From: Thomas Gleixner
To: Aruna Ramakrishna
Cc: "linux-kernel@vger.kernel.org", "x86@kernel.org", "dave.hansen@linux.intel.com", Ingo Molnar, Keith Lucas
Subject: Re: [PATCH v3 3/4] x86/pkeys: Update PKRU to enable all pkeys before XSAVE
References: <20240425180542.1042933-1-aruna.ramakrishna@oracle.com> <20240425180542.1042933-4-aruna.ramakrishna@oracle.com> <87wmo5po0i.ffs@tglx>
Date: Wed, 08 May 2024 14:52:18 +0200
Message-ID: <874jb8pit9.ffs@tglx>

On Tue, May 07 2024 at 17:34, Aruna Ramakrishna wrote:
>> On May 7, 2024, at 9:47 AM, Thomas Gleixner wrote:
>>
>> Also this lacks any justification why this enables all pkeys and how
>> that is the right thing to do instead of using init_pkru_value which
>> is what is set by fpu__clear_user_states() before going back to user
>> space. For signal handling this can be the only valid PKEY state unless
>> I'm missing something here.
>
> If the alt sig stack is protected by a different pkey (other than pkey 0), then
> this flow would need to enable that, along with the pkey for the thread's
> stack. Since the code has no way of knowing what pkey the altstack needs,
> it enables all for this brief window.

Again. The flow here is:

  handle_signal()
    enable_access_to_altstack()
    ....
    fpu__clear_user_states()
      restore_fpregs_from_init_fpstate(XFEATURE_MASK_USER_RESTORE)
        os_xrstor(&init_fpstate, features_mask)
        pkru_write_default()
          write_pkru(init_pkru_value);   <- Loads the default PKRU value

  return_to_user_space()

User space resumes with the default PKRU value and the first thing user
space does when entering the signal handler is to push stuff on the
signal stack.

If the signal stack is protected by a key which is not contained in
init_pkru_value then the application segfaults in a non recoverable way,
no?

So arguably it is sufficient to ensure that PKRU has the keys in
init_pkru_value enabled:

    sigpkru = read_pkru() & init_pkru_value;

If user space protects the task stack or the sigalt stack with a key
which is not in init_pkru_value then it does not matter at all whether
it dies in handle_signal() or later when returning to user space, no?

I'm not fundamentally opposed to enable all keys, but I don't buy this
without a proper explanation why this has been chosen over enabling only
the absolute minimum access rights.

Thanks,

        tglx
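
The two candidate PKRU values discussed in this message, modelled in user-space C as an added example (not code from the patch or from the kernel). It assumes the usual x86 PKRU layout of two disable bits per key and a default init_pkru_value of 0x55555554 (all keys except pkey 0 access-disabled); the helper names and the sample thread state are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* PKRU holds two *disable* bits per key: bit 2k = AD, bit 2k+1 = WD. */
#define PKRU_AD(k) (1u << (2 * (k)))
#define PKRU_WD(k) (2u << (2 * (k)))
#define NKEYS 16

/* Assumption: default init_pkru_value, only pkey 0 accessible. */
#define INIT_PKRU_VALUE 0x55555554u

/* A key permits writes only when both its AD and WD bits are clear. */
static int pkey_writable(uint32_t pkru, int key)
{
    return !(pkru & (PKRU_AD(key) | PKRU_WD(key)));
}

/* Bitmask (bit k = pkey k) of the keys that are writable under pkru. */
static unsigned writable_keys(uint32_t pkru)
{
    unsigned mask = 0;
    for (int k = 0; k < NKEYS; k++)
        if (pkey_writable(pkru, k))
            mask |= 1u << k;
    return mask;
}

/* Minimal variant: AND of disable bits keeps a key disabled only if it is
 * disabled in both values, so every key enabled in init_pkru_value is on. */
static uint32_t sigpkru_minimal(uint32_t cur) { return cur & INIT_PKRU_VALUE; }

/* Variant from the patch subject: clear all disable bits. */
static uint32_t sigpkru_enable_all(uint32_t cur) { (void)cur; return 0; }

/* Constructed sample: a thread that left only pkey 1 enabled. */
static uint32_t sample_thread_pkru(void) { return 0x55555555u & ~PKRU_AD(1); }

int main(void)
{
    uint32_t cur = sample_thread_pkru();
    printf("thread       pkru=%08x writable=%04x\n", (unsigned)cur, writable_keys(cur));
    printf("minimal      pkru=%08x writable=%04x\n",
           (unsigned)sigpkru_minimal(cur), writable_keys(sigpkru_minimal(cur)));
    printf("enable all   pkru=%08x writable=%04x\n",
           (unsigned)sigpkru_enable_all(cur), writable_keys(sigpkru_enable_all(cur)));
    printf("after return pkru=%08x writable=%04x\n",
           (unsigned)INIT_PKRU_VALUE, writable_keys(INIT_PKRU_VALUE));
    return 0;
}
```

In this model an altstack tagged with pkey 2 is writable only in the enable-all window; it is not writable under the minimal value or under the value loaded before returning to user space.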