From: Igor Stoppa <igor.stoppa@huawei.com>
To: willy@infradead.org, keescook@chromium.org, mhocko@kernel.org
Cc: david@fromorbit.com, rppt@linux.vnet.ibm.com, labbott@redhat.com,
linux-security-module@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com, igor.stoppa@gmail.com,
Igor Stoppa <igor.stoppa@huawei.com>
Subject: [PATCH 6/6] Documentation for Pmalloc
Date: Tue, 27 Mar 2018 04:55:24 +0300 [thread overview]
Message-ID: <20180327015524.14318-7-igor.stoppa@huawei.com> (raw)
In-Reply-To: <20180327015524.14318-1-igor.stoppa@huawei.com>
Detailed documentation about the protectable memory allocator.
Signed-off-by: Igor Stoppa <igor.stoppa@huawei.com>
---
Documentation/core-api/index.rst | 1 +
Documentation/core-api/pmalloc.rst | 101 +++++++++++++++++++++++++++++++++++++
2 files changed, 102 insertions(+)
create mode 100644 Documentation/core-api/pmalloc.rst
diff --git a/Documentation/core-api/index.rst b/Documentation/core-api/index.rst
index c670a8031786..8f5de42d6571 100644
--- a/Documentation/core-api/index.rst
+++ b/Documentation/core-api/index.rst
@@ -25,6 +25,7 @@ Core utilities
genalloc
errseq
printk-formats
+ pmalloc
Interfaces for kernel debugging
===============================
diff --git a/Documentation/core-api/pmalloc.rst b/Documentation/core-api/pmalloc.rst
new file mode 100644
index 000000000000..3d2c19e5deaf
--- /dev/null
+++ b/Documentation/core-api/pmalloc.rst
@@ -0,0 +1,101 @@
+.. SPDX-License-Identifier: GPL-2.0
+
+.. _pmalloc:
+
+Protectable memory allocator
+============================
+
+Purpose
+-------
+
+The pmalloc library is meant to provide read-only status to data that,
+for some reason, could neither be declared as constant, nor could it take
+advantage of the qualifier __ro_after_init, but is write-once and
+read-only in spirit.
+It protects data from both accidental and malicious overwrites.
+
+Example: A policy that is loaded from userspace.
+
+
+Concept
+-------
+
+The MMU available in the system can be used to write protect memory pages.
+Unfortunately this feature cannot be used as-it-is, to protect sensitive
+data, because it is typically interleaved with data that must stay
+writeable.
+
+pmalloc introduces the concept of protectable memory pools.
+Each pool contains a list of areas of virtually contiguous pages of
+memory. An area is the minimum amount of memory that pmalloc allows to
+protect, because the data it contains can be larger than a single page.
+
+When an allocation is performed, if there is not enough memory already
+available in the pool, a new area of suitable size is allocated.
+The size chosen is the largest between the roundup (to PAGE_SIZE) of
+the request from pmalloc and friends and the refill parameter specified
+when creating the pool.
+
+When a pool is created, it is possible to specify two parameters:
+- refill size: the minimum size of the memory area to allocate when needed
+- align_order: the default alignment to use when returning to pmalloc
+
+Caveats
+-------
+
+- To facilitate the conversion of existing code to pmalloc pools, several
+ helper functions are provided, mirroring their k/vmalloc counterparts.
+ In particular, pfree(), which is mostly meant for error paths, when one
+ or more previous allocations must be rolled back.
+
+- Whatever memory was still available in the previous area (where
+ applicable) is relinquished.
+
+- Freeing of memory is not supported. Pages will be returned to the
+ system upon destruction of the memory pool.
+
+- Considering that not much data is supposed to be dynamically allocated
+ and then marked as read-only, it shouldn't be an issue that the address
+ range for pmalloc is limited, on 32-bit systems.
+
+- Regarding SMP systems, the allocations are expected to happen mostly
+ during an initial transient, after which there should be no more need to
+ perform cross-processor synchronizations of page tables.
+
+
+Use
+---
+
+The typical sequence, when using pmalloc, is:
+
+#. create a pool
+
+ :c:func:`pmalloc_create_pool`
+
+#. [optional] pre-allocate some memory in the pool
+
+ :c:func:`pmalloc_prealloc`
+
+#. issue one or more allocation requests to the pool with locking as needed
+
+ :c:func:`pmalloc`
+
+ :c:func:`pzalloc`
+
+#. initialize the memory obtained with desired values
+
+#. write-protect the memory so far allocated
+
+ :c::func:`pmalloc_protect_pool`
+
+#. iterate over the last 3 points as needed
+
+#. [optional] destroy the pool
+
+ :c:func:`pmalloc_destroy_pool`
+
+API
+---
+
+.. kernel-doc:: include/linux/pmalloc.h
+.. kernel-doc:: mm/pmalloc.c
--
2.14.1
next prev parent reply other threads:[~2018-03-27 1:57 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-27 1:55 [RFC PATCH v20 0/6] mm: security: ro protection for dynamic data Igor Stoppa
2018-03-27 1:55 ` [PATCH 1/6] struct page: add field for vm_struct Igor Stoppa
2018-03-27 1:55 ` [PATCH 2/6] vmalloc: rename llist field in vmap_area Igor Stoppa
2018-03-27 1:55 ` [PATCH 3/6] Protectable Memory Igor Stoppa
2018-03-27 2:31 ` Matthew Wilcox
2018-03-27 11:43 ` Igor Stoppa
2018-03-27 21:57 ` kbuild test robot
2018-03-27 1:55 ` [PATCH 4/6] Pmalloc selftest Igor Stoppa
2018-03-27 1:55 ` [PATCH 5/6] lkdtm: crash on overwriting protected pmalloc var Igor Stoppa
2018-03-27 1:55 ` Igor Stoppa [this message]
-- strict thread matches above, loose matches on Subject: below --
2018-03-27 15:37 [RFC PATCH v21 0/6] mm: security: ro protection for dynamic data Igor Stoppa
2018-03-27 15:37 ` [PATCH 6/6] Documentation for Pmalloc Igor Stoppa
2018-02-12 16:52 [RFC PATCH v16 0/6] mm: security: ro protection for dynamic data Igor Stoppa
2018-02-12 16:53 ` [PATCH 6/6] Documentation for Pmalloc Igor Stoppa
2018-02-11 3:19 [RFC PATCH v15 0/6] mm: security: ro protection for dynamic data Igor Stoppa
2018-02-11 3:19 ` [PATCH 6/6] Documentation for Pmalloc Igor Stoppa
2018-02-11 21:17 ` Matthew Wilcox
2018-02-12 11:28 ` Igor Stoppa
2018-02-04 16:47 [RFC PATCH v14 0/6] mm: security: ro protection for dynamic data Igor Stoppa
2018-02-04 17:00 ` [PATCH 5/6] Pmalloc: self-test Igor Stoppa
2018-02-04 17:00 ` [PATCH 6/6] Documentation for Pmalloc Igor Stoppa
2018-02-04 21:37 ` Randy Dunlap
2018-02-09 16:41 ` Igor Stoppa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180327015524.14318-7-igor.stoppa@huawei.com \
--to=igor.stoppa@huawei.com \
--cc=david@fromorbit.com \
--cc=igor.stoppa@gmail.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mhocko@kernel.org \
--cc=rppt@linux.vnet.ibm.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox