From: Dave Martin <Dave.Martin@arm.com>
To: Joey Gouly <joey.gouly@arm.com>
Cc: linux-arm-kernel@lists.infradead.org, akpm@linux-foundation.org,
aneesh.kumar@kernel.org, aneesh.kumar@linux.ibm.com,
bp@alien8.de, broonie@kernel.org, catalin.marinas@arm.com,
christophe.leroy@csgroup.eu, dave.hansen@linux.intel.com,
hpa@zytor.com, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
linuxppc-dev@lists.ozlabs.org, maz@kernel.org, mingo@redhat.com,
mpe@ellerman.id.au, naveen.n.rao@linux.ibm.com,
npiggin@gmail.com, oliver.upton@linux.dev, shuah@kernel.org,
szabolcs.nagy@arm.com, tglx@linutronix.de, will@kernel.org,
x86@kernel.org, kvmarm@lists.linux.dev
Subject: Re: [PATCH v4 17/29] arm64: implement PKEYS support
Date: Thu, 25 Jul 2024 17:12:27 +0100 [thread overview]
Message-ID: <ZqJ5a5Iy85/XLGkr@e133380.arm.com> (raw)
In-Reply-To: <20240503130147.1154804-18-joey.gouly@arm.com>
On Fri, May 03, 2024 at 02:01:35PM +0100, Joey Gouly wrote:
> Implement the PKEYS interface, using the Permission Overlay Extension.
>
> Signed-off-by: Joey Gouly <joey.gouly@arm.com>
> Cc: Catalin Marinas <catalin.marinas@arm.com>
> Cc: Will Deacon <will@kernel.org>
> ---
> arch/arm64/include/asm/mmu.h | 1 +
> arch/arm64/include/asm/mmu_context.h | 51 ++++++++++++-
> arch/arm64/include/asm/pgtable.h | 22 +++++-
> arch/arm64/include/asm/pkeys.h | 110 +++++++++++++++++++++++++++
> arch/arm64/include/asm/por.h | 33 ++++++++
> arch/arm64/mm/mmu.c | 40 ++++++++++
> 6 files changed, 255 insertions(+), 2 deletions(-)
> create mode 100644 arch/arm64/include/asm/pkeys.h
> create mode 100644 arch/arm64/include/asm/por.h
[...]
> diff --git a/arch/arm64/include/asm/pkeys.h b/arch/arm64/include/asm/pkeys.h
> new file mode 100644
> index 000000000000..a284508a4d02
> --- /dev/null
> +++ b/arch/arm64/include/asm/pkeys.h
> @@ -0,0 +1,110 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Copyright (C) 2023 Arm Ltd.
> + *
> + * Based on arch/x86/include/asm/pkeys.h
> + */
> +
> +#ifndef _ASM_ARM64_PKEYS_H
> +#define _ASM_ARM64_PKEYS_H
> +
> +#define ARCH_VM_PKEY_FLAGS (VM_PKEY_BIT0 | VM_PKEY_BIT1 | VM_PKEY_BIT2)
> +
> +#define arch_max_pkey() 7
Did you mean 8 ? I'm guessing this may be the "off by one error" you
alluded to in your own reply to the cover letter, but just in case...
(x86 and powerpc seem to have booby-trapped the name of this macro for
the unwary...)
See also mm_pkey_{is_allocated,alloc}().
> +
> +int arch_set_user_pkey_access(struct task_struct *tsk, int pkey,
> + unsigned long init_val);
> +
> +static inline bool arch_pkeys_enabled(void)
> +{
> + return false;
> +}
> +
> +static inline int vma_pkey(struct vm_area_struct *vma)
> +{
> + return (vma->vm_flags & ARCH_VM_PKEY_FLAGS) >> VM_PKEY_SHIFT;
> +}
> +
> +static inline int arch_override_mprotect_pkey(struct vm_area_struct *vma,
> + int prot, int pkey)
> +{
> + if (pkey != -1)
> + return pkey;
> +
> + return vma_pkey(vma);
> +}
> +
> +static inline int execute_only_pkey(struct mm_struct *mm)
> +{
> + // Execute-only mappings are handled by EPAN/FEAT_PAN3.
> + WARN_ON_ONCE(!cpus_have_final_cap(ARM64_HAS_EPAN));
> +
> + return -1;
> +}
> +
> +#define mm_pkey_allocation_map(mm) (mm->context.pkey_allocation_map)
Pedantic nit: (mm)
although other arches have the same nit already, and it's probably low
risk given the scope and usage of these macros.
(Also, the outer parentheses are also redundant (if harmless).)
> +#define mm_set_pkey_allocated(mm, pkey) do { \
> + mm_pkey_allocation_map(mm) |= (1U << pkey); \
> +} while (0)
> +#define mm_set_pkey_free(mm, pkey) do { \
> + mm_pkey_allocation_map(mm) &= ~(1U << pkey); \
> +} while (0)
> +
> +static inline bool mm_pkey_is_allocated(struct mm_struct *mm, int pkey)
> +{
> + /*
> + * "Allocated" pkeys are those that have been returned
> + * from pkey_alloc() or pkey 0 which is allocated
> + * implicitly when the mm is created.
> + */
> + if (pkey < 0)
> + return false;
> + if (pkey >= arch_max_pkey())
> + return false;
Did you mean > ?
> +
> + return mm_pkey_allocation_map(mm) & (1U << pkey);
> +}
> +
> +/*
> + * Returns a positive, 3-bit key on success, or -1 on failure.
> + */
> +static inline int mm_pkey_alloc(struct mm_struct *mm)
> +{
> + /*
> + * Note: this is the one and only place we make sure
> + * that the pkey is valid as far as the hardware is
> + * concerned. The rest of the kernel trusts that
> + * only good, valid pkeys come out of here.
> + */
> + u8 all_pkeys_mask = ((1U << arch_max_pkey()) - 1);
Nit: redundant outer ().
Also, GENMASK() and friends might be cleaner that spelling out this
idiom explicitly (but no big deal).
(1 << 7) - 1 is 0x7f, which doesn't feel right if pkeys 0..7 are all
supposed to be valid. (See arch_max_pkey() above.)
(Also it looks mildly weird to have this before checking
arch_pkeys_enabled(), but since this is likely to be constant-folded by
the compiler, I guess it almost certainly makes no difference. It's
harmless either way.)
> + int ret;
> +
> + if (!arch_pkeys_enabled())
> + return -1;
> +
> + /*
> + * Are we out of pkeys? We must handle this specially
> + * because ffz() behavior is undefined if there are no
> + * zeros.
> + */
> + if (mm_pkey_allocation_map(mm) == all_pkeys_mask)
> + return -1;
> +
> + ret = ffz(mm_pkey_allocation_map(mm));
> +
> + mm_set_pkey_allocated(mm, ret);
> +
> + return ret;
> +}
> +
> +static inline int mm_pkey_free(struct mm_struct *mm, int pkey)
> +{
> + if (!mm_pkey_is_allocated(mm, pkey))
> + return -EINVAL;
Does anything prevent a pkey_free(0)?
I couldn't find any check related to this so far.
If not, this may be a generic problem, better solved through a wrapper
in the generic mm code.
Userspace has to have at least one PKEY allocated, since the pte field
has to be set to something... unless we turn PKEYs on or off per mm.
But the pkeys API doesn't seem to be designed that way (and it doesn't
look very useful).
> +
> + mm_set_pkey_free(mm, pkey);
> +
> + return 0;
> +}
> +
> +#endif /* _ASM_ARM64_PKEYS_H */
> diff --git a/arch/arm64/include/asm/por.h b/arch/arm64/include/asm/por.h
> new file mode 100644
> index 000000000000..d6604e0c5c54
> --- /dev/null
> +++ b/arch/arm64/include/asm/por.h
> @@ -0,0 +1,33 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +/*
> + * Copyright (C) 2023 Arm Ltd.
> + */
> +
> +#ifndef _ASM_ARM64_POR_H
> +#define _ASM_ARM64_POR_H
> +
> +#define POR_BITS_PER_PKEY 4
> +#define POR_ELx_IDX(por_elx, idx) (((por_elx) >> (idx * POR_BITS_PER_PKEY)) & 0xf)
Nit: (idx)
Since this is shared with other code in a header, it's probably best
to avoid surprises.
[...]
> diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c
> index 495b732d5af3..e50ccc86d150 100644
> --- a/arch/arm64/mm/mmu.c
> +++ b/arch/arm64/mm/mmu.c
> @@ -25,6 +25,7 @@
> #include <linux/vmalloc.h>
> #include <linux/set_memory.h>
> #include <linux/kfence.h>
> +#include <linux/pkeys.h>
>
> #include <asm/barrier.h>
> #include <asm/cputype.h>
> @@ -1535,3 +1536,42 @@ void __cpu_replace_ttbr1(pgd_t *pgdp, bool cnp)
>
> cpu_uninstall_idmap();
> }
> +
> +#ifdef CONFIG_ARCH_HAS_PKEYS
> +int arch_set_user_pkey_access(struct task_struct *tsk, int pkey, unsigned long init_val)
> +{
> + u64 new_por = POE_RXW;
> + u64 old_por;
> + u64 pkey_shift;
> +
> + if (!arch_pkeys_enabled())
> + return -ENOSPC;
> +
> + /*
> + * This code should only be called with valid 'pkey'
> + * values originating from in-kernel users. Complain
> + * if a bad value is observed.
> + */
> + if (WARN_ON_ONCE(pkey >= arch_max_pkey()))
> + return -EINVAL;
> +
> + /* Set the bits we need in POR: */
> + if (init_val & PKEY_DISABLE_ACCESS)
> + new_por = POE_X;
> + else if (init_val & PKEY_DISABLE_WRITE)
> + new_por = POE_RX;
> +
> + /* Shift the bits in to the correct place in POR for pkey: */
> + pkey_shift = pkey * POR_BITS_PER_PKEY;
> + new_por <<= pkey_shift;
> +
> + /* Get old POR and mask off any old bits in place: */
> + old_por = read_sysreg_s(SYS_POR_EL0);
> + old_por &= ~(POE_MASK << pkey_shift);
> +
> + /* Write old part along with new part: */
> + write_sysreg_s(old_por | new_por, SYS_POR_EL0);
> +
> + return 0;
> +}
> +#endif
<bikeshed>
Although this is part of the existing PKEYS support, it feels weird to
have to initialise the permissions with one interface and one set of
flags, then change the permissions using an arch-specific interface and
a different set of flags (i.e., directly writing POR_EL0) later on.
Is there any merit in defining a vDSO function for changing the flags in
userspace? This would allow userspace to use PKEYS in a generic way
without a nasty per-arch volatile asm hack.
(Maybe too late for stopping user libraries rolling their own, though.)
Since we ideally don't want to write the above flags-mungeing code
twice, there would be the option of implementing pkey_alloc() via a
vDSO wrapper on arm64 (though this might be more trouble than it is
worth).
Of course, this is all pointless if people thought that even the
overhead of a vDSO call was unacceptable for flipping the permissions
on and off. Either way, this is a potential enhancement, orthogonal to
this series...
</bikeshed>
[...]
Cheers
---Dave
next prev parent reply other threads:[~2024-07-25 16:12 UTC|newest]
Thread overview: 146+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-03 13:01 [PATCH v4 00/29] arm64: Permission Overlay Extension Joey Gouly
2024-05-03 13:01 ` [PATCH v4 01/29] powerpc/mm: add ARCH_PKEY_BITS to Kconfig Joey Gouly
2024-05-06 8:57 ` Michael Ellerman
2024-05-03 13:01 ` [PATCH v4 02/29] x86/mm: " Joey Gouly
2024-05-03 16:40 ` Dave Hansen
2024-05-03 13:01 ` [PATCH v4 03/29] mm: use ARCH_PKEY_BITS to define VM_PKEY_BITN Joey Gouly
2024-05-03 16:41 ` Dave Hansen
2024-07-15 7:53 ` Anshuman Khandual
2024-05-03 13:01 ` [PATCH v4 04/29] arm64: disable trapping of POR_EL0 to EL2 Joey Gouly
2024-07-15 7:47 ` Anshuman Khandual
2024-07-25 15:44 ` Dave Martin
2024-08-06 10:04 ` Joey Gouly
2024-05-03 13:01 ` [PATCH v4 05/29] arm64: cpufeature: add Permission Overlay Extension cpucap Joey Gouly
2024-06-21 16:58 ` Catalin Marinas
2024-06-21 17:01 ` Catalin Marinas
2024-06-21 17:02 ` Catalin Marinas
2024-07-15 7:47 ` Anshuman Khandual
2024-05-03 13:01 ` [PATCH v4 06/29] arm64: context switch POR_EL0 register Joey Gouly
2024-06-21 17:03 ` Catalin Marinas
2024-06-21 17:07 ` Catalin Marinas
2024-07-15 8:27 ` Anshuman Khandual
2024-07-16 13:21 ` Mark Brown
2024-07-18 14:16 ` Joey Gouly
2024-07-22 13:40 ` Kevin Brodsky
2024-07-25 15:46 ` Dave Martin
2024-05-03 13:01 ` [PATCH v4 07/29] KVM: arm64: Save/restore POE registers Joey Gouly
2024-05-29 15:43 ` Marc Zyngier
2024-08-16 14:55 ` Marc Zyngier
2024-08-16 15:13 ` Joey Gouly
2024-08-16 15:32 ` Marc Zyngier
2024-05-03 13:01 ` [PATCH v4 08/29] KVM: arm64: make kvm_at() take an OP_AT_* Joey Gouly
2024-05-29 15:46 ` Marc Zyngier
2024-07-15 8:36 ` Anshuman Khandual
2024-05-03 13:01 ` [PATCH v4 09/29] KVM: arm64: use `at s1e1a` for POE Joey Gouly
2024-05-29 15:50 ` Marc Zyngier
2024-07-15 8:45 ` Anshuman Khandual
2024-05-03 13:01 ` [PATCH v4 10/29] arm64: enable the Permission Overlay Extension for EL0 Joey Gouly
2024-06-21 17:04 ` Catalin Marinas
2024-07-15 9:13 ` Anshuman Khandual
2024-07-15 20:16 ` Mark Brown
2024-07-25 15:49 ` Dave Martin
2024-08-01 16:04 ` Joey Gouly
2024-08-01 16:31 ` Dave Martin
2024-05-03 13:01 ` [PATCH v4 11/29] arm64: re-order MTE VM_ flags Joey Gouly
2024-06-21 17:04 ` Catalin Marinas
2024-07-15 9:21 ` Anshuman Khandual
2024-05-03 13:01 ` [PATCH v4 12/29] arm64: add POIndex defines Joey Gouly
2024-06-21 17:05 ` Catalin Marinas
2024-07-15 9:26 ` Anshuman Khandual
2024-05-03 13:01 ` [PATCH v4 13/29] arm64: convert protection key into vm_flags and pgprot values Joey Gouly
2024-05-28 6:54 ` Amit Daniel Kachhap
2024-06-19 16:45 ` Catalin Marinas
2024-07-04 12:47 ` Joey Gouly
2024-07-08 17:22 ` Catalin Marinas
2024-07-16 9:05 ` Anshuman Khandual
2024-07-16 9:34 ` Joey Gouly
2024-07-25 15:49 ` Dave Martin
2024-08-01 10:55 ` Joey Gouly
2024-08-01 11:01 ` Dave Martin
2024-05-03 13:01 ` [PATCH v4 14/29] arm64: mask out POIndex when modifying a PTE Joey Gouly
2024-07-16 9:10 ` Anshuman Khandual
2024-05-03 13:01 ` [PATCH v4 15/29] arm64: handle PKEY/POE faults Joey Gouly
2024-06-21 16:57 ` Catalin Marinas
2024-07-09 13:03 ` Kevin Brodsky
2024-07-16 10:13 ` Anshuman Khandual
2024-07-25 15:57 ` Dave Martin
2024-08-01 16:01 ` Joey Gouly
2024-08-06 13:33 ` Dave Martin
2024-08-06 13:43 ` Joey Gouly
2024-08-06 14:38 ` Dave Martin
2024-05-03 13:01 ` [PATCH v4 16/29] arm64: add pte_access_permitted_no_overlay() Joey Gouly
2024-06-21 17:15 ` Catalin Marinas
2024-07-16 10:21 ` Anshuman Khandual
2024-05-03 13:01 ` [PATCH v4 17/29] arm64: implement PKEYS support Joey Gouly
2024-05-28 6:55 ` Amit Daniel Kachhap
2024-05-28 11:26 ` Joey Gouly
2024-05-31 14:57 ` Szabolcs Nagy
2024-05-31 15:21 ` Joey Gouly
2024-05-31 16:27 ` Szabolcs Nagy
2024-06-17 13:40 ` Florian Weimer
2024-06-17 14:51 ` Szabolcs Nagy
2024-07-08 17:53 ` Catalin Marinas
2024-07-09 8:32 ` Szabolcs Nagy
2024-07-09 8:52 ` Florian Weimer
2024-07-11 9:50 ` Joey Gouly
2024-07-18 14:45 ` Szabolcs Nagy
2024-07-05 16:59 ` Catalin Marinas
2024-07-22 13:39 ` Kevin Brodsky
2024-07-09 13:07 ` Kevin Brodsky
2024-07-16 11:40 ` Anshuman Khandual
2024-07-23 4:22 ` Anshuman Khandual
2024-07-25 16:12 ` Dave Martin [this message]
2024-05-03 13:01 ` [PATCH v4 18/29] arm64: add POE signal support Joey Gouly
2024-05-28 6:56 ` Amit Daniel Kachhap
2024-05-31 16:39 ` Mark Brown
2024-06-03 9:21 ` Amit Daniel Kachhap
2024-07-25 15:58 ` Dave Martin
2024-07-25 18:11 ` Mark Brown
2024-07-26 16:14 ` Dave Martin
2024-07-26 17:39 ` Mark Brown
2024-07-29 14:27 ` Dave Martin
2024-07-29 14:41 ` Mark Brown
2024-07-05 17:04 ` Catalin Marinas
2024-07-09 13:08 ` Kevin Brodsky
2024-07-22 9:16 ` Anshuman Khandual
2024-07-25 16:00 ` Dave Martin
2024-08-01 15:54 ` Joey Gouly
2024-08-01 16:22 ` Dave Martin
2024-08-06 10:35 ` Joey Gouly
2024-08-06 14:31 ` Joey Gouly
2024-08-06 15:00 ` Dave Martin
2024-08-14 15:03 ` Catalin Marinas
2024-08-15 13:18 ` Joey Gouly
2024-08-15 15:09 ` Dave Martin
2024-08-15 15:24 ` Mark Brown
2024-08-19 17:09 ` Catalin Marinas
2024-08-20 9:54 ` Joey Gouly
2024-08-20 13:54 ` Dave Martin
2024-08-20 14:06 ` Joey Gouly
2024-08-20 14:45 ` Dave Martin
2024-05-03 13:01 ` [PATCH v4 19/29] arm64: enable PKEY support for CPUs with S1POE Joey Gouly
2024-07-16 10:47 ` Anshuman Khandual
2024-07-25 15:48 ` Dave Martin
2024-07-25 16:00 ` Dave Martin
2024-05-03 13:01 ` [PATCH v4 20/29] arm64: enable POE and PIE to coexist Joey Gouly
2024-06-21 17:16 ` Catalin Marinas
2024-07-16 10:41 ` Anshuman Khandual
2024-07-16 13:46 ` Joey Gouly
2024-05-03 13:01 ` [PATCH v4 21/29] arm64/ptrace: add support for FEAT_POE Joey Gouly
2024-07-16 10:35 ` Anshuman Khandual
2024-05-03 13:01 ` [PATCH v4 22/29] arm64: add Permission Overlay Extension Kconfig Joey Gouly
2024-07-05 17:05 ` Catalin Marinas
2024-07-09 13:08 ` Kevin Brodsky
2024-07-16 11:02 ` Anshuman Khandual
2024-05-03 13:01 ` [PATCH v4 23/29] kselftest/arm64: move get_header() Joey Gouly
2024-05-03 13:01 ` [PATCH v4 24/29] selftests: mm: move fpregs printing Joey Gouly
2024-05-03 13:01 ` [PATCH v4 25/29] selftests: mm: make protection_keys test work on arm64 Joey Gouly
2024-05-03 13:01 ` [PATCH v4 26/29] kselftest/arm64: add HWCAP test for FEAT_S1POE Joey Gouly
2024-05-03 13:01 ` [PATCH v4 27/29] kselftest/arm64: parse POE_MAGIC in a signal frame Joey Gouly
2024-05-03 13:01 ` [PATCH v4 28/29] kselftest/arm64: Add test case for POR_EL0 signal frame records Joey Gouly
2024-05-29 15:51 ` Mark Brown
2024-07-05 19:34 ` Shuah Khan
2024-07-09 13:10 ` Kevin Brodsky
2024-05-03 13:01 ` [PATCH v4 29/29] KVM: selftests: get-reg-list: add Permission Overlay registers Joey Gouly
2024-05-05 14:41 ` [PATCH v4 00/29] arm64: Permission Overlay Extension Mark Brown
2024-05-28 11:30 ` Joey Gouly
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZqJ5a5Iy85/XLGkr@e133380.arm.com \
--to=dave.martin@arm.com \
--cc=akpm@linux-foundation.org \
--cc=aneesh.kumar@kernel.org \
--cc=aneesh.kumar@linux.ibm.com \
--cc=bp@alien8.de \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=christophe.leroy@csgroup.eu \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=joey.gouly@arm.com \
--cc=kvmarm@lists.linux.dev \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=maz@kernel.org \
--cc=mingo@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=naveen.n.rao@linux.ibm.com \
--cc=npiggin@gmail.com \
--cc=oliver.upton@linux.dev \
--cc=shuah@kernel.org \
--cc=szabolcs.nagy@arm.com \
--cc=tglx@linutronix.de \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox