Received: by 10.213.65.68 with SMTP id h4csp915403imn;
        Fri, 6 Apr 2018 11:05:34 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4+QIjHofMx2ooGJix+APW1oxh6SLEjjCyYEoyXLvk+orN3F1efgQeTk2lgOyE7cPJXW6JMC
X-Received: by 2002:a17:902:3381:: with SMTP id b1-v6mr28359404plc.214.1523037934194;
        Fri, 06 Apr 2018 11:05:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1523037934; cv=none;
        d=google.com; s=arc-20160816;
        b=g6pl2w+NG89Qnn4kqF2t8Ie2OCxa3SM9AZINmiyWcaptyWeDKkzXbxj8o9BcocO6xG
         BZqGm73AjcNofWOKD0w8RPYrerE3OdywWAU9sjjEQb3yp7PElMtgZ6gOGCicNmUFW/rj
         yxwodKLoDLqC5Hf/zNRYGfWKtOi+HnXtyKvHy8/1VXNa09D6KWuFNQThQmyixpf6PTlM
         rOWY09FXUV6JL13MnWIHvZkX1Xh6daw+Y7NEnRrOQ4Gb6vtzrZ884YTVyJASpIQjPBAs
         HuufJoUpifT285bwuAPOKwN936QM60HfsaspaDVxi00KPR4vqPoqjT9IJArT20J0+6uN
         7NQQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:user-agent:in-reply-to
         :content-disposition:mime-version:references:reply-to:subject:cc:to
         :from:date:arc-authentication-results;
        bh=fPo6xTYGn1Ok+e7i7S9eWoW/xX8tBfZtFpsMecbr1lc=;
        b=BPoLnCq8kMkGwcnA+jrLRkKRBBH0uyQkbhOaPxNfvEsvjnnglViDuuOzlcsZSl/dr3
         TRZYwTcQNjdpMOao0VEZCNBP0Z7miV7IR4xYXQGBYAXUAIOmnIIeCMpvdTAd2juKxYSF
         +NMi1I6uoKNDteOk2DLj1hTNlsIKpRjPGXnSO3y7jTXfD56Ymv0yYayvicNMgkUggtgO
         rz6mFGOh/WevCn0fHXBxFiGM/ykQn1v0iIXfGcIIWHZC0C8dScDYPwK08kP2lm9Me/Xc
         FOY0CjP+qfaept4FnP9wEGLql280KastDVnUBA0MgZjR7h9KPr4otwLvoP4u5a2ayZQz
         nHEw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id z2si1841274pgo.567.2018.04.06.11.04.55;
        Fri, 06 Apr 2018 11:05:34 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751413AbeDFSBm (ORCPT <rfc822;tuxbino@gmail.com> + 99 others);
        Fri, 6 Apr 2018 14:01:42 -0400
Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:57336 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1750807AbeDFSBk (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 6 Apr 2018 14:01:40 -0400
Received: from pps.filterd (m0098399.ppops.net [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w36I0FVK098448
        for <linux-kernel@vger.kernel.org>; Fri, 6 Apr 2018 14:01:40 -0400
Received: from e06smtp11.uk.ibm.com (e06smtp11.uk.ibm.com [195.75.94.107])
        by mx0a-001b2d01.pphosted.com with ESMTP id 2h6bxc4kbf-1
        (version=TLSv1.2 cipher=AES256-SHA256 bits=256 verify=NOT)
        for <linux-kernel@vger.kernel.org>; Fri, 06 Apr 2018 14:01:40 -0400
Received: from localhost
        by e06smtp11.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted
        for <linux-kernel@vger.kernel.org> from <linuxram@us.ibm.com>;
        Fri, 6 Apr 2018 19:01:37 +0100
Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195)
        by e06smtp11.uk.ibm.com (192.168.101.141) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;
        Fri, 6 Apr 2018 19:01:33 +0100
Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59])
        by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w36I1WJr9437564;
        Fri, 6 Apr 2018 18:01:32 GMT
Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 4B10DA405F;
        Fri,  6 Apr 2018 18:53:56 +0100 (BST)
Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 871B4A4055;
        Fri,  6 Apr 2018 18:53:53 +0100 (BST)
Received: from ram.oc3035372033.ibm.com (unknown [9.80.237.168])
        by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTPS;
        Fri,  6 Apr 2018 18:53:53 +0100 (BST)
Date:   Fri, 6 Apr 2018 11:01:27 -0700
From:   Ram Pai <linuxram@us.ibm.com>
To:     Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Cc:     mpe@ellerman.id.au, mingo@redhat.com, akpm@linux-foundation.org,
        fweimer@redhat.com, shuah@kernel.org, msuchanek@suse.com,
        linux-kernel@vger.kernel.org, mhocko@kernel.org,
        dave.hansen@intel.com, paulus@samba.org,
        aneesh.kumar@linux.vnet.ibm.com, tglx@linutronix.de,
        linuxppc-dev@lists.ozlabs.org
Subject: Re: [PATCH v2] powerpc, pkey: make protection key 0 less special
Reply-To: Ram Pai <linuxram@us.ibm.com>
References: <1522112702-27853-1-git-send-email-linuxram@us.ibm.com>
 <876056645u.fsf@morokweng.localdomain>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <876056645u.fsf@morokweng.localdomain>
User-Agent: Mutt/1.5.20 (2009-12-10)
X-TM-AS-GCONF: 00
x-cbid: 18040618-0040-0000-0000-0000044A9AE9
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 18040618-0041-0000-0000-000020EEB71F
Message-Id: <20180406180126.GJ5743@ram.oc3035372033.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-04-06_09:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501
 malwarescore=0 suspectscore=2 phishscore=0 bulkscore=0 spamscore=0
 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000
 definitions=main-1804060181
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Apr 04, 2018 at 06:41:01PM -0300, Thiago Jung Bauermann wrote:
> 
> Hello Ram,
> 
> Ram Pai <linuxram@us.ibm.com> writes:
> 
> > Applications need the ability to associate an address-range with some
> > key and latter revert to its initial default key. Pkey-0 comes close to
> > providing this function but falls short, because the current
> > implementation disallows applications to explicitly associate pkey-0 to
> > the address range.
> >
> > Lets make pkey-0 less special and treat it almost like any other key.
> > Thus it can be explicitly associated with any address range, and can be
> > freed. This gives the application more flexibility and power.  The
> > ability to free pkey-0 must be used responsibily, since pkey-0 is
> > associated with almost all address-range by default.
> >
> > Even with this change pkey-0 continues to be slightly more special
> > from the following point of view.
> > (a) it is implicitly allocated.
> > (b) it is the default key assigned to any address-range.
> 
> It's also special in more ways (and if intentional, these should be part
> of the commit message as well):
> 
> (c) it's not possible to change permissions for key 0
> 
>   This has two causes: this patch explicitly forbids it in
>   arch_set_user_pkey_access(), and also because even if it's allocated,
>   the bits for key 0 in AMOR and UAMOR aren't set.

Yes. will have to capture that one aswell.

we cannot let userspace change permissions on key 0 because
doing so will hurt the kernel too. Unlike x86 where keys are effective
only in userspace, powerpc keys are effective even in the kernel.
So if the kernel tries to access something, it will get stuck forever.
Almost everything in the kernel is associated with key-0.

I ran a small test program which disabled access on key 0 from
userspace, and as expected ran into softlockups. It certainly
can lead to denial-of-service-attack. We can let apps
shoot-itself-in-its-foot but if the shot hurts someone else, we will
have to stop it.

The key-semantics discussed with the x86 folks did not 
explicitly say anything about changing permissions on key-0. We will
have to keep that part of the semantics open-ended.

> 
> (d) it can be freed, but can't be allocated again later.
> 
>   This is because mm_pkey_alloc() only calls __arch_activate_pkey(ret)
>   if ret > 0.
> 
> It looks like (d) is a bug. Either mm_pkey_free() should fail with key
> 0, or mm_pkey_alloc() should work with it.

Well, it can be allocated, just that we do not let userspace change the
permissions on the key.  __arch_activate_pkey(ret) does not get called
for pkey-0.


> 
> (c) could be a measure to prevent users from shooting themselves in
> their feet. But if that is the case, then mm_pkey_free() should forbid
> freeing key 0 too.
> 
> > Tested on powerpc.
> >
> > cc: Thomas Gleixner <tglx@linutronix.de>
> > cc: Dave Hansen <dave.hansen@intel.com>
> > cc: Michael Ellermen <mpe@ellerman.id.au>
> > cc: Ingo Molnar <mingo@kernel.org>
> > cc: Andrew Morton <akpm@linux-foundation.org>
> > Signed-off-by: Ram Pai <linuxram@us.ibm.com>
> > ---
> > History:
> > 	v2: mm_pkey_is_allocated() continued to treat pkey-0 special.
> > 	    fixed it.
> >
> >  arch/powerpc/include/asm/pkeys.h | 20 ++++++++++++++++----
> >  arch/powerpc/mm/pkeys.c          | 20 ++++++++++++--------
> >  2 files changed, 28 insertions(+), 12 deletions(-)
> >
> > diff --git a/arch/powerpc/include/asm/pkeys.h b/arch/powerpc/include/asm/pkeys.h
> > index 0409c80..b598fa9 100644
> > --- a/arch/powerpc/include/asm/pkeys.h
> > +++ b/arch/powerpc/include/asm/pkeys.h
> > @@ -101,10 +101,14 @@ static inline u16 pte_to_pkey_bits(u64 pteflags)
> >
> >  static inline bool mm_pkey_is_allocated(struct mm_struct *mm, int pkey)
> >  {
> > -	/* A reserved key is never considered as 'explicitly allocated' */
> > -	return ((pkey < arch_max_pkey()) &&
> > -		!__mm_pkey_is_reserved(pkey) &&
> > -		__mm_pkey_is_allocated(mm, pkey));
> > +	if (pkey < 0 || pkey >= arch_max_pkey())
> > +		return false;
> > +
> > +	/* Reserved keys are never allocated. */
> > +	if (__mm_pkey_is_reserved(pkey))
> > +		return false;
> > +
> > +	return __mm_pkey_is_allocated(mm, pkey);
> >  }
> >
> >  extern void __arch_activate_pkey(int pkey);
> > @@ -200,6 +204,14 @@ static inline int arch_set_user_pkey_access(struct task_struct *tsk, int pkey,
> >  {
> >  	if (static_branch_likely(&pkey_disabled))
> >  		return -EINVAL;
> > +
> > +	/*
> > +	 * userspace is discouraged from changing permissions of
> > +	 * pkey-0.
> 
> They're not discouraged. They're not allowed to. :-)

ok :-)

> 
> > +	 * powerpc hardware does not support it anyway.
> 
> It doesn't? I don't get that impression from reading the ISA, but
> perhaps I'm missing something.

Good Catch. I am wrongly blaming it on powerpc hardware.
Its a semantics enforced by our pkey code to block DOS attacks.

> 
> > +	 */
> > +	if (!pkey)
> > +		return init_val ? -EINVAL : 0;
> > +
> >  	return __arch_set_user_pkey_access(tsk, pkey, init_val);
> >  }
> >
> > diff --git a/arch/powerpc/mm/pkeys.c b/arch/powerpc/mm/pkeys.c
> > index ba71c54..e7a9e34 100644
> > --- a/arch/powerpc/mm/pkeys.c
> > +++ b/arch/powerpc/mm/pkeys.c
> > @@ -119,19 +119,21 @@ int pkey_initialize(void)
> >  #else
> >  	os_reserved = 0;
> >  #endif
> > -	/*
> > -	 * Bits are in LE format. NOTE: 1, 0 are reserved.
> > -	 * key 0 is the default key, which allows read/write/execute.
> > -	 * key 1 is recommended not to be used. PowerISA(3.0) page 1015,
> > -	 * programming note.
> > -	 */
> > +	/* Bits are in LE format. */
> >  	initial_allocation_mask = ~0x0;
> >
> >  	/* register mask is in BE format */
> >  	pkey_amr_uamor_mask = ~0x0ul;
> >  	pkey_iamr_mask = ~0x0ul;
> >
> > -	for (i = 2; i < (pkeys_total - os_reserved); i++) {
> > +	for (i = 0; i < (pkeys_total - os_reserved); i++) {
> > +	 	/*
> 
> There's a space between the tabs here.

ok. will fix.

> 
> > +		 * key 1 is recommended not to be used.
> > +		 * PowerISA(3.0) page 1015,
> > +		 */
> > +		if (i == 1)
> > +			continue;
> > +
> >  		initial_allocation_mask &= ~(0x1 << i);
> >  		pkey_amr_uamor_mask &= ~(0x3ul << pkeyshift(i));
> >  		pkey_iamr_mask &= ~(0x1ul << pkeyshift(i));
> > @@ -145,7 +147,9 @@ void pkey_mm_init(struct mm_struct *mm)
> >  {
> >  	if (static_branch_likely(&pkey_disabled))
> >  		return;
> > -	mm_pkey_allocation_map(mm) = initial_allocation_mask;
> > +
> > +	/* allocate key-0 by default */
> > +	mm_pkey_allocation_map(mm) = initial_allocation_mask | 0x1;
> >  	/* -1 means unallocated or invalid */
> >  	mm->context.execute_only_pkey = -1;
> >  }
> 
> I think we should also set the AMOR and UAMOR bits for key 0. Otherwise,
> key 0 will be in allocated-but-not-enabled state which is yet another
> subtle way in which it will be special.

No. as explained above, it will hurt to let userspace modify
permissions on key-0.

> 
> Also, pkey_access_permitted() has a special case for key 0. Should it?

we can delete that check. though it does not hurt to leave it in place.
Access/Write/Execute on pkey-0 is always permitted.

RP