Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1719210imu; Wed, 21 Nov 2018 00:33:33 -0800 (PST) X-Google-Smtp-Source: AFSGD/WpBOC1pYftEek35Fwq7wpUFwgkjnAsDgxIzEya+YbAJFJ6Y7XowzIeUn7w1VDSOD9SZQBG X-Received: by 2002:a17:902:544:: with SMTP id 62-v6mr5537484plf.73.1542789213545; Wed, 21 Nov 2018 00:33:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542789213; cv=none; d=google.com; s=arc-20160816; b=bZNUfRH33bznaTSE65X7VAQNPjkwp/WIiWZuvgoiycH7BrIim7unseUIKywLgBEjvu sFX32IZBKS+2uN0oOW/tC60phrM4M0lbiaIS/WAXVx011YUh2Fy5h425G4fChOLjH8Nj tvBFeSAygruhQ8fsRIqLc1sTJ8lznt51De74VMxbEUFgEvGwXYrPMXhTMwVBMBOW38B8 BFVBTSVPLNC02324UTeOc/+efrlxHSIoXUCKwtSv0z63tEm43hbpItwQ1RL/3yTH0vfW J+/Ncnkc1OEtqFenLEh7NtnJbnKIep9nPDXHbdcmOpAP7D7f5eZ2+ZPDsUCb/UOpF+X4 Kmuw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=HH4yai+VafObONcYKMlzJ6CP1NbqsoaD06iocU5aDCI=; b=izUMg9jd9aM3DHAFTNoKM3k0KdZ1I1OA4FTgwqFiY3vnS2SXTgK9vzalXFJHc7k61a DOvkAQ2rzsFhDogHRGGJ4kPcnJiD8lBDA0FUINewctUb2YEiJEi3dXM61DqR+qYPlXr8 33reFpraytWPMzGvzuIxw2PATVfHvCOJ/TW9NC6t3l53OaQu0Fo3joLqx1rKMjDsjdKk atpQDy0D1JyhlBpP/bVE9tnqn0sFswEj81PB8mKKdU3MGulxnRCmBL79YtOYHxmZrb7v oxwH3giZGqldJE/sKH790MZ836nbya06z/IsVpbxoIZGOldnIGoWJ74wNNJEQFv2Q3C1 j86A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o22-v6si49529857pfk.50.2018.11.21.00.33.18; Wed, 21 Nov 2018 00:33:33 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728790AbeKUTGO (ORCPT + 99 others); Wed, 21 Nov 2018 14:06:14 -0500 Received: from pegase1.c-s.fr ([93.17.236.30]:2208 "EHLO pegase1.c-s.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728370AbeKUTGO (ORCPT ); Wed, 21 Nov 2018 14:06:14 -0500 Received: from localhost (mailhub1-int [192.168.12.234]) by localhost (Postfix) with ESMTP id 430G676V56z9txvZ; Wed, 21 Nov 2018 09:32:31 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at c-s.fr Received: from pegase1.c-s.fr ([192.168.12.234]) by localhost (pegase1.c-s.fr [192.168.12.234]) (amavisd-new, port 10024) with ESMTP id IAHMGtRtbQbW; Wed, 21 Nov 2018 09:32:31 +0100 (CET) Received: from messagerie.si.c-s.fr (messagerie.si.c-s.fr [192.168.25.192]) by pegase1.c-s.fr (Postfix) with ESMTP id 430G675zNyz9txvW; Wed, 21 Nov 2018 09:32:31 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by messagerie.si.c-s.fr (Postfix) with ESMTP id C54488B7FF; Wed, 21 Nov 2018 09:32:35 +0100 (CET) X-Virus-Scanned: amavisd-new at c-s.fr Received: from messagerie.si.c-s.fr ([127.0.0.1]) by localhost (messagerie.si.c-s.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id QfZI9f9-l_5r; Wed, 21 Nov 2018 09:32:35 +0100 (CET) Received: from PO15451 (po15451.idsi0.si.c-s.fr [172.25.231.2]) by messagerie.si.c-s.fr (Postfix) with ESMTP id 7573E8B75F; Wed, 21 Nov 2018 09:32:35 +0100 (CET) Subject: Re: [RFC PATCH v1 5/6] powerpc/mm: Add a framework for Kernel Userspace Access Protection To: Russell Currey , Benjamin Herrenschmidt , Paul Mackerras , Michael Ellerman Cc: linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org References: From: Christophe LEROY Message-ID: Date: Wed, 21 Nov 2018 09:32:35 +0100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: fr Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Le 21/11/2018 à 03:26, Russell Currey a écrit : > On Wed, 2018-11-07 at 16:56 +0000, Christophe Leroy wrote: >> This patch implements a framework for Kernel Userspace Access >> Protection. >> >> Then subarches will have to possibility to provide their own >> implementation >> by providing setup_kuap(), and lock/unlock_user_rd/wr_access >> >> We separate read and write accesses because some subarches like >> book3s32 might only support write access protection. >> >> Signed-off-by: Christophe Leroy > > Separating read and writes does have a performance impact, I'm doing > some benchmarking to find out exactly how much - but at least for radix > it means we have to do a RMW instead of just a write. It does add some > amount of security, though. > > The other issue I have is that you're just locking everything here > (like I was), and not doing anything different for just reads or > writes. In theory, wouldn't someone assume that they could (for > example) unlock reads, lock writes, then attempt to read? At which > point the read would fail, because the lock actually locks both. > > I would think we either need to bundle read/write locking/unlocking > together, or only implement this on platforms that can do one at a > time, unless there's a cleaner way to handle this. Glancing at the > values you use for 8xx, this doesn't seem possible there, and it's a > definite performance hit for radix. > > At the same time, as you say, it would suck for book3s32 that can only > do writes, but maybe just doing both at the same time and if > implemented for that platform it could just have a warning that it only > applies to writes on init? Well, I see your points. My idea was not to separate read and write on platform that can lock both. I think it is no problem to also unlocking writes when we are doing a read, so on platforms that can do both I think both should do the same.. The idea was to avoid spending time unlocking writes for doing a read on platforms on which reads are not locked. And for platforms able to independently unlock/lock reads and writes, if only unlocking reads can improve performance it can be interesting as well. For book3s/32, locking/unlocking will be done through Kp/Ks bits in segment registers, the function won't be trivial as it may involve more than one segment at a time. So I just wanted to avoid spending time doing that for reads as reads won't be protected. And may also be the case on older book3s/64, may not it ? On Book3s/32, the page protection bits are as follows: Key 0 1 PP 00 RW NA 01 RW RO 10 RW RW 11 RO RO So the idea is to encode user RW with PP01 (instead of PP10 today) and user RO with PP11 (as done today), giving Key0 to user and Key1 to kernel (today both user and kernel have Key1). Then when kernel needs to write, we change Ks to Key0 in segment register for the involved segments. I'm not sure there is any risk that someone nests unlocks/locks for reads and unlocks/locks for writes, because the unlocks/locks are done in very limited places. Christophe > > Curious for people's thoughts on this. > > - Russell >