From: Christophe Leroy <christophe.leroy@c-s.fr>
To: Michael Ellerman <mpe@ellerman.id.au>,
linuxppc-dev@ozlabs.org, Russell Currey <ruscur@russell.cc>
Subject: Re: [PATCH v6 09/10] powerpc/64s: Implement KUAP for Radix MMU
Date: Fri, 17 Apr 2020 12:10:00 +0200 [thread overview]
Message-ID: <41c548be-e5f1-c8cb-4cdc-27bf360d3f70@c-s.fr> (raw)
In-Reply-To: <20190418065125.2687-9-mpe@ellerman.id.au>
Le 18/04/2019 à 08:51, Michael Ellerman a écrit :
> Kernel Userspace Access Prevention utilises a feature of the Radix MMU
> which disallows read and write access to userspace addresses. By
> utilising this, the kernel is prevented from accessing user data from
> outside of trusted paths that perform proper safety checks, such as
> copy_{to/from}_user() and friends.
>
> Userspace access is disabled from early boot and is only enabled when
> performing an operation like copy_{to/from}_user(). The register that
> controls this (AMR) does not prevent userspace from accessing itself,
> so there is no need to save and restore when entering and exiting
> userspace.
>
> When entering the kernel from the kernel we save AMR and if it is not
> blocking user access (because eg. we faulted doing a user access) we
> reblock user access for the duration of the exception (ie. the page
> fault) and then restore the AMR when returning back to the kernel.
>
> This feature can be tested by using the lkdtm driver (CONFIG_LKDTM=y)
> and performing the following:
>
> # (echo ACCESS_USERSPACE) > [debugfs]/provoke-crash/DIRECT
>
> If enabled, this should send SIGSEGV to the thread.
>
> We also add paranoid checking of AMR in switch and syscall return
> under CONFIG_PPC_KUAP_DEBUG.
>
> Co-authored-by: Michael Ellerman <mpe@ellerman.id.au>
> Signed-off-by: Russell Currey <ruscur@russell.cc>
> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
[...]
> diff --git a/arch/powerpc/kernel/entry_64.S b/arch/powerpc/kernel/entry_64.S
> index 15c67d2c0534..7cc25389c6bd 100644
> --- a/arch/powerpc/kernel/entry_64.S
> +++ b/arch/powerpc/kernel/entry_64.S
[...]
> @@ -594,6 +606,8 @@ _GLOBAL(_switch)
> std r23,_CCR(r1)
> std r1,KSP(r3) /* Set old stack pointer */
>
> + kuap_check_amr r9, r10
> +
> FLUSH_COUNT_CACHE
>
> /*
I'm having a problem with this check. As you know I implemented the
exact same check in _switch() in entry_32.S. After adding some printk
inside an user_access_begin()/user_access_end() section, I started to
get valid user accesses blocked by KUAP. Then I activated
CONFIG_PPC_KUAP_DEBUG which led me to WARNINGs on this check.
This is due to schedule() being called by printk() inside the section
where user access is unlocked. How is this supposed to work ? When
scheduling via the decrementer interrupt, the value of the KUAP register
is saved on stack at interrupt entry and the one from the new task is
restored at interrupt exit, but I can't see where it is done when
schedule() is called directly.
Did I miss something when implementing KUAP for PPC32 ?
Christophe
next prev parent reply other threads:[~2020-04-17 10:12 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-18 6:51 [PATCH v6 01/10] powerpc/powernv/idle: Restore IAMR after idle Michael Ellerman
2019-04-18 6:51 ` [PATCH v6 02/10] powerpc/powernv/idle: Restore AMR/UAMOR/AMOR " Michael Ellerman
2019-04-18 6:51 ` [PATCH v6 03/10] powerpc: Add framework for Kernel Userspace Protection Michael Ellerman
2019-04-18 6:51 ` [PATCH v6 04/10] powerpc: Add skeleton for Kernel Userspace Execution Prevention Michael Ellerman
2019-04-18 6:51 ` [PATCH v6 05/10] powerpc: Add a framework for Kernel Userspace Access Protection Michael Ellerman
2019-04-18 6:51 ` [PATCH v6 06/10] powerpc/64: Setup KUP on secondary CPUs Michael Ellerman
2019-04-24 6:03 ` Christophe Leroy
2019-04-18 6:51 ` [PATCH v6 07/10] powerpc/mm/radix: Use KUEP API for Radix MMU Michael Ellerman
2019-04-18 6:51 ` [PATCH v6 08/10] powerpc/lib: Refactor __patch_instruction() to use __put_user_asm() Michael Ellerman
2019-04-18 6:51 ` [PATCH v6 09/10] powerpc/64s: Implement KUAP for Radix MMU Michael Ellerman
2020-04-17 10:10 ` Christophe Leroy [this message]
2020-04-17 10:39 ` Nicholas Piggin
2020-04-17 12:02 ` Christophe Leroy
2019-04-18 6:51 ` [PATCH v6 10/10] powerpc/mm: Detect bad KUAP faults Michael Ellerman
2019-04-21 14:19 ` [v6,01/10] powerpc/powernv/idle: Restore IAMR after idle Michael Ellerman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41c548be-e5f1-c8cb-4cdc-27bf360d3f70@c-s.fr \
--to=christophe.leroy@c-s.fr \
--cc=linuxppc-dev@ozlabs.org \
--cc=mpe@ellerman.id.au \
--cc=ruscur@russell.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.