From: Andy Lutomirski <luto@amacapital.net>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Dave Hansen <dave.hansen@linux.intel.com>,
"H. Peter Anvin" <hpa@zytor.com>, Oleg Nesterov <oleg@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@kernel.org>, Borislav Petkov <bp@alien8.de>,
Brian Gerst <brgerst@gmail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Christoph Hellwig <hch@lst.de>
Subject: Re: Rethinking sigcontext's xfeatures slightly for PKRU's benefit?
Date: Fri, 18 Dec 2015 14:28:45 -0800 [thread overview]
Message-ID: <CALCETrVj51q3=AkP2PGFOKPqv0CxukbUEhvv0n6+XT+OngJK2Q@mail.gmail.com> (raw)
In-Reply-To: <CA+55aFyVJF48-QwZBD++1u8CB7EYrO1rMnwsZFW4rTBFoNXSZw@mail.gmail.com>
On Fri, Dec 18, 2015 at 1:45 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Fri, Dec 18, 2015 at 1:12 PM, Dave Hansen
> <dave.hansen@linux.intel.com> wrote:
>>
>> But, if we are picking out an execute-only pkey more dynamically, we've
>> got to keep the default value for the entire process somewhere.
>
> How dynamic do we want to make this, though?
>
> I haven't looked at the details, and perhaps more importantly, I don't
> know what exactly are the requirements you've gotten from the people
> who are expected to actually use this.
>
> I think we might want to hardcode a couple of keys as "kernel
> reserved". And I'd rather reserve them up-front than have some user
> program be unhappy later when we want to use them.
>
> I guess we want to leave key #0 for "normal page", so my suggesting to
> use that for the execute-only was probably misguided.
>
> But I do think we might want to have that "no read access" as a real
> fixed key too, because I think the kernel itself would want to use it:
>
> (a) to make sure that it gets the right fault when user space passes
> in a execute-only address to a system call.
>
> (b) for much more efficient PAGEALLOC_DEBUG for kernel mappings.
>
> so I do think that we'd want to reserve two of the 16 keys up front.
>
> Would it be ok for the expected users to have those keys simply be
> fixed? With key 0 being used for all default pages, and key 1 being
> used for all execute-only pages? And then defaulting PKRU to 4,
> disallowing access to that key #1?
>
> I could imagine that some kernel person would want to use even more
> keys, but I think two fixed keys are kind of the minimal we'd want to
> use.
I imagine we'd reserve key 0 for normal page and key 1 for deny-read.
Let me be a bit more concrete about what I'm suggesting:
We'd have thread_struct.baseline_pkru. It would start with key 0
allowing all access and key 1 denying reads.
We'd have a syscall like set_protection_key that could allocate unused
keys and change the values of keys that have been allocated. Those
changes would be reflected in baseline_pkru. Changes to keys 0 and 1
in baseline_pkru would not be allowed.
Signal delivery would load baseline_pkru into the PKRU register.
Signal restore would restore PKRU to its previous value.
WRPKRU would, of course, override baseline_pkru, but it wouldn't
change baseline_pkru. The set_protection_key syscall would modify
*both* real PKRU and baseline_pkru.
Apps that don't want to use the baseline_pkru mechanism could use
syscalls to claim ownership of protection keys but then manage them
purely with WRPKRU directly. We could optionally disallow
mprotect_key on keys that weren't allocated in advance.
Does that seem sane?
--Andy
next prev parent reply other threads:[~2015-12-18 22:29 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-18 1:48 Rethinking sigcontext's xfeatures slightly for PKRU's benefit? Andy Lutomirski
2015-12-18 2:13 ` Dave Hansen
2015-12-18 2:32 ` Andy Lutomirski
2015-12-18 2:52 ` Dave Hansen
2015-12-18 5:29 ` Andy Lutomirski
2015-12-18 6:43 ` H. Peter Anvin
2015-12-18 16:04 ` Andy Lutomirski
2015-12-18 16:56 ` Dave Hansen
2015-12-18 18:42 ` Dave Hansen
2015-12-18 19:21 ` Andy Lutomirski
2015-12-18 20:07 ` Dave Hansen
2015-12-18 20:28 ` Andy Lutomirski
2015-12-18 20:37 ` Linus Torvalds
2015-12-18 20:49 ` Andy Lutomirski
2015-12-18 20:58 ` H. Peter Anvin
2015-12-18 21:02 ` Andy Lutomirski
2015-12-18 21:08 ` Dave Hansen
2015-12-18 21:04 ` Linus Torvalds
2015-12-18 21:09 ` Linus Torvalds
2015-12-18 21:12 ` Dave Hansen
2015-12-18 21:45 ` Linus Torvalds
2015-12-18 22:28 ` Andy Lutomirski [this message]
2015-12-18 23:08 ` Linus Torvalds
2015-12-18 23:16 ` Andy Lutomirski
2015-12-18 23:20 ` Linus Torvalds
2015-12-21 17:04 ` Dave Hansen
2015-12-21 22:52 ` Andy Lutomirski
2015-12-21 23:00 ` Dave Hansen
2015-12-21 23:02 ` Andy Lutomirski
2015-12-21 23:05 ` Dave Hansen
2015-12-21 23:04 ` Dave Hansen
2015-12-21 23:07 ` Andy Lutomirski
2016-06-30 17:36 ` Andy Lutomirski
2016-06-30 21:25 ` Dave Hansen
2016-07-01 16:30 ` Andy Lutomirski
2015-12-29 23:48 ` Dave Hansen
2015-12-18 8:32 ` Ingo Molnar
2015-12-18 8:59 ` Christoph Hellwig
2015-12-18 12:57 ` Borislav Petkov
2016-01-12 13:38 ` Ingo Molnar
2016-01-12 13:42 ` Christoph Hellwig
2016-01-13 10:48 ` Ingo Molnar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALCETrVj51q3=AkP2PGFOKPqv0CxukbUEhvv0n6+XT+OngJK2Q@mail.gmail.com' \
--to=luto@amacapital.net \
--cc=bp@alien8.de \
--cc=brgerst@gmail.com \
--cc=dave.hansen@linux.intel.com \
--cc=hch@lst.de \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=oleg@redhat.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).