Received: by 2002:a05:7412:98c1:b0:fa:551:50a7 with SMTP id kc1csp343026rdb; Fri, 5 Jan 2024 11:37:55 -0800 (PST) X-Google-Smtp-Source: AGHT+IFGeXMtzcOeuVgcPpmSEMFloHjCuDkVE+6f1Zi6vtAok8HnsHywp4aX1JE7ZmVme7Lh1nqR X-Received: by 2002:a17:907:9704:b0:a28:e1a4:ae46 with SMTP id jg4-20020a170907970400b00a28e1a4ae46mr3200890ejc.13.1704483475727; Fri, 05 Jan 2024 11:37:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1704483475; cv=none; d=google.com; s=arc-20160816; b=cb1OcDxphghcKi2ea1eZ6M3HIqLWVjC/2xe+S+z/WD0fJVOCK8N+RX3SH/qUW0+r2+ ywv6HtR/T0ahePrVUFtODqHhUKpGWRKzrQlBXDPNF0f3NAjga02S/YE5O0CpbfOuB7rB MfGV71EE5j1Ki1NxSUGZdBRPOq63u2k4Blg9fTxwYuaNFBPzlvsJcMI3nHKs7ApVbVS/ oCe53BRS/Pm/56jKgU5iMAxLrUGzFw3XKSdh6ebvsZLuwoXOSctBzWKYw8ld/jvVUBx0 82YL99IZ7URhe7pJnvnjBf21EQecLs7D02xmC8U5LJL/TdWyTqcbe/wrB0ImYVYmwdRx 3yYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=vrOZywRVHYQrwYA4rEvbQOcCE+oYGeNQVUbfflcP1O8=; fh=iC0LeWTtFXfmi/Bq4YP3Z8pNDcOwr7Ci/il68BugYyk=; b=uicyMZXHk9AlxT7pVsJf+XkHjWUEf4rlNuf9g5GTKy5NQ6mv+M+tUXqMiU9Q6JrD5r 6GmQZNcA0wuL2PpI6T7ntoxk6Wt4wqAF9TTJv2Wxfk3r/zrW49IIEdA3GjOOR6FfGY4K LFvKsddJH+cYY7c32EV6FNlYC4WtB+bJ19grOE8332r/ZjxmEmBLTojCzJJ6THYw1bcX NvVVdevRkEFTXdhH2P870Ns/Mx4qSftAN+0CKYn+7t1GKuz49Cn4VnOsHY/EDy/eAuG7 Eutwn0mAtMTpxfdv/bDDB2sl9Fs9X3xRAXNqdJ93vxLOTs+kAmd6VvtTshr+fNqBM93p bTqg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=AwPpw0Tp; spf=pass (google.com: domain of linux-kernel+bounces-18301-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-18301-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id r6-20020a17090638c600b00a28b410b572si820957ejd.13.2024.01.05.11.37.55 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 05 Jan 2024 11:37:55 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-18301-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=AwPpw0Tp; spf=pass (google.com: domain of linux-kernel+bounces-18301-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-18301-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 77A391F23D80 for ; Fri, 5 Jan 2024 19:37:55 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 9DD8A35F1A; Fri, 5 Jan 2024 19:37:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="AwPpw0Tp" X-Original-To: linux-kernel@vger.kernel.org Received: from mail-oa1-f49.google.com (mail-oa1-f49.google.com [209.85.160.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 53FF635F0C for ; Fri, 5 Jan 2024 19:37:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org Received: by mail-oa1-f49.google.com with SMTP id 586e51a60fabf-2046b2cd2d3so1241427fac.0 for ; Fri, 05 Jan 2024 11:37:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1704483465; x=1705088265; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=vrOZywRVHYQrwYA4rEvbQOcCE+oYGeNQVUbfflcP1O8=; b=AwPpw0Tphp3fbFYYPoIYS3l2fzwPI7FZuvaKt+ycRxz2VmTgh4ojp1DLrZSdTOnJ6g BtAeHYG/qwzoZnRxTOKSvh4m6j/lDY8vLErNY19GAmguko+y2KQcsAtykqbMZFDgDXen MQnDnjpT+xrvYfR3UAaEm2g6v1W8nj2Oo76a4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704483465; x=1705088265; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=vrOZywRVHYQrwYA4rEvbQOcCE+oYGeNQVUbfflcP1O8=; b=t4RVDY6arLLH8FaUY6rNV/clFe5ppSCdXHVLIpUFC03w0GjKDc2WoN3RMQRlSH+sW3 zs+ExelowLsNJi639XmInREdCD9ISlfgsoQCcRn9KW713TV6Dc826DgbgQWTWP2ChFyP aUMjpyKDNx8C0I8cd68agU0VcuPhlXr+lPgwTn3ixe7fBvt/nxWJ2VxwFJ7uhZkfn1xt ohjj1x7bU01HoVcDj8RW2WdCHZPi0kuOcnUwkMPAhHxwR+y3C/y+b9dTDIJLSurwchOQ zVzpfwl+nlge4IHkPg0zQZ2h4qu0QisV+/XlI5Y2CCHV2Zz3UUr/AjJOLOe3dOu8t0Yo 5TCA== X-Gm-Message-State: AOJu0YzsF+qq/eMlv+jVKrylw8aj2Vr8VKwCEHK/jcY22g1lCZVYwJHU KF6RycWvtY2JyAg9TcpqA7cb0v8m37o31Bb9IjdnRekOoZEF X-Received: by 2002:a05:6870:a19f:b0:203:c869:cd44 with SMTP id a31-20020a056870a19f00b00203c869cd44mr2937532oaf.92.1704483465420; Fri, 05 Jan 2024 11:37:45 -0800 (PST) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240104185138.169307-1-jeffxu@chromium.org> <20240104185138.169307-5-jeffxu@chromium.org> <796b6877-0548-4d2a-a484-ba4156104a20@infradead.org> In-Reply-To: <796b6877-0548-4d2a-a484-ba4156104a20@infradead.org> From: Jeff Xu Date: Fri, 5 Jan 2024 11:37:34 -0800 Message-ID: Subject: Re: [RFC PATCH v4 4/4] mseal:add documentation To: Randy Dunlap Cc: akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, sroettger@google.com, willy@infradead.org, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, usama.anjum@collabora.com, jeffxu@google.com, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pedro.falcato@gmail.com, dave.hansen@intel.com, linux-hardening@vger.kernel.org, deraadt@openbsd.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, Jan 4, 2024 at 3:47=E2=80=AFPM Randy Dunlap = wrote: > > > > On 1/4/24 10:51, jeffxu@chromium.org wrote: > > From: Jeff Xu > > > > Add documentation for mseal(). > > > > Signed-off-by: Jeff Xu > > --- > > Documentation/userspace-api/mseal.rst | 181 ++++++++++++++++++++++++++ > > 1 file changed, 181 insertions(+) > > create mode 100644 Documentation/userspace-api/mseal.rst > > > > diff --git a/Documentation/userspace-api/mseal.rst b/Documentation/user= space-api/mseal.rst > > new file mode 100644 > > index 000000000000..1700ce5af218 > > --- /dev/null > > +++ b/Documentation/userspace-api/mseal.rst > > @@ -0,0 +1,181 @@ > > +.. SPDX-License-Identifier: GPL-2.0 > > + > > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > > +Introduction of mseal > > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > > + > > +:Author: Jeff Xu > > + > > +Modern CPUs support memory permissions such as RW and NX bits. The mem= ory > > +permission feature improves security stance on memory corruption bugs,= i.e. > > +the attacker can=E2=80=99t just write to arbitrary memory and point th= e code to it, > > +the memory has to be marked with X bit, or else an exception will happ= en. > > + > > +Memory sealing additionally protects the mapping itself against > > +modifications. This is useful to mitigate memory corruption issues whe= re a > > +corrupted pointer is passed to a memory management system. For example= , > > +such an attacker primitive can break control-flow integrity guarantees > > +since read-only memory that is supposed to be trusted can become writa= ble > > +or .text pages can get remapped. Memory sealing can automatically be > > +applied by the runtime loader to seal .text and .rodata pages and > > +applications can additionally seal security critical data at runtime. > > + > > +A similar feature already exists in the XNU kernel with the > > +VM_FLAGS_PERMANENT flag [1] and on OpenBSD with the mimmutable syscall= [2]. > > + > > +User API > > +=3D=3D=3D=3D=3D=3D=3D=3D > > +Two system calls are involved in virtual memory sealing, mseal() and m= map(). > > + > > +mseal() > > +----------- > > +The mseal() syscall has following signature: > > + > > +``int mseal(void addr, size_t len, unsigned long flags)`` > > + > > +**addr/len**: virtual memory address range. > > + > > +The address range set by ``addr``/``len`` must meet: > > + - The start address must be in an allocated VMA. > > + - The start address must be page aligned. > > + - The end address (``addr`` + ``len``) must be in an allocated VMA. > > + - no gap (unallocated memory) between start and end address. > > + > > +The ``len`` will be paged aligned implicitly by the kernel. > > Does that mean that the will be extended to be page aligned > if it's not already page aligned? > Yes. the code (do_mseal) calls PAGE_ALIGNED(len). mprotect() also has this. Two test cases cover this part. test_seal_mprotect_unalign_len test_seal_mprotect_unalign_len_variant_2 -Jeff > -- > #Randy