From: Jarkko Sakkinen
To: x86@kernel.org, linux-sgx@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Sean Christopherson, linux-mm@kvack.org, Andrew Morton, Matthew Wilcox, Jethro Beekman, Darren Kenny, Jarkko Sakkinen, andriy.shevchenko@linux.intel.com, asapek@google.com, bp@alien8.de, cedric.xing@intel.com, chenalexchen@google.com, conradparker@google.com, cyhanish@google.com, dave.hansen@intel.com, haitao.huang@intel.com, kai.huang@intel.com, kai.svahn@intel.com, kmoy@google.com, ludloff@google.com, luto@kernel.org, nhorman@redhat.com, npmccallum@redhat.com, puiterwijk@redhat.com, rientjes@google.com, tglx@linutronix.de, yaozhangx@google.com, mikko.ylinen@intel.com
Subject: [PATCH v40 10/24] mm: Add 'mprotect' hook to struct vm_operations_struct
Date: Wed, 4 Nov 2020 16:54:16 +0200
Message-Id: <20201104145430.300542-11-jarkko.sakkinen@linux.intel.com>
In-Reply-To: <20201104145430.300542-1-jarkko.sakkinen@linux.intel.com>
References: <20201104145430.300542-1-jarkko.sakkinen@linux.intel.com>

From: Sean Christopherson

Background
==========

1. SGX enclave pages are populated with data by copying from normal memory
   via ioctl() (SGX_IOC_ENCLAVE_ADD_PAGES), which will be added later in
   this series.
2. It is desirable to be able to restrict those normal memory data sources.
   For instance, to ensure that the source data is executable before
   copying data to an executable enclave page.
3. Enclave page permissions are dynamic (just like normal permissions) and
   can be adjusted at runtime with mprotect().

This creates a problem because the original data source may have long since
vanished at the time when enclave page permissions are established (mmap()
or mprotect()).

The solution (elsewhere in this series) is to force enclave creators to
declare their paging permission *intent* up front to the ioctl(). This
intent can be immediately compared to the source data’s mapping and
rejected if necessary.

The “intent” is also stashed off for later comparison with enclave PTEs.
This ensures that any future mmap()/mprotect() operations performed by the
enclave creator or done on behalf of the enclave can be compared with the
earlier declared permissions.

Problem
=======

There is an existing mmap() hook which allows SGX to perform this
permission comparison at mmap() time. However, there is no corresponding
->mprotect() hook.

Solution
========

Add a vm_ops->mprotect() hook so that mprotect() operations which are
inconsistent with any page's stashed intent can be rejected by the driver.

Cc: linux-mm@kvack.org
Cc: Andrew Morton
Cc: Matthew Wilcox
Acked-by: Jethro Beekman
Reviewed-by: Darren Kenny
Signed-off-by: Sean Christopherson
Co-developed-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
---
 include/linux/mm.h | 3 +++
 mm/mprotect.c      | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/include/linux/mm.h b/include/linux/mm.h
index ef360fe70aaf..eb38eabc5039 100644
--- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -559,6 +559,9 @@ struct vm_operations_struct { void (*close)(struct vm_area_struct * area); int (*split)(struct vm_area_struct * area, unsigned long addr); int (*mremap)(struct vm_area_struct * area); + int (*mprotect)(struct vm_area_struct *vma, + struct vm_area_struct **pprev, unsigned long start, + unsigned long end, unsigned long newflags); vm_fault_t (*fault)(struct vm_fault *vmf); vm_fault_t (*huge_fault)(struct vm_fault *vmf, enum page_entry_size pe_size); diff --git a/mm/mprotect.c b/mm/mprotect.c index 56c02beb6041..1fd4fa71ce16 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -616,7 +616,10 @@ static int do_mprotect_pkey(unsigned long start, siz= e_t len, tmp =3D vma->vm_end; if (tmp > end) tmp =3D end; - error =3D mprotect_fixup(vma, &prev, nstart, tmp, newflags); + if (vma->vm_ops && vma->vm_ops->mprotect) + error =3D vma->vm_ops->mprotect(vma, &prev, nstart, tmp, newflags); + else + error =3D mprotect_fixup(vma, &prev, nstart, tmp, newflags); if (error) goto out; nstart =3D tmp; --=20 2.27.0
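
Review bot: The new ->mprotect member in the include/linux/mm.h hunk has no comment describing its contract, and the contract is not obvious from the prototype. The mm/mprotect.c hunk calls the hook instead of mprotect_fixup(), so an implementer needs to be told that the hook is responsible for applying the change itself, what it must do with *pprev, and that a non-zero return aborts the mprotect() loop. A short comment above the member saying so would keep future drivers from treating it as a pure permission check.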
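
Review bot: In the do_mprotect_pkey() hunk the hook replaces mprotect_fixup() rather than gating it, so a hook that only validates and returns 0 leaves the VMA's protection unchanged and prev not updated while the loop still advances with "nstart = tmp". Since the stated purpose is to let the driver reject inconsistent requests, consider calling the hook first as a check and then always calling mprotect_fixup() when it returns 0; the hook would then no longer need the pprev argument.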
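
The intent check the commit message describes, together with the hook-or-generic dispatch from the mm/mprotect.c hunk, as a userspace model. This is an added example, not code from this patch or from the SGX driver; the names model_vma, model_ops, model_fixup, enclave_mprotect and model_mprotect, the permission constants, and the declared[] table are hypothetical, and the sample data is constructed.

```c
#include <errno.h>
#include <stdio.h>

/* Userspace model only: every name here is hypothetical, not a kernel symbol. */
enum { P_R = 1, P_W = 2, P_X = 4, PG = 4096, NPAGES = 4 };
/* Constructed sample: permission intent declared for each page when added. */
static const unsigned long declared[NPAGES] = { P_R | P_X, P_R | P_X, P_R | P_W, P_R };

struct model_vma { const struct model_ops *ops; unsigned long flags; };
struct model_ops {
    int (*mprotect)(struct model_vma *, unsigned long, unsigned long, unsigned long);
};

/* Stand-in for the generic path that actually applies the new protection. */
static int model_fixup(struct model_vma *vma, unsigned long newflags)
{
    vma->flags = newflags;
    return 0;
}

/* Driver hook: refuse a range if any page's intent lacks a requested bit. */
static int enclave_mprotect(struct model_vma *vma, unsigned long start,
                            unsigned long end, unsigned long newflags)
{
    if (start >= end || start % PG || end % PG || end / PG > NPAGES)
        return -EINVAL;
    for (unsigned long i = start / PG; i < end / PG; i++)
        if (newflags & ~declared[i])
            return -EACCES;
    return model_fixup(vma, newflags); /* the hook replaces the generic call */
}
static const struct model_ops enclave_ops = { .mprotect = enclave_mprotect };

/* Dispatch shaped like the patched do_mprotect_pkey(): hook if set, else generic. */
static int model_mprotect(struct model_vma *vma, unsigned long start,
                          unsigned long end, unsigned long newflags)
{
    if (vma->ops && vma->ops->mprotect)
        return vma->ops->mprotect(vma, start, end, newflags);
    return model_fixup(vma, newflags);
}

int main(void)
{
    struct model_vma v = { &enclave_ops, P_R };
    printf("RX on pages 0-1: %d\n", model_mprotect(&v, 0, 2 * PG, P_R | P_X));
    printf("RWX on pages 1-2: %d\n", model_mprotect(&v, PG, 3 * PG, P_R | P_W | P_X));
    return 0;
}
```

A request is refused as a whole when any single page in the range lacks a requested bit, and a mapping with no hook takes the generic path unchecked.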