From: Ram Pai <linuxram@us.ibm.com>
To: linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org,
linux-arch@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org,
linux-doc@vger.kernel.org, linux-kselftest@vger.kernel.org
Cc: benh@kernel.crashing.org, paulus@samba.org, mpe@ellerman.id.au,
khandual@linux.vnet.ibm.com, aneesh.kumar@linux.vnet.ibm.com,
bsingharora@gmail.com, dave.hansen@intel.com, hbabu@us.ibm.com,
linuxram@us.ibm.com, arnd@arndb.de, akpm@linux-foundation.org,
corbet@lwn.net, mingo@redhat.com, mhocko@kernel.org
Subject: [RFC v6 00/62] powerpc: Memory Protection Keys
Date: Sat, 15 Jul 2017 20:56:02 -0700
Message-ID: <1500177424-13695-1-git-send-email-linuxram@us.ibm.com>
Memory protection keys enable applications to protect their
address space from inadvertent access or corruption from
themselves.
The overall idea:
-----------------
A process allocates a key and associates it with
an address range within its address space.
The process then can dynamically set read/write
permissions on the key without involving the
kernel. Any code that violates the permissions
of the address space, as defined by its associated
key, will receive a segmentation fault.
This patch series enables the feature on PPC64 HPTE
platform.
ISA3.0 section 5.7.13 describes the detailed
specifications.
High-level view of the design:
------------------------------
When an application associates a key with an
address range, program the key in the Linux PTE.
When the MMU detects a page fault, allocate a hash
page and program the key into HPTE. And finally
when the MMU detects a key violation, due to
invalid application access, invoke the registered
signal handler and provide the violated key number
as well as the state of the key register (AMR), at
the time it faulted.
Testing:
-------
This patch series has passed all the protection key
tests available in the selftests directory. The
tests are updated to work on both x86 and powerpc.
Outstanding issues:
-------------------
How will the application know if pkey is enabled, if
so how many pkeys are available? Is
PKEY_DISABLE_EXECUTE supported? - Ben.
History:
-------
version v6:
(1) selftest changes are broken down into 20
incremental patches.
(2) A separate key allocation mask that
includes PKEY_DISABLE_EXECUTE is
added for powerpc
(3) pkey feature is enabled for 64K HPT case
only. RPT and 4k HPT are disabled.
(4) Documentation is updated to better
capture the semantics.
(5) introduced arch_pkeys_enabled() to find
if an arch enables pkeys. Correspondingly
changed the logic that displays
key value in smaps.
(6) code rearranged in many places based on
comments from Dave Hansen, Balbir,
Anshuman.
(7) fixed one bug where a bogus key could be
associated successfully in
pkey_mprotect().
version v5:
(1) reverted back to the old design -- store
the key in the pte, instead of bypassing
it. The v4 design slowed down the hash
page path.
(2) detects key violation when kernel is told
to access user pages.
(3) further refined the patches into smaller
consumable units
(4) page fault handlers capture the faulting
key from the pte instead of the vma. This
closes a race between the key
update in the vma and a key fault caused
by the key programmed in the pte.
(5) a key created with access-denied should
also set it up to deny write. Fixed it.
(6) protection-key number is displayed in
smaps the x86 way.
version v4:
(1) patches no longer depend on the pte bits
to program the hpte
-- comment by Balbir
(2) documentation updates
(3) fixed a bug in the selftest.
(4) unlike x86, powerpc lets signal handler
change key permission bits; the
change will persist across signal
handler boundaries. Earlier we
allowed the signal handler to
modify a field in the siginfo
structure which would then be used
by the kernel to program the key
protection register (AMR)
-- resolves an issue raised by Ben.
"Calls to sys_swapcontext with a
made-up context will end up with a
crap AMR if done by code who didn't
know about that register".
(5) these changes enable protection keys on
4k-page kernel as well.
version v3:
(1) split the patches into smaller consumable
patches.
(2) added the ability to disable execute
permission on a key at creation.
(3) rename calc_pte_to_hpte_pkey_bits() to
pte_to_hpte_pkey_bits()
-- suggested by Anshuman
(4) some code optimization and clarity in
do_page_fault()
(5) A bug fix while invalidating a hpte slot
in __hash_page_4K()
-- noticed by Aneesh
version v2:
(1) documentation and selftest added.
(2) fixed a bug in 4k hpte backed 64k pte
where page invalidation was not
done correctly, and initialization
of second-part-of-the-pte was not
done correctly if the pte was not
yet Hashed with a hpte.
-- Reported by Aneesh.
(3) Fixed ABI breakage caused in siginfo
structure.
-- Reported by Anshuman.
version v1: Initial version
Ram Pai (62):
powerpc: Free up four 64K PTE bits in 4K backed HPTE pages
powerpc: Free up four 64K PTE bits in 64K backed HPTE pages
powerpc: introduce pte_set_hash_slot() helper
powerpc: introduce pte_get_hash_gslot() helper
powerpc: capture the PTE format changes in the dump pte report
powerpc: use helper functions in __hash_page_64K() for 64K PTE
powerpc: use helper functions in __hash_page_huge() for 64K PTE
powerpc: use helper functions in __hash_page_4K() for 64K PTE
powerpc: use helper functions in __hash_page_4K() for 4K PTE
powerpc: use helper functions in flush_hash_page()
powerpc: initial pkey plumbing
mm: introduce an additional vma bit for powerpc pkey
powerpc: track allocation status of all pkeys
powerpc: helper function to read,write AMR,IAMR,UAMOR registers
powerpc: helper functions to initialize AMR, IAMR and UMOR registers
powerpc: cleaup AMR,iAMR when a key is allocated or freed
powerpc: implementation for arch_set_user_pkey_access()
powerpc: sys_pkey_alloc() and sys_pkey_free() system calls
powerpc: ability to create execute-disabled pkeys
powerpc: store and restore the pkey state across context switches
powerpc: introduce execute-only pkey
powerpc: ability to associate pkey to a vma
powerpc: implementation for arch_override_mprotect_pkey()
powerpc: map vma key-protection bits to pte key bits.
powerpc: sys_pkey_mprotect() system call
powerpc: Program HPTE key protection bits
powerpc: helper to validate key-access permissions of a pte
powerpc: check key protection for user page access
powerpc: Macro the mask used for checking DSI exception
powerpc: implementation for arch_vma_access_permitted()
powerpc: Handle exceptions caused by pkey violation
powerpc: capture AMR register content on pkey violation
powerpc: introduce get_pte_pkey() helper
powerpc: capture the violated protection key on fault
powerpc: Deliver SEGV signal on pkey violation
mm: introduce arch_pkeys_enabled()
x86: implementation for arch_pkeys_enabled()
powerpc: implementation for arch_pkeys_enabled()
mm: display pkey in smaps if arch_pkeys_enabled() is true
x86: delete arch_show_smap()
selftest/x86: Move protecton key selftest to arch neutral directory
selftest/vm: rename all references to pkru to a generic name
selftest/vm: move generic definitions to header file
selftest/vm: typecast the pkey register
selftest/vm: generics function to handle shadow key register
selftest/vm: fix the wrong assert in pkey_disable_set()
selftest/vm: fixed bugs in pkey_disable_clear()
selftest/vm: clear the bits in shadow reg when a pkey is freed.
selftest/vm: fix alloc_random_pkey() to make it really random
selftest/vm: introduce two arch independent abstraction
selftest/vm: pkey register should match shadow pkey
selftest/vm: generic cleanup
selftest/vm: powerpc implementation for generic abstraction
selftest/vm: fix an assertion in test_pkey_alloc_exhaust()
selftest/vm: associate key on a mapped page and detect access
violation
selftest/vm: detect no key violation on a freed key
selftest/vm: associate key on a mapped page and detect write
violation
selftest/vm: detect no write key-violation on a freed key
selftest/vm: detect write violation on a mapped access-denied-key
page
selftest/vm: sub-page allocator
Documentation/x86: Move protecton key documentation to arch neutral
directory
Documentation/vm: PowerPC specific updates to memory protection keys
Documentation/vm/protection-keys.txt | 125 ++
Documentation/x86/protection-keys.txt | 85 --
arch/powerpc/Kconfig | 16 +
arch/powerpc/include/asm/book3s/64/hash-4k.h | 20 +
arch/powerpc/include/asm/book3s/64/hash-64k.h | 60 +-
arch/powerpc/include/asm/book3s/64/hash.h | 7 +-
arch/powerpc/include/asm/book3s/64/mmu-hash.h | 10 +
arch/powerpc/include/asm/book3s/64/mmu.h | 10 +
arch/powerpc/include/asm/book3s/64/pgtable.h | 64 +-
arch/powerpc/include/asm/mman.h | 16 +-
arch/powerpc/include/asm/mmu_context.h | 14 +
arch/powerpc/include/asm/paca.h | 4 +
arch/powerpc/include/asm/pkeys.h | 226 ++++
arch/powerpc/include/asm/processor.h | 5 +
arch/powerpc/include/asm/reg.h | 8 +-
arch/powerpc/include/asm/systbl.h | 3 +
arch/powerpc/include/asm/unistd.h | 6 +-
arch/powerpc/include/uapi/asm/ptrace.h | 1 +
arch/powerpc/include/uapi/asm/unistd.h | 3 +
arch/powerpc/kernel/asm-offsets.c | 6 +
arch/powerpc/kernel/exceptions-64s.S | 2 +-
arch/powerpc/kernel/process.c | 18 +
arch/powerpc/kernel/setup_64.c | 4 +
arch/powerpc/kernel/signal_32.c | 5 +
arch/powerpc/kernel/signal_64.c | 4 +
arch/powerpc/kernel/traps.c | 15 +
arch/powerpc/mm/Makefile | 1 +
arch/powerpc/mm/dump_linuxpagetables.c | 3 +-
arch/powerpc/mm/fault.c | 31 +
arch/powerpc/mm/hash64_4k.c | 14 +-
arch/powerpc/mm/hash64_64k.c | 124 ++-
arch/powerpc/mm/hash_utils_64.c | 65 +-
arch/powerpc/mm/hugetlbpage-hash64.c | 16 +-
arch/powerpc/mm/mmu_context_book3s64.c | 2 +
arch/powerpc/mm/pkeys.c | 279 +++++
arch/x86/include/asm/pkeys.h | 1 +
arch/x86/kernel/fpu/xstate.c | 5 +
arch/x86/kernel/setup.c | 8 -
fs/proc/task_mmu.c | 15 +-
include/linux/mm.h | 20 +-
include/linux/pkeys.h | 5 +
tools/testing/selftests/vm/Makefile | 1 +
tools/testing/selftests/vm/pkey-helpers.h | 394 +++++++
tools/testing/selftests/vm/protection_keys.c | 1500 +++++++++++++++++++++++++
tools/testing/selftests/x86/Makefile | 2 +-
tools/testing/selftests/x86/pkey-helpers.h | 219 ----
tools/testing/selftests/x86/protection_keys.c | 1395 -----------------------
47 files changed, 2993 insertions(+), 1844 deletions(-)
create mode 100644 Documentation/vm/protection-keys.txt
delete mode 100644 Documentation/x86/protection-keys.txt
create mode 100644 arch/powerpc/include/asm/pkeys.h
create mode 100644 arch/powerpc/mm/pkeys.c
create mode 100644 tools/testing/selftests/vm/pkey-helpers.h
create mode 100644 tools/testing/selftests/vm/protection_keys.c
delete mode 100644 tools/testing/selftests/x86/pkey-helpers.h
delete mode 100644 tools/testing/selftests/x86/protection_keys.c
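Added illustration, not code from this patch series: a small model of how a SIGSEGV handler could check the violated key number against the AMR snapshot that the cover letter says is delivered on a key violation. The layout (32 keys, 2 bits per key, key 0 in the most significant bits) follows the upstream Linux powerpc pkey code and is an assumption with respect to this RFC; all helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (upstream Linux powerpc pkey code, not shown on this page):
 * 32 keys, 2 bits per key, key 0 in the most significant bits of the AMR. */
#define AMR_BITS_PER_PKEY 2
#define AMR_RD_BIT 0x1ULL   /* set = reads denied  */
#define AMR_WR_BIT 0x2ULL   /* set = writes denied */
#define NR_PKEYS 32
enum access { ACC_READ, ACC_WRITE };

/* Bit offset of a key's 2-bit field, or -1 for a key outside the register. */
static int pkeyshift(int pkey)
{
    if (pkey < 0 || pkey >= NR_PKEYS)
        return -1;
    return 64 - (pkey + 1) * AMR_BITS_PER_PKEY;
}

/* Return amr with pkey's field replaced by bits; unchanged for a bogus key. */
static uint64_t amr_set(uint64_t amr, int pkey, uint64_t bits)
{
    int shift = pkeyshift(pkey);
    if (shift < 0)
        return amr;
    amr &= ~((AMR_RD_BIT | AMR_WR_BIT) << shift);
    return amr | ((bits & (AMR_RD_BIT | AMR_WR_BIT)) << shift);
}

/* 1 if the key's AMR bits deny the access, 0 if they allow it, -1 if bogus key. */
static int amr_denies(uint64_t amr, int pkey, enum access acc)
{
    int shift = pkeyshift(pkey);
    if (shift < 0)
        return -1;
    uint64_t bits = (amr >> shift) & (AMR_RD_BIT | AMR_WR_BIT);
    return (bits & (acc == ACC_READ ? AMR_RD_BIT : AMR_WR_BIT)) != 0;
}

/* Triage a fault report: does the AMR snapshot explain the faulting access? */
static const char *triage(uint64_t amr, int pkey, enum access acc)
{
    switch (amr_denies(amr, pkey, acc)) {
    case 1:  return "consistent: key denied this access";
    case 0:  return "inconsistent: key allowed this access";
    default: return "invalid key number";
    }
}

int main(void)
{
    /* Constructed sample: key 2 write-protected, key 5 fully inaccessible. */
    uint64_t amr = amr_set(0, 2, AMR_WR_BIT);
    amr = amr_set(amr, 5, AMR_RD_BIT | AMR_WR_BIT);
    printf("write via key 2: %s\n", triage(amr, 2, ACC_WRITE));
    printf("read  via key 2: %s\n", triage(amr, 2, ACC_READ));
    printf("read  via key 5: %s\n", triage(amr, 5, ACC_READ));
    return 0;
}
```

An "inconsistent" result means the snapshot does not explain the fault for that key, so the fault report or the assumed layout should be rechecked before trusting the key number.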