On 10/25/24 01:31, Kevin Brodsky wrote:
> I agree, the naming is not ideal, I lacked inspiration! Maybe
> PKEY_REG_ALLOW_NONE to remain generic?
Works for me.
>>> static inline void __page_o_noops(void)
>>> {
>>> /* 8-bytes of instruction * 512 bytes = 1 page */
>>> diff --git a/tools/testing/selftests/mm/pkey_sighandler_tests.c b/tools/testing/selftests/mm/pkey_sighandler_tests.c
>>> index a8088b645ad6..b5e1767ee5d9 100644
>>> --- a/tools/testing/selftests/mm/pkey_sighandler_tests.c
>>> +++ b/tools/testing/selftests/mm/pkey_sighandler_tests.c
>>> @@ -37,6 +37,8 @@ pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
>>> pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
>>> siginfo_t siginfo = {0};
>>>
>>> +static u64 pkey_reg_no_access;
>> Ideally, this would be a real const or a #define because it really is
>> static. Right? Or is there something dynamic about the ARM
>> implementation's value?
>
> It isn't dynamic no, the issue is that on architectures where pkeys
> restrict execution we need to allow X for pkey 0. Of course it would be
> possible to define PKEY_REG_ALLOW_ALL in such a way that X is allowed
> for pkey 0, but I was concerned this might be misleading. No strong
> opinion either way, happy to make it purely a macro, maybe with a better
> name?
I do think we should differentiate truly "no access" value from the one
that allows X on pkey 0, at least in the selftest. Define a helper that
uses the *real* "no access" value:
/*
* Returns the most restrictive register value
* that can be used in the selftest.
*/
static inline u64 pkey_reg_restrictive_default(void)
{
/*
* The selftest code runs (mostly) with its code mapped with
* pkey-0. Allows execution on pkey-0 so that each site doesn't
* have to do this:
*/
return set_pkey_bits(PKEY_REG_NO_ACCESS, 0, PKEY_X);
}
and then use it like this:
pkey_reg = pkey_reg_restrictive_default();
pkey_reg = set_pkey_bits(pkey_reg, 1, PKEY_ALLOW_ALL);
>>> * Setup alternate signal stack, which should be pkey_mprotect()ed by
>>> @@ -142,7 +145,8 @@ static void *thread_segv_maperr_ptr(void *ptr)
>>> syscall_raw(SYS_sigaltstack, (long)stack, 0, 0, 0, 0, 0);
>>>
>>> /* Disable MPK 0. Only MPK 1 is enabled. */
>>> - __write_pkey_reg(0x55555551);
>>> + pkey_reg = set_pkey_bits(pkey_reg_no_access, 1, 0);
>>> + __write_pkey_reg(pkey_reg);
>> The existing magic numbers are not great, but could we do:
>>
>> #define PKEY_ALLOW_ALL 0x0
>>
>> So that this can be written like this:
>>
>> pkey_reg = PKRU_ALLOW_NONE;
>> pkey_reg = set_pkey_bits(pkey_reg, 1, PKEY_ALLOW_ALL);
>>
>> That would get rid of the magic '0'.
>
> Definitely better yes. But how about using Yury's uapi addition,
> PKEY_UNRESTRICTED [1]?
>
Works for me.
>> ...
>>> + /* Only allow X for MPK 0 and nothing for other keys */
>>> + pkey_reg_no_access = set_pkey_bits(PKEY_ALLOW_NONE, 0,
>>> + PKEY_DISABLE_ACCESS);
>> If the comment says "only allow X", then I'd expect the code to say:
>>
>> pkey_reg_no_access = set_pkey_bits(PKEY_ALLOW_NONE, 0, PKEY_X);
>>
>> ... or something similar.
>
> I could #define PKEY_X PKEY_DISABLE_ACCESS but is the mixture of
> negative and positive polarity really helping? We cannot define PKEY_R
> and PKEY_W so that (for instance) PKEY_R | PKEY_X does what it says.
> Having to use PKEY_DISABLE_ACCESS to mean "X only" is not ideal, but
> this is what userspace already has to do.
There would be some churn, but we could also convert the whole thing
over to just use explicit RWX enable bits, like in the
thread_segv_maperr_ptr() test:
// Truly turn everything off:
pkey_reg = PKEY_REG_NO_ACCESS;
pkey_reg = set_pkey_perm(pkey_reg, 1, PKEY_RW);
I'm not sure that's worth the churn though.
