[PATCH V9 30/45] mm/pkeys: Introduce pks_update_exception()

From: ira . weiny
Date: Thu Mar 10 2022 - 12:22:46 EST

Next message: ira . weiny: "[PATCH V9 11/45] x86/pkeys: Enable PKS on cpus which support it"
Previous message: ira . weiny: "[PATCH V9 27/45] x86/pkeys: Preserve PKRS MSR across exceptions"
In reply to: ira . weiny: "[PATCH V9 27/45] x86/pkeys: Preserve PKRS MSR across exceptions"
Next in thread: ira . weiny: "[PATCH V9 11/45] x86/pkeys: Enable PKS on cpus which support it"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ira Weiny <ira.weiny@xxxxxxxxx>

Some PKS use cases will want to catch permissions violations with the
fault callback mechanism and optionally allow the access.

The pks_set_*() calls update the protection of the current running
context. They will not work to change the protections of a thread which
has been interrupted. Therefore updating a thread from within an
exception requires a different method.

Introduce pks_update_exception() which updates the faulted threads
protections in addition to the current context.

Add documentation

Signed-off-by: Ira Weiny <ira.weiny@xxxxxxxxx>

---
Changes for V9
Add preemption disable around pkrs per cpu cache
Update commit message
Change pkey type to u8
s/pks_saved_pkrs/pkrs

Changes for V8
Remove the concept of abandoning a pkey in favor of using the
custom fault handler via this new pks_update_exception()
call
Without an abandon call there is no need for an abandon mask on
sched in, new thread creation, or within exceptions...
This now lets all invalid access' fault
Ensure that all entry points into the pks has feature checks...
Place abandon fault check before the test callback to ensure
testing does not detect the double fault of the abandon
code and flag it incorrectly as a fault.
Change return type of pks_handle_abandoned_pkeys() to bool
---
Documentation/core-api/protection-keys.rst | 3 ++
arch/x86/mm/pkeys.c | 58 +++++++++++++++++++---
include/linux/pks.h | 5 ++
3 files changed, 58 insertions(+), 8 deletions(-)

diff --git a/Documentation/core-api/protection-keys.rst b/Documentation/core-api/protection-keys.rst
index 5fdc83a39d4e..22ad58a93423 100644
--- a/Documentation/core-api/protection-keys.rst
+++ b/Documentation/core-api/protection-keys.rst
@@ -149,6 +149,9 @@ Changing permissions of individual keys
.. kernel-doc:: include/linux/pks.h
:identifiers: pks_set_readwrite pks_set_noaccess

+.. kernel-doc:: arch/x86/mm/pkeys.c
+ :identifiers: pks_update_exception
+
Overriding Default Fault Behavior
---------------------------------

diff --git a/arch/x86/mm/pkeys.c b/arch/x86/mm/pkeys.c
index 6327e32d7237..9b2a6a62d433 100644
--- a/arch/x86/mm/pkeys.c
+++ b/arch/x86/mm/pkeys.c
@@ -409,6 +409,18 @@ void pks_setup(void)
cr4_set_bits(X86_CR4_PKS);
}

+static void __pks_update_protection(u8 pkey, u8 protection)
+{
+ u32 pkrs;
+
+ pkrs = current->thread.pkrs;
+ current->thread.pkrs = pkey_update_pkval(pkrs, pkey, protection);
+
+ preempt_disable();
+ pks_write_pkrs(current->thread.pkrs);
+ preempt_enable();
+}
+
/*
* Do not call this directly, see pks_set*().
*
@@ -422,21 +434,51 @@ void pks_setup(void)
*/
void pks_update_protection(u8 pkey, u8 protection)
{
- u32 pkrs;
-
if (!cpu_feature_enabled(X86_FEATURE_PKS))
return;

if (WARN_ON_ONCE(pkey >= PKS_KEY_MAX))
return;

- pkrs = current->thread.pkrs;
- current->thread.pkrs = pkey_update_pkval(pkrs, pkey,
- protection);
- preempt_disable();
- pks_write_pkrs(current->thread.pkrs);
- preempt_enable();
+ __pks_update_protection(pkey, protection);
}
EXPORT_SYMBOL_GPL(pks_update_protection);

+/**
+ * pks_update_exception() - Update the protections of a faulted thread
+ *
+ * @regs: Faulting thread registers
+ * @pkey: pkey to update
+ * @protection: protection bits to use.
+ *
+ * CONTEXT: Exception
+ *
+ * pks_update_exception() updates the faulted threads protections in addition
+ * to the protections within the exception.
+ *
+ * This is useful because the pks_set_*() functions will not work to change the
+ * protections of a thread which has been interrupted. Only the current
+ * context is updated by those functions. Therefore, if a PKS fault callback
+ * wants to update the faulted threads protections it must call
+ * pks_update_exception().
+ */
+void pks_update_exception(struct pt_regs *regs, u8 pkey, u8 protection)
+{
+ struct pt_regs_extended *ept_regs;
+ u32 old;
+
+ if (!cpu_feature_enabled(X86_FEATURE_PKS))
+ return;
+
+ if (WARN_ON_ONCE(pkey >= PKS_KEY_MAX))
+ return;
+
+ __pks_update_protection(pkey, protection);
+
+ ept_regs = to_extended_pt_regs(regs);
+ old = ept_regs->aux.pkrs;
+ ept_regs->aux.pkrs = pkey_update_pkval(old, pkey, protection);
+}
+EXPORT_SYMBOL_GPL(pks_update_exception);
+
#endif /* CONFIG_ARCH_ENABLE_SUPERVISOR_PKEYS */
diff --git a/include/linux/pks.h b/include/linux/pks.h
index 224fc3bbd072..45156f358776 100644
--- a/include/linux/pks.h
+++ b/include/linux/pks.h
@@ -9,6 +9,7 @@
#include <uapi/asm-generic/mman-common.h>

void pks_update_protection(u8 pkey, u8 protection);
+void pks_update_exception(struct pt_regs *regs, u8 pkey, u8 protection);

/**
* pks_set_noaccess() - Disable all access to the domain
@@ -41,6 +42,10 @@ typedef bool (*pks_key_callback)(struct pt_regs *regs, unsigned long address,

static inline void pks_set_noaccess(u8 pkey) {}
static inline void pks_set_readwrite(u8 pkey) {}
+static inline void pks_update_exception(struct pt_regs *regs,
+ u8 pkey,
+ u8 protection)
+{ }

#endif /* CONFIG_ARCH_ENABLE_SUPERVISOR_PKEYS */

--
2.35.1

Next message: ira . weiny: "[PATCH V9 11/45] x86/pkeys: Enable PKS on cpus which support it"
Previous message: ira . weiny: "[PATCH V9 27/45] x86/pkeys: Preserve PKRS MSR across exceptions"
In reply to: ira . weiny: "[PATCH V9 27/45] x86/pkeys: Preserve PKRS MSR across exceptions"
Next in thread: ira . weiny: "[PATCH V9 11/45] x86/pkeys: Enable PKS on cpus which support it"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]