel.org, linux-arch@...r.kernel.org,
        linux-kernel@...r.kernel.org, mingo@...hat.com,
        akpm@...ux-foundation.org, dave.hansen@...el.com,
        benh@...nel.crashing.org, paulus@...ba.org,
        khandual@...ux.vnet.ibm.com, aneesh.kumar@...ux.vnet.ibm.com,
        bsingharora@...il.com, hbabu@...ibm.com, mhocko@...nel.org,
        bauerman@...ux.vnet.ibm.com, ebiederm@...ssion.com, arnd@...db.de
Subject: Re: [PATCH v10 00/27] powerpc, mm: Memory Protection Keys


Sorry please ignore this series. It was a duplication mistake.
I aborted the send midway, but a few escaped into the cyber.

RP

On Mon, Jan 22, 2018 at 10:26:29AM -0800, Ram Pai wrote:
> Memory protection keys enable applications to protect their
> address space from inadvertent access from or corruption
> by themselves.
> 
> These patches along with the pte-bit freeing patch series
> enable the protection key feature on powerpc; 4k and 64k
> hashpage kernels.
> 
> Will send the documentation and selftest patches separately
> 
> All patches can be found at --
> https://github.com/rampai/memorykeys.git memkey.v10
> 
> 
> The overall idea:
> -----------------
>  A process allocates a key and associates it with
>  an address range within its address space.
>  The process then can dynamically set read/write 
>  permissions on the key without involving the 
>  kernel. Any code that violates the permissions
>  of the address space; as defined by its associated
>  key, will receive a segmentation fault.
> 
> This patch series enables the feature on PPC64 HPTE
> platform.
> 
> ISA3.0 section 5.7.13 describes the detailed
> specifications.
> 
> 
> Highlevel view of the design:
> ---------------------------
> When an application associates a key with an
> address range, program the key in the Linux PTE.
> When the MMU detects a page fault, allocate a hash
> page and program the key into HPTE. And finally
> when the MMU detects a key violation; due to
> invalid application access, invoke the registered
> signal handler and provide the violated key number.
> 
> 
> Testing:
> -------
> This patch series has passed all the protection key
> tests available in the selftest directory. The
> tests are updated to work on both x86 and powerpc.
> The selftests have passed on x86 and powerpc hardware.
> 
> History:
> -------
> version v10:
> 	(1) key-fault in page-fault handler
> 		is handled as normal fault
> 		and not as a bad fault.
> 	(2) changed device tree scanning to 
> 		unflattened device tree.
> 	(3) fixed a bug in the logic that detected
> 		the total number of available pkeys.
> 	(4) dropped two patches. (i) sysfs interface
> 		(ii) sys_pkey_modif() syscall
> 
> version v9:
> 	(1) used jump-labels to optimize code
> 		-- Balbir
> 	(2) fixed a register initialization bug noted
> 		by Balbir
> 	(3) fixed inappropriate use of paca to pass
> 		siginfo and keys to signal handler
> 	(4) Cleanup of comment style not to be right 
> 		justified -- mpe
> 	(5) restructured the patches to depend on the
> 		availability of VM_PKEY_BIT4 in
> 		include/linux/mm.h
> 	(6) Incorporated comments from Dave Hansen
> 		towards changes to selftest and got
> 		them tested on x86.
> 
> version v8:
> 	(1) Contents of the AMR register withdrawn from
> 	the siginfo structure. Applications can always
> 	read the AMR register.
> 	(2) AMR/IAMR/UAMOR are now available through 
> 		ptrace system call. -- thanks to Thiago
> 	(3) code changes to handle legacy power cpus
> 	that do not support execute-disable.
> 	(4) incorporates many code improvement
> 		suggestions.
> 
> version v7:
> 	(1) refers to device tree property to enable
> 		protection keys.
> 	(2) adds 4K PTE support.
> 	(3) fixes a couple of bugs noticed by Thiago
> 	(4) decouples this patch series from arch-
> 	 independent code. This patch series can
> 	 now stand by itself, with one kludge
> 	patch(2).
> 
> version v6:
> 	(1) selftest changes are broken down into 20
> 		incremental patches.
> 	(2) A separate key allocation mask that
> 		includes PKEY_DISABLE_EXECUTE is 
> 		added for powerpc
> 	(3) pkey feature is enabled for 64K HPT case
> 		only. RPT and 4k HPT is disabled.
> 	(4) Documentation is updated to better 
> 		capture the semantics.
> 	(5) introduced arch_pkeys_enabled() to find
> 		if an arch enables pkeys. Correspondingly
> 		changed the logic that displays
> 		key value in smaps.
> 	(6) code rearranged in many places based on
> 		comments from Dave Hansen, Balbir,
> 		Anshuman.	
> 	(7) fixed one bug where a bogus key could be
> 		associated successfully in
> 		pkey_mprotect().
> 
> version v5:
> 	(1) reverted back to the old design -- store
> 	 the key in the pte, instead of bypassing
> 	 it. The v4 design slowed down the hash
> 	 page path.
> 	(2) detects key violation when kernel is told
> 		to access user pages.
> 	(3) further refined the patches into smaller
> 		consumable units
> 	(4) page fault handlers capture the faulting
> 		key
> 	 from the pte instead of the vma. This
> 	 closes a race between where the key 
> 	 update in the vma and a key fault caused
> 	 by the key programmed in the pte.
> 	(5) a key created with access-denied should
> 	 also set it up to deny write. Fixed it.
> 	(6) protection-key number is displayed in
>  		smaps the x86 way.
> 
> version v4:
> 	(1) patches no more depend on the pte bits
> 		to program the hpte
> 			-- comment by Balbir
> 	(2) documentation updates
> 	(3) fixed a bug in the selftest.
> 	(4) unlike x86, powerpc lets signal handler
> 		change key permission bits; the
> 		change will persist across signal
> 		handler boundaries. Earlier we
> 		allowed the signal handler to
> 		modify a field in the siginfo
> 		structure which would then be used
> 		by the kernel to program the key
> 		protection register (AMR)
> 		 -- resolves an issue raised by Ben.
> 		"Calls to sys_swapcontext with a
> 		made-up context will end up with a
> 		crap AMR if done by code who didn't
> 		know about that register".
> 	(5) these changes enable protection keys on
>  		4k-page kernel as well.
> 
> version v3:
> 	(1) split the patches into smaller consumable
> 		patches.
> 	(2) added the ability to disable execute
> 		permission on a key at creation.
> 	(3) rename calc_pte_to_hpte_pkey_bits() to
> 	pte_to_hpte_pkey_bits()
> 		-- suggested by Anshuman
> 	(4) some code optimization and clarity in
> 		do_page_fault()
> 	(5) A bug fix while invalidating a hpte slot
> 		in __hash_page_4K()
> 		-- noticed by Aneesh
> 	
> 
> version v2:
> 	(1) documentation and selftest added.
>  	(2) fixed a bug in 4k hpte backed 64k pte
> 		where page invalidation was not
> 		done correctly, and initialization
> 		of second-part-of-the-pte was not
> 		done correctly if the pte was not
> 		yet Hashed with a hpte.
> 		--	Reported by Aneesh.
> 	(3) Fixed ABI breakage caused in siginfo
> 		structure.
> 		-- Reported by Anshuman.
> 	
> 
> version v1: Initial version
> 
> 
> Ram Pai (26):
>   mm, powerpc, x86: define VM_PKEY_BITx bits if CONFIG_ARCH_HAS_PKEYS
>     is enabled
>   mm, powerpc, x86: introduce an additional vma bit for powerpc pkey
>   powerpc: initial pkey plumbing
>   powerpc: track allocation status of all pkeys
>   powerpc: helper function to read,write AMR,IAMR,UAMOR registers
>   powerpc: helper functions to initialize AMR, IAMR and UAMOR registers
>   powerpc: cleanup AMR, IAMR when a key is allocated or freed
>   powerpc: implementation for arch_set_user_pkey_access()
>   powerpc: ability to create execute-disabled pkeys
>   powerpc: store and restore the pkey state across context switches
>   powerpc: introduce execute-only pkey
>   powerpc: ability to associate pkey to a vma
>   powerpc: implementation for arch_override_mprotect_pkey()
>   powerpc: map vma key-protection bits to pte key bits.
>   powerpc: Program HPTE key protection bits
>   powerpc: helper to validate key-access permissions of a pte
>   powerpc: check key protection for user page access
>   powerpc: implementation for arch_vma_access_permitted()
>   powerpc: Handle exceptions caused by pkey violation
>   powerpc: introduce get_mm_addr_key() helper
>   powerpc: Deliver SEGV signal on pkey violation
>   powerpc: Enable pkey subsystem
>   powerpc: sys_pkey_alloc() and sys_pkey_free() system calls
>   powerpc: sys_pkey_mprotect() system call
>   mm, x86 : introduce arch_pkeys_enabled()
>   mm: display pkey in smaps if arch_pkeys_enabled() is true
> 
> Thiago Jung Bauermann (1):
>   powerpc/ptrace: Add memory protection key regset
> 
>  arch/powerpc/Kconfig                          |   15 +
>  arch/powerpc/include/asm/book3s/64/mmu-hash.h |    5 +
>  arch/powerpc/include/asm/book3s/64/mmu.h      |   10 +
>  arch/powerpc/include/asm/book3s/64/pgtable.h  |   48 +++-
>  arch/powerpc/include/asm/bug.h                |    1 +
>  arch/powerpc/include/asm/cputable.h           |   16 +-
>  arch/powerpc/include/asm/mman.h               |   13 +-
>  arch/powerpc/include/asm/mmu.h                |    9 +
>  arch/powerpc/include/asm/mmu_context.h        |   22 ++
>  arch/powerpc/include/asm/pkeys.h              |  229 ++++++++++++
>  arch/powerpc/include/asm/processor.h          |    5 +
>  arch/powerpc/include/asm/reg.h                |    1 -
>  arch/powerpc/include/asm/systbl.h             |    3 +
>  arch/powerpc/include/asm/unistd.h             |    6 +-
>  arch/powerpc/include/uapi/asm/elf.h           |    1 +
>  arch/powerpc/include/uapi/asm/mman.h          |    6 +
>  arch/powerpc/include/uapi/asm/unistd.h        |    3 +
>  arch/powerpc/kernel/exceptions-64s.S          |    2 +-
>  arch/powerpc/kernel/process.c                 |    7 +
>  arch/powerpc/kernel/ptrace.c                  |   66 ++++
>  arch/powerpc/kernel/traps.c                   |   19 +-
>  arch/powerpc/mm/Makefile                      |    1 +
>  arch/powerpc/mm/fault.c                       |   49 +++-
>  arch/powerpc/mm/hash_utils_64.c               |   26 ++
>  arch/powerpc/mm/mmu_context_book3s64.c        |    2 +
>  arch/powerpc/mm/pkeys.c                       |  469 +++++++++++++++++++++++++
>  arch/x86/include/asm/pkeys.h                  |    1 +
>  arch/x86/kernel/fpu/xstate.c                  |    5 +
>  arch/x86/kernel/setup.c                       |    8 -
>  fs/proc/task_mmu.c                            |   16 +-
>  include/linux/mm.h                            |   12 +-
>  include/linux/pkeys.h                         |    5 +
>  include/uapi/linux/elf.h                      |    1 +
>  33 files changed, 1040 insertions(+), 42 deletions(-)
>  create mode 100644 arch/powerpc/include/asm/pkeys.h
>  create mode 100644 arch/powerpc/mm/pkeys.c

-- 
Ram Pai
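
The allocate, associate and restrict sequence from "The overall idea" in the quoted cover letter, as an added user-space example that is not part of this message or of the patch series. It assumes glibc 2.27 or later for the pkey_alloc(), pkey_mprotect(), pkey_set() and pkey_free() wrappers; pkey_demo(), on_segv() and the PKEY_DEMO_* codes are names made up for the illustration.

```c
/* Added illustration, not patch-series code; assumes glibc >= 2.27; names are made up. */
#define _GNU_SOURCE
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#define PKEY_DEMO_UNSUPPORTED (-1) /* no key could be allocated (no kernel/CPU support) */
#define PKEY_DEMO_ERROR       (-2) /* setup failed or the key was not enforced */

/* Child-side SIGSEGV handler: pass the violated key out via the exit status. */
static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    _exit(si->si_code == SEGV_PKUERR ? 100 + si->si_pkey : 99);
}

/* Returns the key number named by the fault, or one of the codes above. */
int pkey_demo(void)
{
    int result = PKEY_DEMO_ERROR, status = 0;
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    int pkey = pkey_alloc(0, 0);              /* allocate a key, no restrictions yet */
    if (pkey < 0) return PKEY_DEMO_UNSUPPORTED;
    char *buf = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) {
        pkey_free(pkey);
        return PKEY_DEMO_ERROR;
    }
    /* Associate the key with the address range, then write while allowed. */
    if (pkey_mprotect(buf, len, PROT_READ | PROT_WRITE, pkey) == 0) {
        strcpy(buf, "constructed sample data");
        pkey_set(pkey, PKEY_DISABLE_WRITE);   /* rights change done in user space */
        pid_t pid = fork();                   /* child inherits the key state */
        if (pid == 0) {
            struct sigaction sa = { .sa_sigaction = on_segv, .sa_flags = SA_SIGINFO };
            sigaction(SIGSEGV, &sa, NULL);
            *(volatile char *)buf = 'X';      /* store violates the key */
            _exit(0);                         /* reached only if nothing stopped it */
        }
        if (pid > 0 && waitpid(pid, &status, 0) == pid &&
            WIFEXITED(status) && WEXITSTATUS(status) >= 100)
            result = WEXITSTATUS(status) - 100;
        pkey_set(pkey, 0);                    /* lift the restriction before cleanup */
    }
    munmap(buf, len);
    pkey_free(pkey);
    return result;
}
```

On a machine without protection-key support the function returns PKEY_DEMO_UNSUPPORTED; where keys are enforced it returns the same key number that pkey_alloc() handed out.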
