Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752016AbbEGSsr (ORCPT ); Thu, 7 May 2015 14:48:47 -0400 Received: from cantor2.suse.de ([195.135.220.15]:42430 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751096AbbEGSsn (ORCPT ); Thu, 7 May 2015 14:48:43 -0400 Message-ID: <554BB36E.2080803@suse.cz> Date: Thu, 07 May 2015 20:48:14 +0200 From: Vlastimil Babka User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0 MIME-Version: 1.0 To: Dave Hansen , Ingo Molnar CC: linux-kernel@vger.kernel.org, x86@kernel.org Subject: Re: [PATCH 00/12] [RFC] x86: Memory Protection Keys References: <20150507174132.34AF8FAF@viggo.jf.intel.com> <20150507175707.GA22172@gmail.com> <554BAA68.6000508@sr71.net> In-Reply-To: <554BAA68.6000508@sr71.net> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2586 Lines: 56 On 05/07/2015 08:09 PM, Dave Hansen wrote: > On 05/07/2015 10:57 AM, Ingo Molnar wrote: >>>> There are two new instructions (RDPKRU/WRPKRU) for reading and >>>> writing to the new register. The feature is only available in >>>> 64-bit mode, even though there is theoretically space in the PAE >>>> PTEs. These permissions are enforced on data access only and have >>>> no effect on instruction fetches. >> So I'm wondering what the primary usecases are for this feature? >> Could you outline applications/workloads/libraries that would >> benefit from this? > > There are lots of things that folks would _like_ to mprotect(), but end > up not being feasible because of the overhead of going and mucking with > thousands of PTEs and shooting down remote TLBs every time you want to > change protections. > > Data structures like logs or journals that are only written to in very > limited code paths, but that you want to protect from "stray" writes. > > Maybe even a database where a query operation will never need to write > to memory, but an insert would. You could keep the data R/O during the > entire operation except when an insert is actually in progress. It > narrows the window where data might be corrupted. This becomes even > more valuable if a stray write to memory is guaranteed to hit storage... > like with persistent memory. > > Someone mentioned to me that valgrind does lots of mprotect()s and might > benefit from this. > > We could keep heap metadata as R/O and only make it R/W inside of > malloc() itself to catch corruption more quickly. But that metadata is typically within the same page as the data itself (for small objects at least), no? > More crazy ideas welcome. :) Since you asked :) I wonder if the usefulness could be extended by making it possible for a thread to revoke its access to WRPKRU (it's not privileged, right?). Then I could imagine some extra security for sandbox/bytecode/JIT code so it doesn't interfere with the runtime. But since it doesn't block instruction fetches, then maybe it wouldn't make much difference... > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/