From: Ram Pai <linuxram@us.ibm.com>
To: linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org,
linux-arch@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org,
linux-doc@vger.kernel.org, linux-kselftest@vger.kernel.org
Cc: benh@kernel.crashing.org, paulus@samba.org, mpe@ellerman.id.au,
khandual@linux.vnet.ibm.com, aneesh.kumar@linux.vnet.ibm.com,
bsingharora@gmail.com, dave.hansen@intel.com, hbabu@us.ibm.com,
linuxram@us.ibm.com, arnd@arndb.de, akpm@linux-foundation.org,
corbet@lwn.net, mingo@redhat.com
Subject: [RFC v5 38/38] Documentation: PowerPC specific updates to memory protection keys
Date: Wed, 5 Jul 2017 14:22:15 -0700 [thread overview]
Message-ID: <1499289735-14220-39-git-send-email-linuxram@us.ibm.com> (raw)
In-Reply-To: <1499289735-14220-1-git-send-email-linuxram@us.ibm.com>
Add documentation updates that capture PowerPC specific changes.
Signed-off-by: Ram Pai <linuxram@us.ibm.com>
---
Documentation/vm/protection-keys.txt | 85 ++++++++++++++++++++++++++--------
1 files changed, 65 insertions(+), 20 deletions(-)
diff --git a/Documentation/vm/protection-keys.txt b/Documentation/vm/protection-keys.txt
index b643045..d50b6ab 100644
--- a/Documentation/vm/protection-keys.txt
+++ b/Documentation/vm/protection-keys.txt
@@ -1,21 +1,46 @@
-Memory Protection Keys for Userspace (PKU aka PKEYs) is a CPU feature
-which will be found on future Intel CPUs.
+Memory Protection Keys for Userspace (PKU aka PKEYs) is a CPU feature found in
+new generation of intel CPUs and on PowerPC 7 and higher CPUs.
Memory Protection Keys provides a mechanism for enforcing page-based
-protections, but without requiring modification of the page tables
-when an application changes protection domains. It works by
-dedicating 4 previously ignored bits in each page table entry to a
-"protection key", giving 16 possible keys.
-
-There is also a new user-accessible register (PKRU) with two separate
-bits (Access Disable and Write Disable) for each key. Being a CPU
-register, PKRU is inherently thread-local, potentially giving each
-thread a different set of protections from every other thread.
-
-There are two new instructions (RDPKRU/WRPKRU) for reading and writing
-to the new register. The feature is only available in 64-bit mode,
-even though there is theoretically space in the PAE PTEs. These
-permissions are enforced on data access only and have no effect on
+protections, but without requiring modification of the page tables when an
+application changes protection domains.
+
+
+On Intel:
+
+ It works by dedicating 4 previously ignored bits in each page table
+ entry to a "protection key", giving 16 possible keys.
+
+ There is also a new user-accessible register (PKRU) with two separate
+ bits (Access Disable and Write Disable) for each key. Being a CPU
+ register, PKRU is inherently thread-local, potentially giving each
+ thread a different set of protections from every other thread.
+
+ There are two new instructions (RDPKRU/WRPKRU) for reading and writing
+ to the new register. The feature is only available in 64-bit mode,
+ even though there is theoretically space in the PAE PTEs. These
+ permissions are enforced on data access only and have no effect on
+ instruction fetches.
+
+
+On PowerPC:
+
+ It works by dedicating 5 page table entry bits to a "protection key",
+ giving 32 possible keys.
+
+ There is a user-accessible register (AMR) with two separate bits;
+ Access Disable and Write Disable, for each key. Being a CPU
+ register, AMR is inherently thread-local, potentially giving each
+ thread a different set of protections from every other thread. NOTE:
+ Disabling read permission does not disable write and vice-versa.
+
+ The feature is available on 64-bit HPTE mode only.
+ 'mtspr 0xd, mem' reads the AMR register
+ 'mfspr mem, 0xd' writes into the AMR register.
+
+
+
+Permissions are enforced on data access only and have no effect on
instruction fetches.
=========================== Syscalls ===========================
@@ -28,9 +53,9 @@ There are 3 system calls which directly interact with pkeys:
unsigned long prot, int pkey);
Before a pkey can be used, it must first be allocated with
-pkey_alloc(). An application calls the WRPKRU instruction
+pkey_alloc(). An application calls the WRPKRU/AMR instruction
directly in order to change access permissions to memory covered
-with a key. In this example WRPKRU is wrapped by a C function
+with a key. In this example WRPKRU/AMR is wrapped by a C function
called pkey_set().
int real_prot = PROT_READ|PROT_WRITE;
@@ -52,11 +77,11 @@ is no longer in use:
munmap(ptr, PAGE_SIZE);
pkey_free(pkey);
-(Note: pkey_set() is a wrapper for the RDPKRU and WRPKRU instructions.
+(Note: pkey_set() is a wrapper for the RDPKRU,WRPKRU or AMR instructions.
An example implementation can be found in
tools/testing/selftests/x86/protection_keys.c)
-=========================== Behavior ===========================
+=========================== Behavior =================================
The kernel attempts to make protection keys consistent with the
behavior of a plain mprotect(). For instance if you do this:
@@ -83,3 +108,23 @@ with a read():
The kernel will send a SIGSEGV in both cases, but si_code will be set
to SEGV_PKERR when violating protection keys versus SEGV_ACCERR when
the plain mprotect() permissions are violated.
+
+
+====================================================================
+ Semantic differences
+
+The following semantic differences exist between x86 and power.
+
+a) powerpc allows creation of a key with execute-disabled. The following
+ is allowed on powerpc.
+ pkey = pkey_alloc(0, PKEY_DISABLE_WRITE | PKEY_DISABLE_ACCESS |
+ PKEY_DISABLE_EXECUTE);
+ x86 disallows PKEY_DISABLE_EXECUTE during key creation.
+
+b) changing the permission bits of a key from a signal handler does not
+ persist on x86. The PKRU specific fpregs entry needs to be modified
+ for it to persist. On powerpc the permission bits of the key can be
+ modified by programming the AMR register from the signal handler.
+ The changes persists across signal boundaries.
+
+=====================================================================
--
1.7.1
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2017-07-05 21:24 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-05 21:21 [RFC v5 00/38] powerpc: Memory Protection Keys Ram Pai
2017-07-05 21:21 ` [RFC v5 01/38] powerpc: Free up four 64K PTE bits in 4K backed HPTE pages Ram Pai
2017-07-07 7:25 ` Balbir Singh
2017-07-05 21:21 ` [RFC v5 02/38] powerpc: Free up four 64K PTE bits in 64K " Ram Pai
2017-07-11 5:59 ` Balbir Singh
2017-07-11 15:44 ` Ram Pai
2017-07-12 3:10 ` Balbir Singh
2017-07-13 7:39 ` Ram Pai
2017-07-05 21:21 ` [RFC v5 03/38] powerpc: introduce pte_set_hash_slot() helper Ram Pai
2017-07-05 21:21 ` [RFC v5 04/38] powerpc: introduce pte_get_hash_gslot() helper Ram Pai
2017-07-05 21:21 ` [RFC v5 05/38] powerpc: capture the PTE format changes in the dump pte report Ram Pai
2017-07-05 21:21 ` [RFC v5 06/38] powerpc: use helper functions in __hash_page_64K() for 64K PTE Ram Pai
2017-07-05 21:21 ` [RFC v5 07/38] powerpc: use helper functions in __hash_page_huge() " Ram Pai
2017-07-05 21:21 ` [RFC v5 08/38] powerpc: use helper functions in __hash_page_4K() " Ram Pai
2017-07-05 21:21 ` [RFC v5 09/38] powerpc: use helper functions in __hash_page_4K() for 4K PTE Ram Pai
2017-07-05 21:21 ` [RFC v5 10/38] powerpc: use helper functions in flush_hash_page() Ram Pai
2017-07-05 21:21 ` [RFC v5 11/38] mm: introduce an additional vma bit for powerpc pkey Ram Pai
2017-07-11 18:10 ` Dave Hansen
2017-07-12 22:23 ` Ram Pai
2017-07-12 22:40 ` Benjamin Herrenschmidt
2017-07-05 21:21 ` [RFC v5 12/38] mm: ability to disable execute permission on a key at creation Ram Pai
2017-07-11 18:11 ` Dave Hansen
2017-07-11 21:29 ` Benjamin Herrenschmidt
2017-07-11 21:51 ` Ram Pai
2017-07-11 21:57 ` Dave Hansen
2017-07-11 22:14 ` Ram Pai
2017-07-11 22:19 ` Dave Hansen
2017-07-11 22:08 ` Benjamin Herrenschmidt
2017-07-11 22:19 ` Ram Pai
2017-07-05 21:21 ` [RFC v5 13/38] x86: disallow pkey creation with PKEY_DISABLE_EXECUTE Ram Pai
2017-07-11 18:12 ` Dave Hansen
2017-07-05 21:21 ` [RFC v5 14/38] powerpc: initial plumbing for key management Ram Pai
2017-07-12 3:28 ` Balbir Singh
2017-07-13 7:45 ` Ram Pai
2017-07-13 20:37 ` Ram Pai
2017-07-13 21:30 ` Balbir Singh
2017-07-05 21:21 ` [RFC v5 15/38] powerpc: helper function to read,write AMR,IAMR,UAMOR registers Ram Pai
2017-07-12 5:26 ` Balbir Singh
2017-07-13 7:55 ` Ram Pai
2017-07-13 9:49 ` Balbir Singh
2017-07-13 23:29 ` Ram Pai
2017-07-05 21:21 ` [RFC v5 16/38] powerpc: implementation for arch_set_user_pkey_access() Ram Pai
2017-07-05 21:21 ` [RFC v5 17/38] powerpc: sys_pkey_alloc() and sys_pkey_free() system calls Ram Pai
2017-07-05 21:21 ` [RFC v5 18/38] powerpc: store and restore the pkey state across context switches Ram Pai
2017-07-05 21:21 ` [RFC v5 19/38] powerpc: introduce execute-only pkey Ram Pai
2017-07-05 21:21 ` [RFC v5 20/38] powerpc: ability to associate pkey to a vma Ram Pai
2017-07-05 21:21 ` [RFC v5 21/38] powerpc: implementation for arch_override_mprotect_pkey() Ram Pai
2017-07-05 21:21 ` [RFC v5 22/38] powerpc: map vma key-protection bits to pte key bits Ram Pai
2017-07-05 21:22 ` [RFC v5 23/38] powerpc: sys_pkey_mprotect() system call Ram Pai
2017-07-05 21:22 ` [RFC v5 24/38] powerpc: Program HPTE key protection bits Ram Pai
2017-07-05 21:22 ` [RFC v5 25/38] powerpc: helper to validate key-access permissions of a pte Ram Pai
2017-07-05 21:22 ` [RFC v5 26/38] powerpc: check key protection for user page access Ram Pai
2017-07-05 21:22 ` [RFC v5 27/38] powerpc: Macro the mask used for checking DSI exception Ram Pai
2017-07-05 21:22 ` [RFC v5 28/38] powerpc: implementation for arch_vma_access_permitted() Ram Pai
2017-07-05 21:22 ` [RFC v5 29/38] powerpc: Handle exceptions caused by pkey violation Ram Pai
2017-07-05 21:22 ` [RFC v5 30/38] powerpc: capture AMR register content on " Ram Pai
2017-07-05 21:22 ` [RFC v5 31/38] powerpc: introduce get_pte_pkey() helper Ram Pai
2017-07-10 3:11 ` Anshuman Khandual
2017-07-10 5:55 ` Ram Pai
2017-07-11 11:22 ` Anshuman Khandual
2017-07-05 21:22 ` [RFC v5 32/38] powerpc: capture the violated protection key on fault Ram Pai
2017-07-10 3:10 ` Anshuman Khandual
2017-07-10 5:49 ` Ram Pai
2017-07-05 21:22 ` [RFC v5 33/38] powerpc: Deliver SEGV signal on pkey violation Ram Pai
2017-07-10 3:08 ` Anshuman Khandual
2017-07-05 21:22 ` [RFC v5 34/38] procfs: display the protection-key number associated with a vma Ram Pai
2017-07-10 3:07 ` Anshuman Khandual
2017-07-10 6:01 ` Ram Pai
2017-07-11 18:13 ` Dave Hansen
2017-07-13 8:03 ` Ram Pai
2017-07-13 14:07 ` Dave Hansen
2017-07-13 17:04 ` Ram Pai
2017-07-05 21:22 ` [RFC v5 35/38] selftest: Move protecton key selftest to arch neutral directory Ram Pai
2017-07-05 21:22 ` [RFC v5 36/38] selftest: PowerPC specific test updates to memory protection keys Ram Pai
2017-07-11 17:33 ` Dave Hansen
2017-07-12 21:57 ` Ram Pai
2017-07-05 21:22 ` [RFC v5 37/38] Documentation: Move protecton key documentation to arch neutral directory Ram Pai
2017-07-05 21:22 ` Ram Pai [this message]
2017-07-10 3:07 ` [RFC v5 38/38] Documentation: PowerPC specific updates to memory protection keys Anshuman Khandual
2017-07-10 5:59 ` Ram Pai
2017-07-11 18:23 ` Dave Hansen
2017-07-13 19:56 ` Ram Pai
2017-07-10 5:43 ` [RFC v5 00/38] powerpc: Memory Protection Keys Anshuman Khandual
2017-07-10 6:05 ` Ram Pai
2017-07-10 17:15 ` Ram Pai
2017-07-11 14:52 ` Michal Hocko
2017-07-11 19:32 ` Ram Pai
2017-07-11 21:30 ` Benjamin Herrenschmidt
2017-07-12 7:23 ` Michal Hocko
2017-07-12 7:39 ` Michal Hocko
2017-07-12 22:53 ` Benjamin Herrenschmidt
2017-07-13 6:20 ` Michal Hocko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1499289735-14220-39-git-send-email-linuxram@us.ibm.com \
--to=linuxram@us.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=aneesh.kumar@linux.vnet.ibm.com \
--cc=arnd@arndb.de \
--cc=benh@kernel.crashing.org \
--cc=bsingharora@gmail.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@intel.com \
--cc=hbabu@us.ibm.com \
--cc=khandual@linux.vnet.ibm.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mingo@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=paulus@samba.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).