On 03/07/2016 08:43 AM, Andy Lutomirski wrote:
On Mon, Mar 7, 2016 at 7:30 AM, Rob Gardner <rob.gardner@xxxxxxxxxx> wrote:
On 03/07/2016 07:07 AM, Khalid Aziz wrote:
On 03/05/2016 09:07 PM, David Miller wrote:
From: Khalid Aziz <khalid.aziz@xxxxxxxxxx>
Date: Wed, 2 Mar 2016 13:39:37 -0700
In this
first implementation I am enabling ADI for hugepages only
since these pages are locked in memory and hence avoid the
issue of saving and restoring tags.
This makes the feature almost entire useless.
Non-hugepages must be in the initial implementation.
Hi David,
Thanks for the feedback. I will get this working for non-hugepages as
well. ADI state of each VMA region is already stored in the VMA itself in my
first implementation, so I do not lose it when the page is swapped out. The
trouble is ADI version tags for each VMA region have to be stored on the
swapped out pages since the ADI version tags are flushed when TLB entry for
a page is flushed.
Khalid,
Are you sure about that last statement? My understanding is that the tags
are stored in physical memory, and remain there until explicitly changed or
removed, and so flushing a TLB entry has no effect on the ADI tags. If it
worked the way you think, then somebody would have to potentially reload a
long list of ADI tags on every TLB miss.
I'll bite, since this was sent to linux-api:
Can someone explain what this feature does for the benefit of people
who haven't read the manual (and who don't even know where to find the
manual)?
Are the top few bits of a sparc64 virtual address currently
must-be-zero? Does this feature change the semantics so that those
bits are ignored for address resolution and instead must match
whatever the ADI tag is determined to be during address resolution?
Is this enforced for both user and kernel accesses?
Is the actual ADI tag associated with a "page" associated with the
page of physical memory or is it associated with a mapping? That is,
if there are two virtual aliases of the same physical page (in the
same process or otherwise), does the hardware require them to have the
same ADI tag? If the answer is no, then IMO this is definitely
something that should use mprotect and you should seriously consider
using something like mprotect_key (new syscall, not in Linus' tree
yet) for it. In fact, you might consider a possible extra parameter
to that syscall for this purpose.
Cc: Dave Hansen. It seems to be the zeitgeist to throw tag bits at
PTEs these days.
Hi Andy,
The primary purpose of this feature is to prevent rogue accesses to
memory regions. If a database were to allocate memory pages to cache
database, it can enable ADI on those pages and set version tags. Version
tag for a memory address is encoded in bits 63-60 in the virtual
address. When accessing an ADI enabled memory region, top 4 bits of the
virtual address presented to the MMU must match the version tag set
earlier. When these bits do not match a tag, an MCD (Memory Corruption
Detected) exception is raised. Kernel sends a SIGBUS to the offending
process in response. There is some more info on ADI at
<https://swisdev.oracle.com/_files/What-Is-ADI.html>.
Top 4-bits of sparc64 virtual address are used for version tag only when
a process has its PSTATE.mcde bit set and it is accessing a memory
region that has ADI enabled on it (TTE.mcd set) and a version tag was
set on the virtual address being accessed. These 4-bits retain their
original semantics in all other cases.
ADI version tags are checked for data fetches only. My implementation
enforces this for userspace addresses only. Expanding this to include
kernel data addresses as well will be a good thing to do to protect
kernel data but I want to try to do this incrementally - (1) ADI for
userspace addresses only for mlock'd pages, (2) expand support to
swappable pages, (3) ADI for kernel data pages, (4)......whatever else
makes sense...
ADI version tag applies to virtual addresses only. If two processes have
virtual addresses mapping to the same physical page, they must use the
same tag. Hardware will send MCD exception if the tags do not match.
This was done to ensure a hack does not bypass ADI protection by simply
inserting another VA-to-PA mapping. I do like the idea of mprotect() as
David suggested and it can be done with existing mprotect() call. I will
have to add a new key PROT_ADI to support this.
Thanks,
Khalid
--
To unsubscribe from this list: send the line "unsubscribe linux-arch" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html