From: Dave Hansen <dave@sr71.net> To: linux-kernel@vger.kernel.org Cc: x86@kernel.org, linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, torvalds@linux-foundation.org, akpm@linux-foundation.org, luto@kernel.org, mgorman@techsingularity.net, Dave Hansen <dave@sr71.net>, dave.hansen@linux.intel.com, arnd@arndb.de Subject: [PATCH 07/10] pkeys: add details of system call use to Documentation/ Date: Fri, 29 Jul 2016 09:30:20 -0700 [thread overview] Message-ID: <20160729163020.59350E33@viggo.jf.intel.com> (raw) In-Reply-To: <20160729163009.5EC1D38C@viggo.jf.intel.com> From: Dave Hansen <dave.hansen@linux.intel.com> This spells out all of the pkey-related system calls that we have and provides some example code fragments to demonstrate how we expect them to be used. Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Cc: linux-api@vger.kernel.org Cc: linux-arch@vger.kernel.org Cc: linux-mm@kvack.org Cc: x86@kernel.org Cc: torvalds@linux-foundation.org Cc: akpm@linux-foundation.org Cc: Arnd Bergmann <arnd@arndb.de> Cc: mgorman@techsingularity.net --- b/Documentation/x86/protection-keys.txt | 62 ++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff -puN Documentation/x86/protection-keys.txt~pkeys-120-syscall-docs Documentation/x86/protection-keys.txt --- a/Documentation/x86/protection-keys.txt~pkeys-120-syscall-docs 2016-07-29 09:18:58.863582283 -0700 +++ b/Documentation/x86/protection-keys.txt 2016-07-29 09:18:58.866582419 -0700 @@ -18,6 +18,68 @@ even though there is theoretically space permissions are enforced on data access only and have no effect on instruction fetches. +=========================== Syscalls =========================== + +There are 2 system calls which directly interact with pkeys: + + int pkey_alloc(unsigned long flags, unsigned long init_access_rights) + int pkey_free(int pkey); + int pkey_mprotect(unsigned long start, size_t len, + unsigned long prot, int pkey); + +Before a pkey can be used, it must first be allocated with +pkey_alloc(). An application calls the WRPKRU instruction +directly in order to change access permissions to memory covered +with a key. In this example WRPKRU is wrapped by a C function +called pkey_set(). + + int real_prot = PROT_READ|PROT_WRITE; + pkey = pkey_alloc(0, PKEY_DENY_WRITE); + ptr = mmap(NULL, PAGE_SIZE, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0); + ret = pkey_mprotect(ptr, PAGE_SIZE, real_prot, pkey); + ... application runs here + +Now, if the application needs to update the data at 'ptr', it can +gain access, do the update, then remove its write access: + + pkey_set(pkey, 0); // clear PKEY_DENY_WRITE + *ptr = foo; // assign something + pkey_set(pkey, PKEY_DENY_WRITE); // set PKEY_DENY_WRITE again + +Now when it frees the memory, it will also free the pkey since it +is no longer in use: + + munmap(ptr, PAGE_SIZE); + pkey_free(pkey); + +=========================== Behavior =========================== + +The kernel attempts to make protection keys consistent with the +behavior of a plain mprotect(). For instance if you do this: + + mprotect(ptr, size, PROT_NONE); + something(ptr); + +you can expect the same effects with protection keys when doing this: + + pkey = pkey_alloc(0, PKEY_DISABLE_WRITE | PKEY_DISABLE_READ); + pkey_mprotect(ptr, size, PROT_READ|PROT_WRITE, pkey); + something(ptr); + +That should be true whether something() is a direct access to 'ptr' +like: + + *ptr = foo; + +or when the kernel does the access on the application's behalf like +with a read(): + + read(fd, ptr, 1); + +The kernel will send a SIGSEGV in both cases, but si_code will be set +to SEGV_PKERR when violating protection keys versus SEGV_ACCERR when +the plain mprotect() permissions are violated. + =========================== Config Option =========================== This config option adds approximately 1.5kb of text. and 50 bytes of _
WARNING: multiple messages have this Message-ID (diff)
From: Dave Hansen <dave@sr71.net> To: linux-kernel@vger.kernel.org Cc: x86@kernel.org, linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, torvalds@linux-foundation.org, akpm@linux-foundation.org, luto@kernel.org, mgorman@techsingularity.net, Dave Hansen <dave@sr71.net>, dave.hansen@linux.intel.com, arnd@arndb.de Subject: [PATCH 07/10] pkeys: add details of system call use to Documentation/ Date: Fri, 29 Jul 2016 09:30:20 -0700 [thread overview] Message-ID: <20160729163020.59350E33@viggo.jf.intel.com> (raw) In-Reply-To: <20160729163009.5EC1D38C@viggo.jf.intel.com> From: Dave Hansen <dave.hansen@linux.intel.com> This spells out all of the pkey-related system calls that we have and provides some example code fragments to demonstrate how we expect them to be used. Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Cc: linux-api@vger.kernel.org Cc: linux-arch@vger.kernel.org Cc: linux-mm@kvack.org Cc: x86@kernel.org Cc: torvalds@linux-foundation.org Cc: akpm@linux-foundation.org Cc: Arnd Bergmann <arnd@arndb.de> Cc: mgorman@techsingularity.net --- b/Documentation/x86/protection-keys.txt | 62 ++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff -puN Documentation/x86/protection-keys.txt~pkeys-120-syscall-docs Documentation/x86/protection-keys.txt --- a/Documentation/x86/protection-keys.txt~pkeys-120-syscall-docs 2016-07-29 09:18:58.863582283 -0700 +++ b/Documentation/x86/protection-keys.txt 2016-07-29 09:18:58.866582419 -0700 @@ -18,6 +18,68 @@ even though there is theoretically space permissions are enforced on data access only and have no effect on instruction fetches. +=========================== Syscalls =========================== + +There are 2 system calls which directly interact with pkeys: + + int pkey_alloc(unsigned long flags, unsigned long init_access_rights) + int pkey_free(int pkey); + int pkey_mprotect(unsigned long start, size_t len, + unsigned long prot, int pkey); + +Before a pkey can be used, it must first be allocated with +pkey_alloc(). An application calls the WRPKRU instruction +directly in order to change access permissions to memory covered +with a key. In this example WRPKRU is wrapped by a C function +called pkey_set(). + + int real_prot = PROT_READ|PROT_WRITE; + pkey = pkey_alloc(0, PKEY_DENY_WRITE); + ptr = mmap(NULL, PAGE_SIZE, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0); + ret = pkey_mprotect(ptr, PAGE_SIZE, real_prot, pkey); + ... application runs here + +Now, if the application needs to update the data at 'ptr', it can +gain access, do the update, then remove its write access: + + pkey_set(pkey, 0); // clear PKEY_DENY_WRITE + *ptr = foo; // assign something + pkey_set(pkey, PKEY_DENY_WRITE); // set PKEY_DENY_WRITE again + +Now when it frees the memory, it will also free the pkey since it +is no longer in use: + + munmap(ptr, PAGE_SIZE); + pkey_free(pkey); + +=========================== Behavior =========================== + +The kernel attempts to make protection keys consistent with the +behavior of a plain mprotect(). For instance if you do this: + + mprotect(ptr, size, PROT_NONE); + something(ptr); + +you can expect the same effects with protection keys when doing this: + + pkey = pkey_alloc(0, PKEY_DISABLE_WRITE | PKEY_DISABLE_READ); + pkey_mprotect(ptr, size, PROT_READ|PROT_WRITE, pkey); + something(ptr); + +That should be true whether something() is a direct access to 'ptr' +like: + + *ptr = foo; + +or when the kernel does the access on the application's behalf like +with a read(): + + read(fd, ptr, 1); + +The kernel will send a SIGSEGV in both cases, but si_code will be set +to SEGV_PKERR when violating protection keys versus SEGV_ACCERR when +the plain mprotect() permissions are violated. + =========================== Config Option =========================== This config option adds approximately 1.5kb of text. and 50 bytes of _ -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@kvack.org. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2016-07-29 16:30 UTC|newest] Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top 2016-07-29 16:30 [PATCH 00/10] [v6] System Calls for Memory Protection Keys Dave Hansen 2016-07-29 16:30 ` Dave Hansen 2016-07-29 16:30 ` [PATCH 01/10] x86, pkeys: add fault handling for PF_PK page fault bit Dave Hansen 2016-07-29 16:30 ` Dave Hansen 2016-09-09 11:10 ` [tip:mm/pkeys] x86/pkeys: Add " tip-bot for Dave Hansen 2016-07-29 16:30 ` [PATCH 02/10] mm: implement new pkey_mprotect() system call Dave Hansen 2016-07-29 16:30 ` Dave Hansen 2016-09-09 11:11 ` [tip:mm/pkeys] mm: Implement " tip-bot for Dave Hansen 2016-07-29 16:30 ` [PATCH 03/10] x86, pkeys: make mprotect_key() mask off additional vm_flags Dave Hansen 2016-07-29 16:30 ` Dave Hansen 2016-09-09 11:11 ` [tip:mm/pkeys] x86/pkeys: Make " tip-bot for Dave Hansen 2016-07-29 16:30 ` [PATCH 04/10] x86, pkeys: allocation/free syscalls Dave Hansen 2016-07-29 16:30 ` Dave Hansen 2016-09-09 11:12 ` [tip:mm/pkeys] x86/pkeys: Allocation/free syscalls tip-bot for Dave Hansen 2016-07-29 16:30 ` [PATCH 05/10] x86: wire up protection keys system calls Dave Hansen 2016-07-29 16:30 ` Dave Hansen 2016-07-29 16:30 ` Dave Hansen 2016-09-09 11:12 ` [tip:mm/pkeys] x86: Wire " tip-bot for Dave Hansen 2016-07-29 16:30 ` [PATCH 06/10] generic syscalls: wire up memory protection keys syscalls Dave Hansen 2016-07-29 16:30 ` Dave Hansen 2016-09-09 11:12 ` [tip:mm/pkeys] generic syscalls: Wire " tip-bot for Dave Hansen 2016-07-29 16:30 ` Dave Hansen [this message] 2016-07-29 16:30 ` [PATCH 07/10] pkeys: add details of system call use to Documentation/ Dave Hansen 2016-09-09 11:13 ` [tip:mm/pkeys] pkeys: Add " tip-bot for Dave Hansen 2016-07-29 16:30 ` [PATCH 08/10] x86, pkeys: default to a restrictive init PKRU Dave Hansen 2016-07-29 16:30 ` Dave Hansen 2016-07-29 17:29 ` Andy Lutomirski 2016-07-29 17:29 ` Andy Lutomirski 2016-07-29 17:50 ` Dave Hansen 2016-07-29 17:50 ` Dave Hansen 2016-07-29 19:44 ` Andy Lutomirski 2016-07-29 19:44 ` Andy Lutomirski 2016-08-01 14:42 ` Vlastimil Babka 2016-08-01 14:42 ` Vlastimil Babka 2016-08-01 14:58 ` Dave Hansen 2016-08-01 14:58 ` Dave Hansen 2016-08-02 8:20 ` Vlastimil Babka 2016-08-02 8:20 ` Vlastimil Babka 2016-09-09 11:13 ` [tip:mm/pkeys] x86/pkeys: Default " tip-bot for Dave Hansen 2016-07-29 16:30 ` [PATCH 09/10] x86, pkeys: allow configuration of init_pkru Dave Hansen 2016-07-29 16:30 ` Dave Hansen 2016-08-02 8:28 ` Vlastimil Babka 2016-08-02 8:28 ` Vlastimil Babka 2016-08-02 14:37 ` Dave Hansen 2016-08-02 14:37 ` Dave Hansen 2016-09-09 11:14 ` [tip:mm/pkeys] x86/pkeys: Allow " tip-bot for Dave Hansen 2016-07-29 16:30 ` [PATCH 10/10] x86, pkeys: add self-tests Dave Hansen 2016-07-29 16:30 ` Dave Hansen 2016-09-09 11:14 ` [tip:mm/pkeys] x86/pkeys: Add self-tests tip-bot for Dave Hansen 2016-08-08 23:18 [PATCH 00/10] [v6] System Calls for Memory Protection Keys Dave Hansen 2016-08-08 23:18 ` [PATCH 07/10] pkeys: add details of system call use to Documentation/ Dave Hansen 2016-08-08 23:18 ` Dave Hansen
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20160729163020.59350E33@viggo.jf.intel.com \ --to=dave@sr71.net \ --cc=akpm@linux-foundation.org \ --cc=arnd@arndb.de \ --cc=dave.hansen@linux.intel.com \ --cc=linux-api@vger.kernel.org \ --cc=linux-arch@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-mm@kvack.org \ --cc=luto@kernel.org \ --cc=mgorman@techsingularity.net \ --cc=torvalds@linux-foundation.org \ --cc=x86@kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.