powerpc/pkeys: make protection key 0 less special

Applications need the ability to associate an address-range with some
key and latter revert to its initial default key. Pkey-0 comes close to
providing this function but falls short, because the current
implementation disallows applications to explicitly associate pkey-0 to
the address range.

Lets make pkey-0 less special and treat it almost like any other key.
Thus it can be explicitly associated with any address range, and can be
freed. This gives the application more flexibility and power.  The
ability to free pkey-0 must be used responsibily, since pkey-0 is
associated with almost all address-range by default.

Even with this change pkey-0 continues to be slightly more special
from the following point of view.
(a) it is implicitly allocated.
(b) it is the default key assigned to any address-range.
(c) its permissions cannot be modified by userspace.

NOTE: (c) is specific to powerpc only. pkey-0 is associated by default
with all pages including kernel pages, and pkeys are also active in
kernel mode. If any permission is denied on pkey-0, the kernel running
in the context of the application will be unable to operate.

Tested on powerpc.

Signed-off-by: Ram Pai <linuxram@us.ibm.com>
[mpe: Drop #define PKEY_0 0 in favour of plain old 0]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>

diff --git a/arch/powerpc/include/asm/pkeys.h b/arch/powerpc/include/asm/pkeys.h
index 3312606fda07b0b73100eaa83cd3c0345283450d..20ebf153c8714e27c095f43e979b4787d77f8236 100644 (file)
--- a/arch/powerpc/include/asm/pkeys.h
+++ b/arch/powerpc/include/asm/pkeys.h
@@ -13,7 +13,8 @@
 
 DECLARE_STATIC_KEY_TRUE(pkey_disabled);
 extern int pkeys_total; /* total pkeys as per device tree */
-extern u32 initial_allocation_mask; /* bits set for reserved keys */
+extern u32 initial_allocation_mask; /*  bits set for the initially allocated keys */
+extern u32 reserved_allocation_mask; /* bits set for reserved keys */
 
 #define ARCH_VM_PKEY_FLAGS (VM_PKEY_BIT0 | VM_PKEY_BIT1 | VM_PKEY_BIT2 | \
                            VM_PKEY_BIT3 | VM_PKEY_BIT4)
@@ -83,15 +84,19 @@ static inline u16 pte_to_pkey_bits(u64 pteflags)
 #define __mm_pkey_is_allocated(mm, pkey)       \
        (mm_pkey_allocation_map(mm) & pkey_alloc_mask(pkey))
 
-#define __mm_pkey_is_reserved(pkey) (initial_allocation_mask & \
+#define __mm_pkey_is_reserved(pkey) (reserved_allocation_mask & \
                                       pkey_alloc_mask(pkey))
 
 static inline bool mm_pkey_is_allocated(struct mm_struct *mm, int pkey)
 {
-       /* A reserved key is never considered as 'explicitly allocated' */
-       return ((pkey < arch_max_pkey()) &&
-               !__mm_pkey_is_reserved(pkey) &&
-               __mm_pkey_is_allocated(mm, pkey));
+       if (pkey < 0 || pkey >= arch_max_pkey())
+               return false;
+
+       /* Reserved keys are never allocated. */
+       if (__mm_pkey_is_reserved(pkey))
+               return false;
+
+       return __mm_pkey_is_allocated(mm, pkey);
 }
 
 /*
@@ -176,6 +181,16 @@ static inline int arch_set_user_pkey_access(struct task_struct *tsk, int pkey,
 {
        if (static_branch_likely(&pkey_disabled))
                return -EINVAL;
+
+       /*
+        * userspace should not change pkey-0 permissions.
+        * pkey-0 is associated with every page in the kernel.
+        * If userspace denies any permission on pkey-0, the
+        * kernel cannot operate.
+        */
+       if (pkey == 0)
+               return init_val ? -EINVAL : 0;
+
        return __arch_set_user_pkey_access(tsk, pkey, init_val);
 }
 

diff --git a/arch/powerpc/mm/pkeys.c b/arch/powerpc/mm/pkeys.c
index 0e7810ccd1ae7a88fd455ca86e44f82c7565679a..333b1f80c435435cbf703a477e4bb60f6181a058 100644 (file)
--- a/arch/powerpc/mm/pkeys.c
+++ b/arch/powerpc/mm/pkeys.c
@@ -14,7 +14,8 @@ DEFINE_STATIC_KEY_TRUE(pkey_disabled);
 bool pkey_execute_disable_supported;
 int  pkeys_total;              /* Total pkeys as per device tree */
 bool pkeys_devtree_defined;    /* pkey property exported by device tree */
-u32  initial_allocation_mask;  /* Bits set for reserved keys */
+u32  initial_allocation_mask;   /* Bits set for the initially allocated keys */
+u32  reserved_allocation_mask;  /* Bits set for reserved keys */
 u64  pkey_amr_mask;            /* Bits in AMR not to be touched */
 u64  pkey_iamr_mask;           /* Bits in AMR not to be touched */
 u64  pkey_uamor_mask;          /* Bits in UMOR not to be touched */
@@ -121,8 +122,8 @@ int pkey_initialize(void)
 #else
        os_reserved = 0;
 #endif
-       initial_allocation_mask  = (0x1 << 0) | (0x1 << 1) |
-                                       (0x1 << execute_only_key);
+       /* Bits are in LE format. */
+       reserved_allocation_mask = (0x1 << 1) | (0x1 << execute_only_key);
 
        /* register mask is in BE format */
        pkey_amr_mask = ~0x0ul;
@@ -138,9 +139,10 @@ int pkey_initialize(void)
 
        /* mark the rest of the keys as reserved and hence unavailable */
        for (i = (pkeys_total - os_reserved); i < pkeys_total; i++) {
-               initial_allocation_mask |= (0x1 << i);
+               reserved_allocation_mask |= (0x1 << i);
                pkey_uamor_mask &= ~(0x3ul << pkeyshift(i));
        }
+       initial_allocation_mask = reserved_allocation_mask | (0x1 << 0);
 
        if (unlikely((pkeys_total - os_reserved) <= execute_only_key)) {
                /*
@@ -359,9 +361,6 @@ static bool pkey_access_permitted(int pkey, bool write, bool execute)
        int pkey_shift;
        u64 amr;
 
-       if (!pkey)
-               return true;
-
        if (!is_pkey_enabled(pkey))
                return true;