Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751437AbbEGULe (ORCPT <rfc822;w@1wt.eu>);
	Thu, 7 May 2015 16:11:34 -0400
Received: from 251.110.2.81.in-addr.arpa ([81.2.110.251]:44963 "EHLO
	lxorguk.ukuu.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751061AbbEGULd (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Thu, 7 May 2015 16:11:33 -0400
Date: Thu, 7 May 2015 21:11:18 +0100
From: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>
To: Ingo Molnar <mingo@kernel.org>
Cc: Dave Hansen <dave@sr71.net>, linux-kernel@vger.kernel.org, x86@kernel.org
Subject: Re: [PATCH 00/12] [RFC] x86: Memory Protection Keys
Message-ID: <20150507211118.5f765fc6@lxorguk.ukuu.org.uk>
In-Reply-To: <20150507192619.GA23338@gmail.com>
References: <20150507174132.34AF8FAF@viggo.jf.intel.com>
	<20150507175707.GA22172@gmail.com>
	<554BAA68.6000508@sr71.net>
	<20150507201843.0ccf0938@lxorguk.ukuu.org.uk>
	<20150507192619.GA23338@gmail.com>
Organization: Intel Corporation
X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.27; x86_64-redhat-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2345
Lines: 61

On Thu, 7 May 2015 21:26:20 +0200
Ingo Molnar <mingo@kernel.org> wrote:

> 
> * One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk> wrote:
> 
> > > We could keep heap metadata as R/O and only make it R/W inside of 
> > > malloc() itself to catch corruption more quickly.
> > 
> > If you implement multiple malloc pools you can chop up lots of 
> > stuff.
> 
> I'd say that a 64-bit address space is large enough to hide buffers in 
> from accidental corruption, without any runtime page protection 
> flipping overhead?

I'd say no. And from actual real world demand for PK the answer is also
no. It's already a problem with very large data sets. Worse still in many
cases its a problem that nobody is actually measuring or doing much about
(because mprotect on many gigabytes of data is expensive).

> > In library land it isn't just stuff like malloc, you can use it as a 
> > debug weapon to protect library private data from naughty 
> > application code.
> > 
> > There are some other debug uses when catching faults - fast ways to 
> > do range access breakpoints for example.
> 
> I think libraries are happy enough to work without bugs - apps digging 
> around in library data are in a "you keep all the broken pieces" 
> situation, why would a library want to slow down every good citizen 
> down with extra protection flipping/unflipping accesses?

For debugging, when the library maintained data is sensitive or
something you don't want corupted, or because the user puts security
first. Protection keys are an awful lot faster than mprotect. You've got
no synchronization and shootdowns to do just a CPU register to load to
indicate which mask of keys you are happy with. That really changes what
it is useful for, because it's cheap. It means you can happily do stuff
like

	while(data_blocks) {
		allow_key_and_source_access();
		do_crypto_func();
		revoke_key_and_source_access();
		do_network_io();  /* Can't accidentally leak keys or
					input */
	}


> Also, will apps/libraries bother if it's not a standard API and if it 
> only runs on very fresh CPUs?

In time I think yes.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/