Date: Wed, 18 Nov 2020 17:18:24 -0000
From: "tip-bot2 for Sean Christopherson"
Sender: tip-bot2@linutronix.de
Reply-to: linux-kernel@vger.kernel.org
To: linux-tip-commits@vger.kernel.org
Subject: [tip: x86/sgx] mm: Add 'mprotect' hook to struct vm_operations_struct
Cc: Sean Christopherson, Jarkko Sakkinen, Borislav Petkov, Jethro Beekman, Dave Hansen, Mel Gorman, Hillf Danton, linux-mm@kvack.org, x86@kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <20201112220135.165028-11-jarkko@kernel.org>
References: <20201112220135.165028-11-jarkko@kernel.org>
Message-ID: <160571990472.11244.16622523428160178953.tip-bot2@tip-bot2>

The following commit has been merged into the x86/sgx branch of tip:

Commit-ID:     95bb7c42ac8a94ce3d0eb059ad64430390351ccb
Gitweb:        https://git.kernel.org/tip/95bb7c42ac8a94ce3d0eb059ad64430390351ccb
Author:        Sean Christopherson
AuthorDate:    Fri, 13 Nov 2020 00:01:21 +02:00
Committer:     Borislav Petkov
CommitterDate: Tue, 17 Nov 2020 14:36:14 +01:00

mm: Add 'mprotect' hook to struct vm_operations_struct

Background
==========

1. SGX enclave pages are populated with data by copying from normal memory
   via ioctl() (SGX_IOC_ENCLAVE_ADD_PAGES), which will be added later in
   this series.

2. It is desirable to be able to restrict those normal memory data sources.
   For instance, to ensure that the source data is executable before
   copying data to an executable enclave page.

3. Enclave page permissions are dynamic (just like normal permissions) and
   can be adjusted at runtime with mprotect().

This creates a problem because the original data source may have long since
vanished at the time when enclave page permissions are established (mmap()
or mprotect()).

The solution (elsewhere in this series) is to force enclave creators to
declare their paging permission *intent* up front to the ioctl(). This
intent can be immediately compared to the source data’s mapping and
rejected if necessary.

The “intent” is also stashed off for later comparison with enclave PTEs.
This ensures that any future mmap()/mprotect() operations performed by the
enclave creator or done on behalf of the enclave can be compared with the
earlier declared permissions.

Problem
=======

There is an existing mmap() hook which allows SGX to perform this
permission comparison at mmap() time. However, there is no corresponding
->mprotect() hook.

Solution
========

Add a vm_ops->mprotect() hook so that mprotect() operations which are
inconsistent with any page's stashed intent can be rejected by the driver.

Signed-off-by: Sean Christopherson
Co-developed-by: Jarkko Sakkinen
Signed-off-by: Jarkko Sakkinen
Signed-off-by: Borislav Petkov
Acked-by: Jethro Beekman
Acked-by: Dave Hansen
Acked-by: Mel Gorman
Acked-by: Hillf Danton
Cc: linux-mm@kvack.org
Link: https://lkml.kernel.org/r/20201112220135.165028-11-jarkko@kernel.org
--- include/linux/mm.h | 7 +++++++ mm/mprotect.c | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/include/linux/mm.h b/include/linux/mm.h index db6ae4d..1813fa8 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h 
@@ -559,6 +559,13 @@ struct vm_operations_struct { void (*close)(struct vm_area_struct * area); int (*split)(struct vm_area_struct * area, unsigned long addr); int (*mremap)(struct vm_area_struct * area); + /* + * Called by mprotect() to make driver-specific permission + * checks before mprotect() is finalised. The VMA must not + * be modified. Returns 0 if eprotect() can proceed. + */ + int (*mprotect)(struct vm_area_struct *vma, unsigned long start, + unsigned long end, unsigned long newflags); vm_fault_t (*fault)(struct vm_fault *vmf); vm_fault_t (*huge_fault)(struct vm_fault *vmf, enum page_entry_size pe_size); diff --git a/mm/mprotect.c b/mm/mprotect.c index 56c02be..ab70902 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -616,9 +616,16 @@ static int do_mprotect_pkey(unsigned long start, size_t = len, tmp =3D vma->vm_end; if (tmp > end) tmp =3D end; + + if (vma->vm_ops && vma->vm_ops->mprotect) + error =3D vma->vm_ops->mprotect(vma, nstart, tmp, newflags); + if (error) + goto out; + error =3D mprotect_fixup(vma, &prev, nstart, tmp, newflags); if (error) goto out; + nstart =3D tmp; =20 if (nstart < prev->vm_end)
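
Review bot: the comment above the new `mprotect` member in struct vm_operations_struct reads "Returns 0 if eprotect() can proceed"; that should be mprotect(). The comment also documents only the success value. It would help implementers to add that any non-zero return sends do_mprotect_pkey() down its `goto out` error path before mprotect_fixup() runs, and that `start` and `end` arrive already clamped to this VMA (the caller passes `nstart` and `tmp`).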
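
Review bot: in the do_mprotect_pkey() hunk, the `if (error) goto out;` that follows the hook call sits outside the `if (vma->vm_ops && vma->vm_ops->mprotect)` test, so for a VMA without the hook it checks whatever `error` held before this point, and these lines do not show that it is 0 there. Moving the check inside the conditional, with braces, would make the new block self-contained and keep it correct if an earlier assignment to `error` changes. The blank line added before `nstart = tmp;` is an unrelated whitespace change and could be dropped.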
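
The intent check described in the commit message, as a user-space C model added here (it is not code from the patch or from the SGX driver): every `model_*` name, the `PERM_*` bits and the three-page layout are assumptions. The model keeps per-page arrays where the kernel works on VMAs and PTEs.

```c
#include <errno.h>
/* User-space model; every name here is illustrative, not a kernel symbol. */
enum { PAGE_SZ = 4096, PERM_R = 1, PERM_W = 2, PERM_X = 4 };
struct model_vma;
struct model_vm_ops {          /* same shape as the hook the patch adds */
    int (*mprotect)(struct model_vma *vma, unsigned long start,
                    unsigned long end, unsigned long newflags);
};
struct model_vma {
    unsigned long vm_start, vm_end;
    const struct model_vm_ops *vm_ops;
    const unsigned long *intent;   /* per-page permissions declared up front */
    unsigned long *prot;           /* per-page permissions currently in effect */
};

/* Driver hook: checks only, never modifies the VMA; 0 lets mprotect() go on. */
static int model_driver_mprotect(struct model_vma *vma, unsigned long start,
                                 unsigned long end, unsigned long newflags)
{
    for (unsigned long a = start; a < end; a += PAGE_SZ)
        if (newflags & ~vma->intent[(a - vma->vm_start) / PAGE_SZ])
            return -EACCES;        /* asks for more than was declared */
    return 0;
}

/* Caller: consult the hook first and apply the change only if it returns 0. */
static int model_mprotect(struct model_vma *vma, unsigned long start,
                          unsigned long end, unsigned long newflags)
{
    int error = 0;
    if (start < vma->vm_start || end > vma->vm_end || start >= end)
        return -ENOMEM;            /* range not covered by this mapping */
    if (vma->vm_ops && vma->vm_ops->mprotect)
        error = vma->vm_ops->mprotect(vma, start, end, newflags);
    if (error)
        return error;
    for (unsigned long a = start; a < end; a += PAGE_SZ)
        vma->prot[(a - vma->vm_start) / PAGE_SZ] = newflags;
    return 0;
}

/* Constructed sample: three pages declared as R+X, R+W and R. */
static const struct model_vm_ops model_ops = { model_driver_mprotect };
static const unsigned long model_intent[3] = { PERM_R | PERM_X, PERM_R | PERM_W, PERM_R };
static unsigned long model_prot[3];
static struct model_vma model_enclave = { 0x10000, 0x10000 + 3 * PAGE_SZ, &model_ops, model_intent, model_prot };

/* Exits 0: R+X on page 0 is within that page's declared intent. */
int main(void) { return model_mprotect(&model_enclave, 0x10000, 0x11000, PERM_R | PERM_X); }
```

A request spanning several pages is refused as a whole if any one page's declared intent lacks a requested bit, and a refused request leaves `prot` untouched.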