On 25/10/2024 17:09, Dave Hansen wrote:
> [...]
>>>> static inline void __page_o_noops(void)
>>>> {
>>>> /* 8-bytes of instruction * 512 bytes = 1 page */
>>>> diff --git a/tools/testing/selftests/mm/pkey_sighandler_tests.c b/tools/testing/selftests/mm/pkey_sighandler_tests.c
>>>> index a8088b645ad6..b5e1767ee5d9 100644
>>>> --- a/tools/testing/selftests/mm/pkey_sighandler_tests.c
>>>> +++ b/tools/testing/selftests/mm/pkey_sighandler_tests.c
>>>> @@ -37,6 +37,8 @@ pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
>>>> pthread_cond_t cond = PTHREAD_COND_INITIALIZER;
>>>> siginfo_t siginfo = {0};
>>>>
>>>> +static u64 pkey_reg_no_access;
>>> Ideally, this would be a real const or a #define because it really is
>>> static. Right? Or is there something dynamic about the ARM
>>> implementation's value?
>> It isn't dynamic no, the issue is that on architectures where pkeys
>> restrict execution we need to allow X for pkey 0. Of course it would be
>> possible to define PKEY_REG_ALLOW_ALL in such a way that X is allowed
>> for pkey 0, but I was concerned this might be misleading. No strong
>> opinion either way, happy to make it purely a macro, maybe with a better
>> name?
> I do think we should differentiate truly "no access" value from the one
> that allows X on pkey 0, at least in the selftest. Define a helper that
> uses the *real* "no access" value:
>
> /*
> * Returns the most restrictive register value
> * that can be used in the selftest.
> */
> static inline u64 pkey_reg_restrictive_default(void)
> {
> /*
> * The selftest code runs (mostly) with its code mapped with
> * pkey-0. Allows execution on pkey-0 so that each site doesn't
> * have to do this:
> */
> return set_pkey_bits(PKEY_REG_NO_ACCESS, 0, PKEY_X);
> }
>
> and then use it like this:
>
> pkey_reg = pkey_reg_restrictive_default();
> pkey_reg = set_pkey_bits(pkey_reg, 1, PKEY_ALLOW_ALL);
Didn't think of introducing a helper, that looks good, thanks! Inlining
and optimisations should be able to reduce the call to a constant,
another win compared to using a global. Will go for that in v3.
> [...]
>>> ...
>>>> + /* Only allow X for MPK 0 and nothing for other keys */
>>>> + pkey_reg_no_access = set_pkey_bits(PKEY_ALLOW_NONE, 0,
>>>> + PKEY_DISABLE_ACCESS);
>>> If the comment says "only allow X", then I'd expect the code to say:
>>>
>>> pkey_reg_no_access = set_pkey_bits(PKEY_ALLOW_NONE, 0, PKEY_X);
>>>
>>> ... or something similar.
>> I could #define PKEY_X PKEY_DISABLE_ACCESS but is the mixture of
>> negative and positive polarity really helping? We cannot define PKEY_R
>> and PKEY_W so that (for instance) PKEY_R | PKEY_X does what it says.
>> Having to use PKEY_DISABLE_ACCESS to mean "X only" is not ideal, but
>> this is what userspace already has to do.
> There would be some churn, but we could also convert the whole thing
> over to just use explicit RWX enable bits, like in the
> thread_segv_maperr_ptr() test:
>
> // Truly turn everything off:
> pkey_reg = PKEY_REG_NO_ACCESS;
> pkey_reg = set_pkey_perm(pkey_reg, 1, PKEY_RW);
I suppose that not granting X permission for pkey 1 would make sense,
but since we don't have anything mapped with PROT_EXEC and pkey 1 the
benefits are minimal.
> I'm not sure that's worth the churn though.
I'm not convinced either. I'd rather keep using the standard uapi
macros, even though they can be confusing (but they at least combine in
the way you'd expect).
Kevin
