From: Andy Lutomirski <luto@kernel.org>
To: linuxram@us.ibm.com
Cc: Andrew Lutomirski <luto@kernel.org>,
Florian Weimer <fweimer@redhat.com>,
linuxppc-dev <linuxppc-dev@lists.ozlabs.org>,
Linux-MM <linux-mm@kvack.org>,
Dave Hansen <dave.hansen@intel.com>
Subject: Re: pkeys on POWER: Access rights not reset on execve
Date: Sat, 19 May 2018 23:06:20 -0700 [thread overview]
Message-ID: <CALCETrVvQkphypn10A_rkX35DNqi29MJcXYRpRiCFNm02VYz2g@mail.gmail.com> (raw)
In-Reply-To: <20180520060425.GL5479@ram.oc3035372033.ibm.com>
On Sat, May 19, 2018 at 11:04 PM Ram Pai <linuxram@us.ibm.com> wrote:
> On Sat, May 19, 2018 at 04:47:23PM -0700, Andy Lutomirski wrote: > On
Sat, May 19, 2018 at 1:28 PM Ram Pai <linuxram@us.ibm.com> wrote:
> ...snip...
> >
> > So is it possible for two threads to each call pkey_alloc() and end up
with
> > the same key? If so, it seems entirely broken.
> No. Two threads cannot allocate the same key; just like x86.
> > If not, then how do you
> > intend for a multithreaded application to usefully allocate a new key?
> > Regardless, it seems like the current behavior on POWER is very
difficult
> > to work with. Can you give an example of a use case for which POWER's
> > behavior makes sense?
> >
> > For the use cases I've imagined, POWER's behavior does not make sense.
> > x86's is not ideal but is still better. Here are my two example use
cases:
> >
> > 1. A crypto library. Suppose I'm writing a TLS-terminating server, and
I
> > want it to be resistant to Heartbleed-like bugs. I could store my
private
> > keys protected by mprotect_key() and arrange for all threads and signal
> > handlers to have PKRU/AMR values that prevent any access to the memory.
> > When an explicit call is made to sign with the key, I would temporarily
> > change PKRU/AMR to allow access, compute the signature, and change
PKRU/AMR
> > back. On x86 right now, this works nicely. On POWER, it doesn't,
because
> > any thread started before my pkey_alloc() call can access the protected
> > memory, as can any signal handler.
> >
> > 2. A database using mmap() (with persistent memory or otherwise). It
would
> > be nice to be resistant to accidental corruption due to stray writes. I
> > would do more or less the same thing as (1), except that I would want
> > threads that are not actively writing to the database to be able the
> > protected memory. On x86, I need to manually convince threads that may
> > have been started before my pkey_alloc() call as well as signal
handlers to
> > update their PKRU values. On POWER, as in example (1), the error goes
the
> > other direction -- if I fail to propagate the AMR bits to all threads,
> > writes are not blocked.
> I see the problem from an application's point of view, on powerpc. If
> the key allocated in one thread is not activated on all threads
> (existing one and future one), than other threads will not be able
> to modify the key's permissions. Hence they will not be able to control
> access/write to pages to which the key is associated.
> As Florian suggested, I should enable the key's bit in the UAMOR value
> corresponding to existing threads, when a new key is allocated.
> Now, looking at the implementation for x86, I see that sys_mpkey_alloc()
> makes no attempt to modify anything of any other thread. How
> does it manage to activate the key on any other thread? Is this
> magic done by the hardware?
x86 has no equivalent concept to UAMOR. There are 16 keys no matter what.
--Andy
next prev parent reply other threads:[~2018-05-20 6:06 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-18 14:27 Florian Weimer
2018-05-19 1:19 ` Ram Pai
2018-05-19 1:50 ` Andy Lutomirski
2018-05-19 5:26 ` Florian Weimer
2018-05-19 20:27 ` Ram Pai
2018-05-19 23:47 ` Andy Lutomirski
2018-05-20 6:04 ` Ram Pai
2018-05-20 6:06 ` Andy Lutomirski [this message]
2018-05-20 19:11 ` Ram Pai
2018-05-21 11:29 ` Florian Weimer
2018-06-03 20:18 ` Ram Pai
2018-06-04 10:12 ` Florian Weimer
2018-06-04 14:01 ` Ram Pai
2018-06-04 17:57 ` Florian Weimer
2018-06-04 19:02 ` Ram Pai
2018-06-04 21:00 ` Florian Weimer
2018-06-08 2:34 ` Ram Pai
2018-06-08 5:53 ` Florian Weimer
2018-06-08 10:15 ` Michal Suchánek
2018-06-08 10:44 ` Florian Weimer
2018-06-08 12:54 ` Michal Suchánek
2018-06-08 12:57 ` Florian Weimer
2018-06-08 13:49 ` Michal Suchánek
2018-06-08 13:51 ` Florian Weimer
2018-06-08 14:17 ` Michal Suchánek
2018-06-11 17:23 ` Ram Pai
2018-06-11 17:29 ` Florian Weimer
2018-06-11 20:08 ` Ram Pai
2018-06-12 12:17 ` Florian Weimer
2018-05-19 5:12 ` Florian Weimer
2018-05-19 11:11 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CALCETrVvQkphypn10A_rkX35DNqi29MJcXYRpRiCFNm02VYz2g@mail.gmail.com \
--to=luto@kernel.org \
--cc=dave.hansen@intel.com \
--cc=fweimer@redhat.com \
--cc=linux-mm@kvack.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=linuxram@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox