From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752618AbcHAOn6 (ORCPT ); Mon, 1 Aug 2016 10:43:58 -0400 Received: from mx2.suse.de ([195.135.220.15]:39232 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751587AbcHAOnv (ORCPT ); Mon, 1 Aug 2016 10:43:51 -0400 Subject: Re: [PATCH 08/10] x86, pkeys: default to a restrictive init PKRU To: Dave Hansen , linux-kernel@vger.kernel.org References: <20160729163009.5EC1D38C@viggo.jf.intel.com> <20160729163021.F3C25D4A@viggo.jf.intel.com> Cc: x86@kernel.org, linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, torvalds@linux-foundation.org, akpm@linux-foundation.org, luto@kernel.org, mgorman@techsingularity.net, dave.hansen@linux.intel.com, arnd@arndb.de From: Vlastimil Babka Message-ID: Date: Mon, 1 Aug 2016 16:42:51 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2 MIME-Version: 1.0 In-Reply-To: <20160729163021.F3C25D4A@viggo.jf.intel.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 07/29/2016 06:30 PM, Dave Hansen wrote: > From: Dave Hansen > > PKRU is the register that lets you disallow writes or all access > to a given protection key. > > The XSAVE hardware defines an "init state" of 0 for PKRU: its > most permissive state, allowing access/writes to everything. > Since we start off all new processes with the init state, we > start all processes off with the most permissive possible PKRU. > > This is unfortunate. If a thread is clone()'d [1] before a > program has time to set PKRU to a restrictive value, that thread > will be able to write to all data, no matter what pkey is set on > it. This weakens any integrity guarantees that we want pkeys to > provide. > > To fix this, we define a very restrictive PKRU to override the > XSAVE-provided value when we create a new FPU context. We choose > a value that only allows access to pkey 0, which is as > restrictive as we can practically make it. > > This does not cause any practical problems with applications > using protection keys because we require them to specify initial > permissions for each key when it is allocated, which override the > restrictive default. Here you mean the init_access_rights parameter of pkey_alloc()? So will children of fork() after that pkey_alloc() inherit the new value or go default? > In the end, this ensures that threads which do not know how to > manage their own pkey rights can not do damage to data which is > pkey-protected. > > 1. I would have thought this was a pretty contrived scenario, > except that I heard a bug report from an MPX user who was > creating threads in some very early code before main(). It > may be crazy, but folks evidently _do_ it. > > Signed-off-by: Dave Hansen