Subject: Re: Rethinking sigcontext's xfeatures slightly for PKRU's benefit?
To: Andy Lutomirski <luto@amacapital.net>,
        Linus Torvalds <torvalds@linux-foundation.org>
References: <CALCETrVw2V+Ny7=D=_E2m0Qa_v7Bp8GUjhyDXx_bWC35R2ohjg@mail.gmail.com>
 <5673750B.606@linux.intel.com>
 <CALCETrWMofAX8TbZNyPaCWUHqcE85wpehDR05irEPtTYiVMXRA@mail.gmail.com>
 <FEA53E3B-6AE2-4305-82B1-C57451B6E33E@zytor.com>
 <CALCETrU28FoOwR+n8U0Qtt20=ZW6rgc3=M8X4G0QMt1_ZVHY7Q@mail.gmail.com>
 <567453AF.5060808@linux.intel.com>
 <CALCETrU7TnbLSzOuGNmh=xDpa5W729RJSPdap2izXxagfg-biQ@mail.gmail.com>
 <56746774.8000707@linux.intel.com>
 <CA+55aFycMWxCVY1p8n_D8nGz7Ky35uAmZMWm=zE5LBsqModiBg@mail.gmail.com>
 <CALCETrVWgFPTap_DNzP5vnrtyr7jjMwFHyRy=iY0amHrQ_euwg@mail.gmail.com>
 <CA+55aFz9XdUP0BQXuq7UuZT1ke-+JVThs-bssMi2sV2xLubHVg@mail.gmail.com>
 <567476CC.8080805@linux.intel.com>
 <CA+55aFyVJF48-QwZBD++1u8CB7EYrO1rMnwsZFW4rTBFoNXSZw@mail.gmail.com>
 <CALCETrVj51q3=AkP2PGFOKPqv0CxukbUEhvv0n6+XT+OngJK2Q@mail.gmail.com>
 <CA+55aFwU7cjSTB3Yk7S1Bcfo244WS9cm==WXZZcN3ZAs+J2jug@mail.gmail.com>
 <CALCETrUGEwZAL8oO8956z9CY_CLg1Bt07KnU-7WhjukK6H0dXg@mail.gmail.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>, Oleg Nesterov <oleg@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@kernel.org>,
        Borislav Petkov <bp@alien8.de>, Brian Gerst <brgerst@gmail.com>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Christoph Hellwig <hch@lst.de>
From: Dave Hansen <dave.hansen@linux.intel.com>
Message-ID: <5678310D.2010104@linux.intel.com>
Date: Mon, 21 Dec 2015 09:04:13 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <CALCETrUGEwZAL8oO8956z9CY_CLg1Bt07KnU-7WhjukK6H0dXg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1747
Lines: 40

On 12/18/2015 03:16 PM, Andy Lutomirski wrote:
> Hrm.  We might also want an option to change pkru and/or baseline_pkru
> in all threads in the current mm.  That's optional but it could be
> handy.  Maybe it would be as simple as having the allocate-a-pkey call
> have an option to set an initial baseline value and an option to
> propagate that initial value to pre-existing threads.

Do you mean actively going in and changing PKRU in other threads?  I
fear that will be dangerous.

IMNHO, whatever we do, I think we need to ensure that _raw_ PKRU calls
are allowed (somehow).  Raw in this case would mean a thread calling
WRPKRU without a system call and without checking in with what any other
threads are doing.

Let's say baseline_pkru=0x004 (we're access-disabling PKEY[1] and using
it for execute-only).  Now, a thread is trying to do this:

	pkey2 = sys_pkey_alloc(); // now pkey2=2
	tmp = rdpkru(); // 0x004
	tmp |= 0x10; // set PKRU[2].AD=1
	wrpkru(tmp);

While another thread does:

	pkey4 = pkey_alloc(); // pkey4=4
	sys_pkey_set(pkey4, ACCESS_DISABLE, SET_BASELINE_ALL_THREADS);

Without some kind of locking, that's going to race.  We could do all the
locking in the kernel, but that requires that the kernel do all the PKRU
writing, which I'd really like to avoid.

I think the closest we can get reasonably is to have the kernel track
the baseline_pkru and then allow userspace to query it in case userspace
decides that thread needs to update its thread-local PKRU from the baseline.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/