Re: [PATCH V4 3/7] KVM, pkeys: update memeory permission bitmask for pkeys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 03/05/2016 07:27 PM, Huaitong Han wrote:
PKEYS define a new status bit in the PFEC. PFEC.PK (bit 5), if some
conditions is true, the fault is considered as a PKU violation. This
patch updates memeory permission bitmask for pkeys.

Signed-off-by: Huaitong Han <huaitong.han@xxxxxxxxx>
---
  arch/x86/include/asm/kvm_host.h |  8 ++++++--
  arch/x86/kvm/mmu.c              | 32 ++++++++++++++++++++++++++++++--
  2 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 2867626..9eb54e8 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -187,12 +187,14 @@ enum {
  #define PFERR_USER_BIT 2
  #define PFERR_RSVD_BIT 3
  #define PFERR_FETCH_BIT 4
+#define PFERR_PK_BIT 5

  #define PFERR_PRESENT_MASK (1U << PFERR_PRESENT_BIT)
  #define PFERR_WRITE_MASK (1U << PFERR_WRITE_BIT)
  #define PFERR_USER_MASK (1U << PFERR_USER_BIT)
  #define PFERR_RSVD_MASK (1U << PFERR_RSVD_BIT)
  #define PFERR_FETCH_MASK (1U << PFERR_FETCH_BIT)
+#define PFERR_PK_MASK (1U << PFERR_PK_BIT)

  /* apic attention bits */
  #define KVM_APIC_CHECK_VAPIC	0
@@ -322,10 +324,12 @@ struct kvm_mmu {

  	/*
  	 * Bitmap; bit set = permission fault
-	 * Byte index: page fault error code [4:1]
+	 * Byte index: page fault error code [5:1]
  	 * Bit index: pte permissions in ACC_* format
+	 *
+	 * Add PFEC.PK (bit 5) for protection-key violations
  	 */
-	u8 permissions[16];
+	u8 permissions[32];

  	u64 *pae_root;
  	u64 *lm_root;
diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 95a955d..1ef66f4 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -3776,16 +3776,22 @@ static void update_permission_bitmask(struct kvm_vcpu *vcpu,
  {
  	unsigned bit, byte, pfec;
  	u8 map;
-	bool fault, x, w, u, wf, uf, ff, smapf, cr4_smap, cr4_smep, smap = 0;
+	bool fault, x, w, u, smap = 0, pku = 0;
+	bool wf, uf, ff, smapf, rsvdf, pkuf;
+	bool cr4_smap, cr4_smep, cr4_pku;

  	cr4_smep = kvm_read_cr4_bits(vcpu, X86_CR4_SMEP);
  	cr4_smap = kvm_read_cr4_bits(vcpu, X86_CR4_SMAP);
+	cr4_pku = kvm_read_cr4_bits(vcpu, X86_CR4_PKE);
+
  	for (byte = 0; byte < ARRAY_SIZE(mmu->permissions); ++byte) {
  		pfec = byte << 1;
  		map = 0;
  		wf = pfec & PFERR_WRITE_MASK;
  		uf = pfec & PFERR_USER_MASK;
  		ff = pfec & PFERR_FETCH_MASK;
+		rsvdf = pfec & PFERR_RSVD_MASK;

No. RSVD is reserved by SMAP and it should not be used to walk guest page page table.

+		pkuf = pfec & PFERR_PK_MASK;
  		/*
  		 * PFERR_RSVD_MASK bit is set in PFEC if the access is not
  		 * subject to SMAP restrictions, and cleared otherwise. The
@@ -3824,12 +3830,34 @@ static void update_permission_bitmask(struct kvm_vcpu *vcpu,
  				 *   clearer.
  				 */
  				smap = cr4_smap && u && !uf && !ff;
+
+				/*
+				* PKU:additional mechanism by which the paging
+				* controls access to user-mode addresses based
+				* on the value in the PKRU register. A fault is
+				* considered as a PKU violation if all of the
+				* following conditions are true:
+				* 1.CR4_PKE=1.
+				* 2.EFER_LMA=1.
+				* 3.page is present with no reserved bit
+				*   violations.
+				* 4.the access is not an instruction fetch.
+				* 5.the access is to a user page.
+				* 6.PKRU.AD=1
+				*	or The access is a data write and
+				*	   PKRU.WD=1 and either CR0.WP=1
+				*	   or it is a user access.
+				*
+				* The 2nd and 6th conditions are computed
+				* dynamically in permission_fault.
+				*/

It is not good as there are branches in the next patch.

However, i do not think we need a new byte index for PK. The conditions detecting PK enablement
can be fully found in current vcpu content (i.e, CR4, EFER and U/S access).

So you only need to extend permission to u32 and the highest two bits are used to indicate
PKEY got from guest pte.
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux