From: Jeff Xu
Date: Fri, 5 Jan 2024 11:37:34 -0800
Subject: Re: [RFC PATCH v4 4/4] mseal:add documentation
To: Randy Dunlap
Cc: akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, sroettger@google.com, willy@infradead.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, usama.anjum@collabora.com, jeffxu@google.com, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pedro.falcato@gmail.com, dave.hansen@intel.com, linux-hardening@vger.kernel.org, deraadt@openbsd.org

On Thu, Jan 4, 2024 at 3:47 PM Randy Dunlap wrote:
>
>
>
> On 1/4/24 10:51, jeffxu@chromium.org wrote:
> > From: Jeff Xu
> >
> > Add documentation for mseal().
> >
> > Signed-off-by: Jeff Xu
> > ---
> > Documentation/userspace-api/mseal.rst | 181 ++++++++++++++++++++++++++
> > 1 file changed, 181 insertions(+)
> > create mode 100644 Documentation/userspace-api/mseal.rst
> > > > diff --git a/Documentation/userspace-api/mseal.rst b/Documentation/user= space-api/mseal.rst > > new file mode 100644 > > index 000000000000..1700ce5af218 > > --- /dev/null > > +++ b/Documentation/userspace-api/mseal.rst 
> > @@ -0,0 +1,181 @@ > > +.. SPDX-License-Identifier: GPL-2.0 > > + > > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > > +Introduction of mseal > > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > > + > > +:Author: Jeff Xu > > + > > +Modern CPUs support memory permissions such as RW and NX bits. The mem= ory > > +permission feature improves security stance on memory corruption bugs,= i.e. > > +the attacker can=E2=80=99t just write to arbitrary memory and point th= e code to it, > > +the memory has to be marked with X bit, or else an exception will happ= en. > > + > > +Memory sealing additionally protects the mapping itself against > > +modifications. This is useful to mitigate memory corruption issues whe= re a > > +corrupted pointer is passed to a memory management system. For example= , > > +such an attacker primitive can break control-flow integrity guarantees > > +since read-only memory that is supposed to be trusted can become writa= ble > > +or .text pages can get remapped. Memory sealing can automatically be > > +applied by the runtime loader to seal .text and .rodata pages and > > +applications can additionally seal security critical data at runtime. > > + > > +A similar feature already exists in the XNU kernel with the > > +VM_FLAGS_PERMANENT flag [1] and on OpenBSD with the mimmutable syscall= [2]. > > + > > +User API > > +=3D=3D=3D=3D=3D=3D=3D=3D > > +Two system calls are involved in virtual memory sealing, mseal() and m= map(). > > + > > +mseal() > > +----------- > > +The mseal() syscall has following signature: > > + > > +``int mseal(void addr, size_t len, unsigned long flags)`` > > + > > +**addr/len**: virtual memory address range. > > + > > +The address range set by ``addr``/``len`` must meet: > > + - The start address must be in an allocated VMA. > > + - The start address must be page aligned. > > + - The end address (``addr`` + ``len``) must be in an allocated VMA. 
> > + - no gap (unallocated memory) between start and end address. > > + > > +The ``len`` will be paged aligned implicitly by the kernel.
>
> Does that mean that the will be extended to be page aligned
> if it's not already page aligned?
>
Yes. The code (do_mseal) calls PAGE_ALIGNED(len). mprotect() also has this.

Two test cases cover this part.
test_seal_mprotect_unalign_len
test_seal_mprotect_unalign_len_variant_2

-Jeff

> --
> #Randy
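
Review bot: the signature line in the mseal() section, ``int mseal(void addr, size_t len, unsigned long flags)``, declares addr as plain void; it should read ``void *addr``. In the same section, "The ``len`` will be paged aligned implicitly by the kernel" has a typo ("paged") and does not say in which direction the length is adjusted; since the reply confirms len is extended, say so directly, for example "``len`` is rounded up to the next page boundary by the kernel", and state whether the end-address requirement (``addr`` + ``len`` must be in an allocated VMA) is checked against the rounded value. The fourth list item starts lower-case ("no gap") while the other three are capitalized sentences.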
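
The implicit length rounding discussed in the reply, shown with mprotect(), which the reply says behaves the same way. This is an added example, not code from the patch or the mseal selftests; the helper names `kernel_can_write` and `unaligned_len_probe` are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper: 1 if the kernel can store a byte at p, 0 if the store
 * fails with EFAULT (page not writable), -1 on any other error. read() from a
 * pipe is used so a read-only page yields an errno instead of SIGSEGV. */
static int kernel_can_write(char *p)
{
    int fds[2], ok = -1;
    char c = 'x';
    if (pipe(fds) != 0)
        return -1;
    if (write(fds[1], &c, 1) == 1) {
        ssize_t n = read(fds[0], p, 1);
        ok = (n == 1) ? 1 : (n < 0 && errno == EFAULT) ? 0 : -1;
    }
    close(fds[0]);
    close(fds[1]);
    return ok;
}

/* Map two writable pages, mprotect() only the first byte read-only, then
 * report whether the end of page 0 and the start of page 1 are writable. */
int unaligned_len_probe(int *page0_end, int *page1_start)
{
    long page = sysconf(_SC_PAGESIZE);
    char *base = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -1;
    int rc = mprotect(base, 1, PROT_READ);   /* len = 1, not page aligned */
    if (rc == 0) {
        *page0_end = kernel_can_write(base + page - 1);
        *page1_start = kernel_can_write(base + page);
    }
    munmap(base, 2 * page);
    return rc;
}

int main(void)
{
    int a = -1, b = -1;
    int rc = unaligned_len_probe(&a, &b);
    printf("rc=%d page0_end=%d page1_start=%d\n", rc, a, b);
    return rc != 0;
}
```

A length of one byte changes the protection of the whole first page and leaves the second page untouched, so a caller that passes an unaligned length affects more memory than the length suggests.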