2019-05-08 23:21:26 +08:00
|
|
|
.. SPDX-License-Identifier: GPL-2.0
|
|
|
|
|
|
|
|
======================
|
|
|
|
Memory Protection Keys
|
|
|
|
======================
|
|
|
|
|
2017-11-11 08:12:28 +08:00
|
|
|
Memory Protection Keys for Userspace (PKU aka PKEYs) is a feature
|
2020-05-29 00:08:23 +08:00
|
|
|
which is found on Intel's Skylake (and later) "Scalable Processor"
|
|
|
|
Server CPUs. It will be available in future non-server Intel parts
|
|
|
|
and future AMD processors.
|
2017-11-11 08:12:28 +08:00
|
|
|
|
|
|
|
For anyone wishing to test or use this feature, it is available in
|
|
|
|
Amazon's EC2 C5 instances and is known to work there using an Ubuntu
|
|
|
|
17.04 image.
|
2015-12-15 03:06:34 +08:00
|
|
|
|
|
|
|
Memory Protection Keys provides a mechanism for enforcing page-based
|
|
|
|
protections, but without requiring modification of the page tables
|
|
|
|
when an application changes protection domains. It works by
|
|
|
|
dedicating 4 previously ignored bits in each page table entry to a
|
|
|
|
"protection key", giving 16 possible keys.
|
|
|
|
|
|
|
|
There is also a new user-accessible register (PKRU) with two separate
|
|
|
|
bits (Access Disable and Write Disable) for each key. Being a CPU
|
|
|
|
register, PKRU is inherently thread-local, potentially giving each
|
|
|
|
thread a different set of protections from every other thread.
|
|
|
|
|
|
|
|
There are two new instructions (RDPKRU/WRPKRU) for reading and writing
|
|
|
|
to the new register. The feature is only available in 64-bit mode,
|
|
|
|
even though there is theoretically space in the PAE PTEs. These
|
|
|
|
permissions are enforced on data access only and have no effect on
|
|
|
|
instruction fetches.
|
|
|
|
|
2019-05-08 23:21:26 +08:00
|
|
|
Syscalls
|
|
|
|
========
|
2016-07-30 00:30:20 +08:00
|
|
|
|
2019-05-08 23:21:26 +08:00
|
|
|
There are 3 system calls which directly interact with pkeys::
|
2016-07-30 00:30:20 +08:00
|
|
|
|
|
|
|
int pkey_alloc(unsigned long flags, unsigned long init_access_rights)
|
|
|
|
int pkey_free(int pkey);
|
|
|
|
int pkey_mprotect(unsigned long start, size_t len,
|
|
|
|
unsigned long prot, int pkey);
|
|
|
|
|
|
|
|
Before a pkey can be used, it must first be allocated with
|
|
|
|
pkey_alloc(). An application calls the WRPKRU instruction
|
|
|
|
directly in order to change access permissions to memory covered
|
|
|
|
with a key. In this example WRPKRU is wrapped by a C function
|
|
|
|
called pkey_set().
|
2019-05-08 23:21:26 +08:00
|
|
|
::
|
2016-07-30 00:30:20 +08:00
|
|
|
|
|
|
|
int real_prot = PROT_READ|PROT_WRITE;
|
2017-07-24 21:03:46 +08:00
|
|
|
pkey = pkey_alloc(0, PKEY_DISABLE_WRITE);
|
2016-07-30 00:30:20 +08:00
|
|
|
ptr = mmap(NULL, PAGE_SIZE, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
|
|
|
|
ret = pkey_mprotect(ptr, PAGE_SIZE, real_prot, pkey);
|
|
|
|
... application runs here
|
|
|
|
|
|
|
|
Now, if the application needs to update the data at 'ptr', it can
|
2019-05-08 23:21:26 +08:00
|
|
|
gain access, do the update, then remove its write access::
|
2016-07-30 00:30:20 +08:00
|
|
|
|
2017-07-24 21:03:46 +08:00
|
|
|
pkey_set(pkey, 0); // clear PKEY_DISABLE_WRITE
|
2016-07-30 00:30:20 +08:00
|
|
|
*ptr = foo; // assign something
|
2017-07-24 21:03:46 +08:00
|
|
|
pkey_set(pkey, PKEY_DISABLE_WRITE); // set PKEY_DISABLE_WRITE again
|
2016-07-30 00:30:20 +08:00
|
|
|
|
|
|
|
Now when it frees the memory, it will also free the pkey since it
|
2019-05-08 23:21:26 +08:00
|
|
|
is no longer in use::
|
2016-07-30 00:30:20 +08:00
|
|
|
|
|
|
|
munmap(ptr, PAGE_SIZE);
|
|
|
|
pkey_free(pkey);
|
|
|
|
|
2019-05-08 23:21:26 +08:00
|
|
|
.. note:: pkey_set() is a wrapper for the RDPKRU and WRPKRU instructions.
|
|
|
|
An example implementation can be found in
|
|
|
|
tools/testing/selftests/x86/protection_keys.c.
|
2016-10-05 00:38:57 +08:00
|
|
|
|
2019-05-08 23:21:26 +08:00
|
|
|
Behavior
|
|
|
|
========
|
2016-07-30 00:30:20 +08:00
|
|
|
|
|
|
|
The kernel attempts to make protection keys consistent with the
|
2019-05-08 23:21:26 +08:00
|
|
|
behavior of a plain mprotect(). For instance if you do this::
|
2016-07-30 00:30:20 +08:00
|
|
|
|
|
|
|
mprotect(ptr, size, PROT_NONE);
|
|
|
|
something(ptr);
|
|
|
|
|
2019-05-08 23:21:26 +08:00
|
|
|
you can expect the same effects with protection keys when doing this::
|
2016-07-30 00:30:20 +08:00
|
|
|
|
|
|
|
pkey = pkey_alloc(0, PKEY_DISABLE_WRITE | PKEY_DISABLE_READ);
|
|
|
|
pkey_mprotect(ptr, size, PROT_READ|PROT_WRITE, pkey);
|
|
|
|
something(ptr);
|
|
|
|
|
|
|
|
That should be true whether something() is a direct access to 'ptr'
|
2019-05-08 23:21:26 +08:00
|
|
|
like::
|
2016-07-30 00:30:20 +08:00
|
|
|
|
|
|
|
*ptr = foo;
|
|
|
|
|
|
|
|
or when the kernel does the access on the application's behalf like
|
2019-05-08 23:21:26 +08:00
|
|
|
with a read()::
|
2016-07-30 00:30:20 +08:00
|
|
|
|
|
|
|
read(fd, ptr, 1);
|
|
|
|
|
|
|
|
The kernel will send a SIGSEGV in both cases, but si_code will be set
|
|
|
|
to SEGV_PKERR when violating protection keys versus SEGV_ACCERR when
|
|
|
|
the plain mprotect() permissions are violated.
|