Re: [PATCH v4 0/4] Application Data Integrity feature introduced by SPARC M7

From: Khalid Aziz
Date: Thu Jan 12 2017 - 11:51:43 EST

Next message: Ulf Hansson: "Re: eMMC boot problem: switch to bus width 8 ddr failed"
Previous message: Laxman Dewangan: "Re: [PATCH] power: reset: Add MAX77620 support"
In reply to: Dave Hansen: "Re: [PATCH v4 0/4] Application Data Integrity feature introduced by SPARC M7"
Next in thread: Dave Hansen: "Re: [PATCH v4 0/4] Application Data Integrity feature introduced by SPARC M7"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 01/11/2017 05:49 PM, Dave Hansen wrote:

On 01/11/2017 04:22 PM, Khalid Aziz wrote:
...

All of the tag coordination can happen in userspace. Once a process sets
a tag on a physical page mapped in its address space, another process
that has mapped the same physical page in its address space can only set
the tag to exact same value. Attempts to set a different tag are caught
by memory controller and result in MCD trap and kernel sends SIGSEGV to
the process trying to set a different tag.

Again, I don't think these semantics will work for anything other than
explicitly shared memory. This behavior ensures that it is *entirely*
unsafe to use ADI on any data that any process you do not control might
be able to mmap(). That's a *HUGE* caveat for the feature and can't
imagine ever seeing this get merged without addressing it.

I think it's fairly simple to address, though a bit expensive. First,
you can't allow the VMA bit to get set on non-writable mappings.
Second, you'll have to force COW to occur on read-only pages in writable
mappings before the PTE bit can get set. I think you can probably even
do this in the faults that presumably occur when you try to set ADI tags
on memory mapped with non-ADI PTEs.

Hi Dave,

You have brought up an interesting scenario with COW pages. I had started out with the following policies regarding ADI that made sense:

1. New data pages do not get full ADI protection by default, i.e. TTE.mcd is not set and tags are not set on the new pages. A task that creates a new data page must make decision to protect these new pages or not.

2. Any shared page that has ADI protection enabled on it, must stay ADI protected across all processes sharing it.

COW creates an intersection of the two. It creates a new copy of the shared data. It is a new data page and hence the process creating it must be the one responsible for enabling ADI protection on it. It is also a copy of what was ADI protected data, so should it inherit the protection instead?

I misspoke earlier. I had misinterpreted the results of test I ran. Changing the tag on shared memory is allowed by memory controller. The requirement is every one sharing the page must switch to the new tag or else they get SIGSEGV.

I am inclined to suggest we copy the tags to the new data page on COW and that will continue to enforce ADI on the COW'd pages even though COW'd pages are new data pages. This is the logically consistent behavior. Does that make sense?

Thanks,
Khalid

Next message: Ulf Hansson: "Re: eMMC boot problem: switch to bus width 8 ddr failed"
Previous message: Laxman Dewangan: "Re: [PATCH] power: reset: Add MAX77620 support"
In reply to: Dave Hansen: "Re: [PATCH v4 0/4] Application Data Integrity feature introduced by SPARC M7"
Next in thread: Dave Hansen: "Re: [PATCH v4 0/4] Application Data Integrity feature introduced by SPARC M7"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]