From: Igor Stoppa <igor.stoppa@huawei.com>
To: <willy@infradead.org>, <keescook@chromium.org>, <mhocko@kernel.org>
Cc: <david@fromorbit.com>, <rppt@linux.vnet.ibm.com>,
<labbott@redhat.com>, <linux-security-module@vger.kernel.org>,
<linux-mm@kvack.org>, <linux-kernel@vger.kernel.org>,
<kernel-hardening@lists.openwall.com>, <igor.stoppa@gmail.com>,
Igor Stoppa <igor.stoppa@huawei.com>
Subject: [PATCH 6/6] Documentation for Pmalloc
Date: Tue, 27 Mar 2018 04:55:24 +0300 [thread overview]
Message-ID: <20180327015524.14318-7-igor.stoppa@huawei.com> (raw)
In-Reply-To: <20180327015524.14318-1-igor.stoppa@huawei.com>
Detailed documentation about the protectable memory allocator.
Signed-off-by: Igor Stoppa <igor.stoppa@huawei.com>
---
Documentation/core-api/index.rst | 1 +
Documentation/core-api/pmalloc.rst | 101 +++++++++++++++++++++++++++++++++++++
2 files changed, 102 insertions(+)
create mode 100644 Documentation/core-api/pmalloc.rst
diff --git a/Documentation/core-api/index.rst b/Documentation/core-api/index.rst
index c670a8031786..8f5de42d6571 100644
--- a/Documentation/core-api/index.rst
+++ b/Documentation/core-api/index.rst
@@ -25,6 +25,7 @@ Core utilities
genalloc
errseq
printk-formats
+ pmalloc
Interfaces for kernel debugging
===============================
diff --git a/Documentation/core-api/pmalloc.rst b/Documentation/core-api/pmalloc.rst
new file mode 100644
index 000000000000..3d2c19e5deaf
--- /dev/null
+++ b/Documentation/core-api/pmalloc.rst
@@ -0,0 +1,101 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+.. _pmalloc:
+
+Protectable memory allocator
+============================
+
+Purpose
+-------
+
+The pmalloc library is meant to provide read-only status to data that,
+for some reason, could neither be declared as constant, nor could it take
+advantage of the qualifier __ro_after_init, but is write-once and
+read-only in spirit.
+It protects data from both accidental and malicious overwrites.
+
+Example: A policy that is loaded from userspace.
+
+
+Concept
+-------
+
+The MMU available in the system can be used to write protect memory pages.
+Unfortunately this feature cannot be used as-it-is, to protect sensitive
+data, because it is typically interleaved with data that must stay
+writeable.
+
+pmalloc introduces the concept of protectable memory pools.
+Each pool contains a list of areas of virtually contiguous pages of
+memory. An area is the minimum amount of memory that pmalloc allows to
+protect, because the data it contains can be larger than a single page.
+
+When an allocation is performed, if there is not enough memory already
+available in the pool, a new area of suitable size is allocated.
+The size chosen is the largest between the roundup (to PAGE_SIZE) of
+the request from pmalloc and friends and the refill parameter specified
+when creating the pool.
+
+When a pool is created, it is possible to specify two parameters:
+- refill size: the minimum size of the memory area to allocate when needed
+- align_order: the default alignment to use when returning to pmalloc
+
+Caveats
+-------
+
+- To facilitate the conversion of existing code to pmalloc pools, several
+ helper functions are provided, mirroring their k/vmalloc counterparts.
+ In particular, pfree(), which is mostly meant for error paths, when one
+ or more previous allocations must be rolled back.
+
+- Whatever memory was still available in the previous area (where
+ applicable) is relinquished.
+
+- Freeing of memory is not supported. Pages will be returned to the
+ system upon destruction of the memory pool.
+
+- Considering that not much data is supposed to be dynamically allocated
+ and then marked as read-only, it shouldn't be an issue that the address
+ range for pmalloc is limited, on 32-bit systems.
+
+- Regarding SMP systems, the allocations are expected to happen mostly
+ during an initial transient, after which there should be no more need to
+ perform cross-processor synchronizations of page tables.
+
+
+Use
+---
+
+The typical sequence, when using pmalloc, is:
+
+#. create a pool
+
+ :c:func:`pmalloc_create_pool`
+
+#. [optional] pre-allocate some memory in the pool
+
+ :c:func:`pmalloc_prealloc`
+
+#. issue one or more allocation requests to the pool with locking as needed
+
+ :c:func:`pmalloc`
+
+ :c:func:`pzalloc`
+
+#. initialize the memory obtained with desired values
+
+#. write-protect the memory so far allocated
+
+ :c::func:`pmalloc_protect_pool`
+
+#. iterate over the last 3 points as needed
+
+#. [optional] destroy the pool
+
+ :c:func:`pmalloc_destroy_pool`
+
+API
+---
+
+.. kernel-doc:: include/linux/pmalloc.h
+.. kernel-doc:: mm/pmalloc.c
--
2.14.1
WARNING: multiple messages have this Message-ID (diff)
From: igor.stoppa@huawei.com (Igor Stoppa)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 6/6] Documentation for Pmalloc
Date: Tue, 27 Mar 2018 04:55:24 +0300 [thread overview]
Message-ID: <20180327015524.14318-7-igor.stoppa@huawei.com> (raw)
In-Reply-To: <20180327015524.14318-1-igor.stoppa@huawei.com>
Detailed documentation about the protectable memory allocator.
Signed-off-by: Igor Stoppa <igor.stoppa@huawei.com>
---
Documentation/core-api/index.rst | 1 +
Documentation/core-api/pmalloc.rst | 101 +++++++++++++++++++++++++++++++++++++
2 files changed, 102 insertions(+)
create mode 100644 Documentation/core-api/pmalloc.rst
diff --git a/Documentation/core-api/index.rst b/Documentation/core-api/index.rst
index c670a8031786..8f5de42d6571 100644
--- a/Documentation/core-api/index.rst
+++ b/Documentation/core-api/index.rst
@@ -25,6 +25,7 @@ Core utilities
genalloc
errseq
printk-formats
+ pmalloc
Interfaces for kernel debugging
===============================
diff --git a/Documentation/core-api/pmalloc.rst b/Documentation/core-api/pmalloc.rst
new file mode 100644
index 000000000000..3d2c19e5deaf
--- /dev/null
+++ b/Documentation/core-api/pmalloc.rst
@@ -0,0 +1,101 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+.. _pmalloc:
+
+Protectable memory allocator
+============================
+
+Purpose
+-------
+
+The pmalloc library is meant to provide read-only status to data that,
+for some reason, could neither be declared as constant, nor could it take
+advantage of the qualifier __ro_after_init, but is write-once and
+read-only in spirit.
+It protects data from both accidental and malicious overwrites.
+
+Example: A policy that is loaded from userspace.
+
+
+Concept
+-------
+
+The MMU available in the system can be used to write protect memory pages.
+Unfortunately this feature cannot be used as-it-is, to protect sensitive
+data, because it is typically interleaved with data that must stay
+writeable.
+
+pmalloc introduces the concept of protectable memory pools.
+Each pool contains a list of areas of virtually contiguous pages of
+memory. An area is the minimum amount of memory that pmalloc allows to
+protect, because the data it contains can be larger than a single page.
+
+When an allocation is performed, if there is not enough memory already
+available in the pool, a new area of suitable size is allocated.
+The size chosen is the largest between the roundup (to PAGE_SIZE) of
+the request from pmalloc and friends and the refill parameter specified
+when creating the pool.
+
+When a pool is created, it is possible to specify two parameters:
+- refill size: the minimum size of the memory area to allocate when needed
+- align_order: the default alignment to use when returning to pmalloc
+
+Caveats
+-------
+
+- To facilitate the conversion of existing code to pmalloc pools, several
+ helper functions are provided, mirroring their k/vmalloc counterparts.
+ In particular, pfree(), which is mostly meant for error paths, when one
+ or more previous allocations must be rolled back.
+
+- Whatever memory was still available in the previous area (where
+ applicable) is relinquished.
+
+- Freeing of memory is not supported. Pages will be returned to the
+ system upon destruction of the memory pool.
+
+- Considering that not much data is supposed to be dynamically allocated
+ and then marked as read-only, it shouldn't be an issue that the address
+ range for pmalloc is limited, on 32-bit systems.
+
+- Regarding SMP systems, the allocations are expected to happen mostly
+ during an initial transient, after which there should be no more need to
+ perform cross-processor synchronizations of page tables.
+
+
+Use
+---
+
+The typical sequence, when using pmalloc, is:
+
+#. create a pool
+
+ :c:func:`pmalloc_create_pool`
+
+#. [optional] pre-allocate some memory in the pool
+
+ :c:func:`pmalloc_prealloc`
+
+#. issue one or more allocation requests to the pool with locking as needed
+
+ :c:func:`pmalloc`
+
+ :c:func:`pzalloc`
+
+#. initialize the memory obtained with desired values
+
+#. write-protect the memory so far allocated
+
+ :c::func:`pmalloc_protect_pool`
+
+#. iterate over the last 3 points as needed
+
+#. [optional] destroy the pool
+
+ :c:func:`pmalloc_destroy_pool`
+
+API
+---
+
+.. kernel-doc:: include/linux/pmalloc.h
+.. kernel-doc:: mm/pmalloc.c
--
2.14.1
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Igor Stoppa <igor.stoppa@huawei.com>
To: willy@infradead.org, keescook@chromium.org, mhocko@kernel.org
Cc: david@fromorbit.com, rppt@linux.vnet.ibm.com, labbott@redhat.com,
linux-security-module@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com, igor.stoppa@gmail.com,
Igor Stoppa <igor.stoppa@huawei.com>
Subject: [PATCH 6/6] Documentation for Pmalloc
Date: Tue, 27 Mar 2018 04:55:24 +0300 [thread overview]
Message-ID: <20180327015524.14318-7-igor.stoppa@huawei.com> (raw)
In-Reply-To: <20180327015524.14318-1-igor.stoppa@huawei.com>
Detailed documentation about the protectable memory allocator.
Signed-off-by: Igor Stoppa <igor.stoppa@huawei.com>
---
Documentation/core-api/index.rst | 1 +
Documentation/core-api/pmalloc.rst | 101 +++++++++++++++++++++++++++++++++++++
2 files changed, 102 insertions(+)
create mode 100644 Documentation/core-api/pmalloc.rst
diff --git a/Documentation/core-api/index.rst b/Documentation/core-api/index.rst
index c670a8031786..8f5de42d6571 100644
--- a/Documentation/core-api/index.rst
+++ b/Documentation/core-api/index.rst
@@ -25,6 +25,7 @@ Core utilities
genalloc
errseq
printk-formats
+ pmalloc
Interfaces for kernel debugging
===============================
diff --git a/Documentation/core-api/pmalloc.rst b/Documentation/core-api/pmalloc.rst
new file mode 100644
index 000000000000..3d2c19e5deaf
--- /dev/null
+++ b/Documentation/core-api/pmalloc.rst
@@ -0,0 +1,101 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+.. _pmalloc:
+
+Protectable memory allocator
+============================
+
+Purpose
+-------
+
+The pmalloc library is meant to provide read-only status to data that,
+for some reason, could neither be declared as constant, nor could it take
+advantage of the qualifier __ro_after_init, but is write-once and
+read-only in spirit.
+It protects data from both accidental and malicious overwrites.
+
+Example: A policy that is loaded from userspace.
+
+
+Concept
+-------
+
+The MMU available in the system can be used to write protect memory pages.
+Unfortunately this feature cannot be used as-it-is, to protect sensitive
+data, because it is typically interleaved with data that must stay
+writeable.
+
+pmalloc introduces the concept of protectable memory pools.
+Each pool contains a list of areas of virtually contiguous pages of
+memory. An area is the minimum amount of memory that pmalloc allows to
+protect, because the data it contains can be larger than a single page.
+
+When an allocation is performed, if there is not enough memory already
+available in the pool, a new area of suitable size is allocated.
+The size chosen is the largest between the roundup (to PAGE_SIZE) of
+the request from pmalloc and friends and the refill parameter specified
+when creating the pool.
+
+When a pool is created, it is possible to specify two parameters:
+- refill size: the minimum size of the memory area to allocate when needed
+- align_order: the default alignment to use when returning to pmalloc
+
+Caveats
+-------
+
+- To facilitate the conversion of existing code to pmalloc pools, several
+ helper functions are provided, mirroring their k/vmalloc counterparts.
+ In particular, pfree(), which is mostly meant for error paths, when one
+ or more previous allocations must be rolled back.
+
+- Whatever memory was still available in the previous area (where
+ applicable) is relinquished.
+
+- Freeing of memory is not supported. Pages will be returned to the
+ system upon destruction of the memory pool.
+
+- Considering that not much data is supposed to be dynamically allocated
+ and then marked as read-only, it shouldn't be an issue that the address
+ range for pmalloc is limited, on 32-bit systems.
+
+- Regarding SMP systems, the allocations are expected to happen mostly
+ during an initial transient, after which there should be no more need to
+ perform cross-processor synchronizations of page tables.
+
+
+Use
+---
+
+The typical sequence, when using pmalloc, is:
+
+#. create a pool
+
+ :c:func:`pmalloc_create_pool`
+
+#. [optional] pre-allocate some memory in the pool
+
+ :c:func:`pmalloc_prealloc`
+
+#. issue one or more allocation requests to the pool with locking as needed
+
+ :c:func:`pmalloc`
+
+ :c:func:`pzalloc`
+
+#. initialize the memory obtained with desired values
+
+#. write-protect the memory so far allocated
+
+ :c::func:`pmalloc_protect_pool`
+
+#. iterate over the last 3 points as needed
+
+#. [optional] destroy the pool
+
+ :c:func:`pmalloc_destroy_pool`
+
+API
+---
+
+.. kernel-doc:: include/linux/pmalloc.h
+.. kernel-doc:: mm/pmalloc.c
--
2.14.1
next prev parent reply other threads:[~2018-03-27 1:55 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-27 1:55 [RFC PATCH v20 0/6] mm: security: ro protection for dynamic data Igor Stoppa
2018-03-27 1:55 ` Igor Stoppa
2018-03-27 1:55 ` Igor Stoppa
2018-03-27 1:55 ` [PATCH 1/6] struct page: add field for vm_struct Igor Stoppa
2018-03-27 1:55 ` Igor Stoppa
2018-03-27 1:55 ` Igor Stoppa
2018-03-27 1:55 ` [PATCH 2/6] vmalloc: rename llist field in vmap_area Igor Stoppa
2018-03-27 1:55 ` Igor Stoppa
2018-03-27 1:55 ` Igor Stoppa
2018-03-27 1:55 ` [PATCH 3/6] Protectable Memory Igor Stoppa
2018-03-27 1:55 ` Igor Stoppa
2018-03-27 1:55 ` Igor Stoppa
2018-03-27 2:31 ` Matthew Wilcox
2018-03-27 2:31 ` Matthew Wilcox
2018-03-27 11:43 ` Igor Stoppa
2018-03-27 11:43 ` Igor Stoppa
2018-03-27 11:43 ` Igor Stoppa
2018-03-27 21:57 ` kbuild test robot
2018-03-27 21:57 ` kbuild test robot
2018-03-27 21:57 ` kbuild test robot
2018-03-27 1:55 ` [PATCH 4/6] Pmalloc selftest Igor Stoppa
2018-03-27 1:55 ` Igor Stoppa
2018-03-27 1:55 ` Igor Stoppa
2018-03-27 1:55 ` [PATCH 5/6] lkdtm: crash on overwriting protected pmalloc var Igor Stoppa
2018-03-27 1:55 ` Igor Stoppa
2018-03-27 1:55 ` Igor Stoppa
2018-03-27 1:55 ` Igor Stoppa [this message]
2018-03-27 1:55 ` [PATCH 6/6] Documentation for Pmalloc Igor Stoppa
2018-03-27 1:55 ` Igor Stoppa
-- strict thread matches above, loose matches on Subject: below --
2018-03-27 15:37 [RFC PATCH v21 0/6] mm: security: ro protection for dynamic data Igor Stoppa
2018-03-27 15:37 ` [PATCH 6/6] Documentation for Pmalloc Igor Stoppa
2018-03-27 15:37 ` Igor Stoppa
2018-03-27 15:37 ` Igor Stoppa
2018-02-12 16:52 [RFC PATCH v16 0/6] mm: security: ro protection for dynamic data Igor Stoppa
2018-02-12 16:53 ` [PATCH 6/6] Documentation for Pmalloc Igor Stoppa
2018-02-12 16:53 ` Igor Stoppa
2018-02-12 16:53 ` Igor Stoppa
2018-02-12 16:53 ` Igor Stoppa
2018-02-11 3:19 [RFC PATCH v15 0/6] mm: security: ro protection for dynamic data Igor Stoppa
2018-02-11 3:19 ` [PATCH 6/6] Documentation for Pmalloc Igor Stoppa
2018-02-11 3:19 ` Igor Stoppa
2018-02-11 3:19 ` Igor Stoppa
2018-02-11 3:19 ` Igor Stoppa
2018-02-11 21:17 ` Matthew Wilcox
2018-02-11 21:17 ` Matthew Wilcox
2018-02-11 21:17 ` Matthew Wilcox
2018-02-12 11:28 ` Igor Stoppa
2018-02-12 11:28 ` Igor Stoppa
2018-02-12 11:28 ` Igor Stoppa
2018-02-12 11:28 ` Igor Stoppa
2018-02-04 16:47 [RFC PATCH v14 0/6] mm: security: ro protection for dynamic data Igor Stoppa
2018-02-04 17:00 ` [PATCH 5/6] Pmalloc: self-test Igor Stoppa
2018-02-04 17:00 ` [PATCH 6/6] Documentation for Pmalloc Igor Stoppa
2018-02-04 17:00 ` Igor Stoppa
2018-02-04 17:00 ` Igor Stoppa
2018-02-04 17:00 ` Igor Stoppa
2018-02-04 21:37 ` Randy Dunlap
2018-02-04 21:37 ` Randy Dunlap
2018-02-04 21:37 ` Randy Dunlap
2018-02-09 16:41 ` Igor Stoppa
2018-02-09 16:41 ` Igor Stoppa
2018-02-09 16:41 ` Igor Stoppa
2018-02-09 16:41 ` Igor Stoppa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180327015524.14318-7-igor.stoppa@huawei.com \
--to=igor.stoppa@huawei.com \
--cc=david@fromorbit.com \
--cc=igor.stoppa@gmail.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mhocko@kernel.org \
--cc=rppt@linux.vnet.ibm.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.