[v33,10/21] mm: Introduce vm_ops->may_mprotect()

Message ID	20200617220844.57423-11-jarkko.sakkinen@linux.intel.com (mailing list archive)
State	Rejected
Headers	show Return-Path: <SRS0=OlnE=76=vger.kernel.org=linux-sgx-owner@kernel.org> Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3F4B092A for <patchwork-linux-sgx@patchwork.kernel.org>; Wed, 17 Jun 2020 22:11:32 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 32FE52184D for <patchwork-linux-sgx@patchwork.kernel.org>; Wed, 17 Jun 2020 22:11:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726758AbgFQWLb (ORCPT <rfc822;patchwork-linux-sgx@patchwork.kernel.org>); Wed, 17 Jun 2020 18:11:31 -0400 Received: from mga17.intel.com ([192.55.52.151]:6916 "EHLO mga17.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726912AbgFQWLb (ORCPT <rfc822;linux-sgx@vger.kernel.org>); Wed, 17 Jun 2020 18:11:31 -0400 IronPort-SDR: yYn3Nc1w/+VVd0t7+08lV9fQXaAeZwUEwXG5hGyyGg30wTGK9fOisRqoyetK3dxW1FW8T6H97s cdqT319xX15g== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga004.jf.intel.com ([10.7.209.38]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 17 Jun 2020 15:11:24 -0700 IronPort-SDR: pLQYGKgFWQ8Su9haHgmEGdu50iOt/t9dSdPbcXkBHhbL+PRijLT58DFEr1oAcJj91EKD/pRSSf q1X3Thwj2Ajw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.73,523,1583222400"; d="scan'208";a="421288292" Received: from ysharon1-mobl1.ger.corp.intel.com (HELO localhost) ([10.252.49.131]) by orsmga004.jf.intel.com with ESMTP; 17 Jun 2020 15:11:12 -0700 From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com> To: x86@kernel.org, linux-sgx@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Sean Christopherson <sean.j.christopherson@intel.com>, Jethro Beekman <jethro@fortanix.com>, Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>, akpm@linux-foundation.org, andriy.shevchenko@linux.intel.com, asapek@google.com, bp@alien8.de, cedric.xing@intel.com, chenalexchen@google.com, conradparker@google.com, cyhanish@google.com, dave.hansen@intel.com, haitao.huang@intel.com, josh@joshtriplett.org, kai.huang@intel.com, kai.svahn@intel.com, kmoy@google.com, ludloff@google.com, luto@kernel.org, nhorman@redhat.com, npmccallum@redhat.com, puiterwijk@redhat.com, rientjes@google.com, tglx@linutronix.de, yaozhangx@google.com Subject: [PATCH v33 10/21] mm: Introduce vm_ops->may_mprotect() Date: Thu, 18 Jun 2020 01:08:32 +0300 Message-Id: <20200617220844.57423-11-jarkko.sakkinen@linux.intel.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200617220844.57423-1-jarkko.sakkinen@linux.intel.com> References: <20200617220844.57423-1-jarkko.sakkinen@linux.intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-sgx-owner@vger.kernel.org Precedence: bulk List-ID: <linux-sgx.vger.kernel.org> X-Mailing-List: linux-sgx@vger.kernel.org
Series	Intel SGX foundations \| expand [v33,00/21] Intel SGX foundations [v33,01/21] x86/cpufeatures: x86/msr: Add Intel SGX hardware bits [v33,02/21] x86/cpufeatures: x86/msr: Add Intel SGX Launch Control hardware bits [v33,03/21] x86/mm: x86/sgx: Signal SIGSEGV with PF_SGX [v33,04/21] x86/sgx: Add SGX microarchitectural data structures [v33,05/21] x86/sgx: Add wrappers for ENCLS leaf functions [v33,06/21] x86/cpu/intel: Detect SGX support [v33,07/21] x86/cpu/intel: Add nosgx kernel parameter [v33,08/21] x86/sgx: Initialize metadata for Enclave Page Cache (EPC) sections [v33,09/21] x86/sgx: Add __sgx_alloc_epc_page() and sgx_free_epc_page() [v33,10/21] mm: Introduce vm_ops->may_mprotect() [v33,11/21] x86/sgx: Linux Enclave Driver [v33,12/21] x86/sgx: Allow a limited use of ATTRIBUTE.PROVISIONKEY for attestation [v33,13/21] x86/sgx: Add a page reclaimer [v33,14/21] x86/sgx: ptrace() support for the SGX driver [v33,15/21] x86/vdso: Add support for exception fixup in vDSO functions [v33,16/21] x86/fault: Add helper function to sanitize error code [v33,17/21] x86/traps: Attempt to fixup exceptions in vDSO before signaling [v33,18/21] x86/vdso: Implement a vDSO for Intel SGX enclave call [v33,19/21] selftests/x86: Add a selftest for SGX [v33,20/21] docs: x86/sgx: Document SGX micro architecture and kernel internals [v33,21/21] x86/sgx: Update MAINTAINERS

Jarkko Sakkinen June 17, 2020, 10:08 p.m. UTC

From: Sean Christopherson <sean.j.christopherson@intel.com>

Add vm_ops()->may_mprotect() to check additional constraints.

SGX uses this callback to add two constraints:

1. Verify that the address range does not have holes: for each page
   address, there is an actual enclave page created.
2. Mapped permissions do not surpass the lowest enclave page permissions
   in the address range.

linux-mm@kvack.org
Andrew Morton <akpm@linux-foundation.org>
Acked-by: Jethro Beekman <jethro@fortanix.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
---
 include/linux/mm.h |  2 ++
 mm/mprotect.c      | 14 +++++++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

Borislav Petkov June 25, 2020, 5:14 p.m. UTC | #1

On Thu, Jun 18, 2020 at 01:08:32AM +0300, Jarkko Sakkinen wrote:
> From: Sean Christopherson <sean.j.christopherson@intel.com>
> 
> Add vm_ops()->may_mprotect() to check additional constraints.
> 
> SGX uses this callback to add two constraints:
> 
> 1. Verify that the address range does not have holes: for each page
>    address, there is an actual enclave page created.
> 2. Mapped permissions do not surpass the lowest enclave page permissions
>    in the address range.
> 
> linux-mm@kvack.org
> Andrew Morton <akpm@linux-foundation.org>

Something ate the Cc:s. Lemme add the mm list, akpm is already on Cc.

Leaving in the rest for mm folks.

> Acked-by: Jethro Beekman <jethro@fortanix.com>
> Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> ---
>  include/linux/mm.h |  2 ++
>  mm/mprotect.c      | 14 +++++++++++---
>  2 files changed, 13 insertions(+), 3 deletions(-)
> 
> diff --git a/include/linux/mm.h b/include/linux/mm.h
> index dc7b87310c10..be40b9c29327 100644
> --- a/include/linux/mm.h
> +++ b/include/linux/mm.h
> @@ -542,6 +542,8 @@ struct vm_operations_struct {
>  	void (*close)(struct vm_area_struct * area);
>  	int (*split)(struct vm_area_struct * area, unsigned long addr);
>  	int (*mremap)(struct vm_area_struct * area);
> +	int (*may_mprotect)(struct vm_area_struct *vma, unsigned long start,
> +			    unsigned long end, unsigned long prot);
>  	vm_fault_t (*fault)(struct vm_fault *vmf);
>  	vm_fault_t (*huge_fault)(struct vm_fault *vmf,
>  			enum page_entry_size pe_size);
> diff --git a/mm/mprotect.c b/mm/mprotect.c
> index ce8b8a5eacbb..f7731dc13ff0 100644
> --- a/mm/mprotect.c
> +++ b/mm/mprotect.c
> @@ -603,13 +603,21 @@ static int do_mprotect_pkey(unsigned long start, size_t len,
>  			goto out;
>  		}
>  
> +		tmp = vma->vm_end;
> +		if (tmp > end)
> +			tmp = end;
> +
> +		if (vma->vm_ops && vma->vm_ops->may_mprotect) {
> +			error = vma->vm_ops->may_mprotect(vma, nstart, tmp,
> +							  prot);
> +			if (error)
> +				goto out;
> +		}
> +
>  		error = security_file_mprotect(vma, reqprot, prot);
>  		if (error)
>  			goto out;
>  
> -		tmp = vma->vm_end;
> -		if (tmp > end)
> -			tmp = end;
>  		error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
>  		if (error)
>  			goto out;
> -- 
> 2.25.1
>

Matthew Wilcox June 25, 2020, 5:30 p.m. UTC | #2

On Thu, Jun 25, 2020 at 07:14:16PM +0200, Borislav Petkov wrote:
> On Thu, Jun 18, 2020 at 01:08:32AM +0300, Jarkko Sakkinen wrote:
> > From: Sean Christopherson <sean.j.christopherson@intel.com>
> 
> Something ate the Cc:s. Lemme add the mm list, akpm is already on Cc.
> 
> Leaving in the rest for mm folks.

Thanks!

> > diff --git a/include/linux/mm.h b/include/linux/mm.h
> > index dc7b87310c10..be40b9c29327 100644
> > --- a/include/linux/mm.h
> > +++ b/include/linux/mm.h
> > @@ -542,6 +542,8 @@ struct vm_operations_struct {
> >  	void (*close)(struct vm_area_struct * area);
> >  	int (*split)(struct vm_area_struct * area, unsigned long addr);
> >  	int (*mremap)(struct vm_area_struct * area);
> > +	int (*may_mprotect)(struct vm_area_struct *vma, unsigned long start,
> > +			    unsigned long end, unsigned long prot);

This is unlike any other vm operation.  Every other one is a verb.

> > diff --git a/mm/mprotect.c b/mm/mprotect.c
> > index ce8b8a5eacbb..f7731dc13ff0 100644
> > --- a/mm/mprotect.c
> > +++ b/mm/mprotect.c
> > @@ -603,13 +603,21 @@ static int do_mprotect_pkey(unsigned long start, size_t len,
> >  			goto out;
> >  		}
> >  
> > +		tmp = vma->vm_end;
> > +		if (tmp > end)
> > +			tmp = end;
> > +
> > +		if (vma->vm_ops && vma->vm_ops->may_mprotect) {
> > +			error = vma->vm_ops->may_mprotect(vma, nstart, tmp,
> > +							  prot);
> > +			if (error)
> > +				goto out;
> > +		}
> > +
> >  		error = security_file_mprotect(vma, reqprot, prot);
> >  		if (error)
> >  			goto out;
> >  

I think the right way to do this is:

                error = security_file_mprotect(vma, reqprot, prot);
                if (error)
                        goto out;

                tmp = vma->vm_end;
                if (tmp > end)
                        tmp = end;
+		if (vma->vm_ops->mprotect)
+			error = vma->vm_ops->mprotect(vma, &prev, nstart, tmp,
+					newflags);
+		else
+			error = mprotect_fixup(vma, &prev, nstart, tmp,
+					newflags);
-               error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
                if (error)
                        goto out;

and then the vma owner can do whatever it needs to before calling
mprotect_fixup(), which is already not static.

(how did we get to v33 with this kind of problem still in the patch set?)

Sean Christopherson June 25, 2020, 6:06 p.m. UTC | #3

On Thu, Jun 25, 2020 at 06:30:50PM +0100, Matthew Wilcox wrote:
> On Thu, Jun 25, 2020 at 07:14:16PM +0200, Borislav Petkov wrote:
> > On Thu, Jun 18, 2020 at 01:08:32AM +0300, Jarkko Sakkinen wrote:
> > > diff --git a/mm/mprotect.c b/mm/mprotect.c
> > > index ce8b8a5eacbb..f7731dc13ff0 100644
> > > --- a/mm/mprotect.c
> > > +++ b/mm/mprotect.c
> > > @@ -603,13 +603,21 @@ static int do_mprotect_pkey(unsigned long start, size_t len,
> > >  			goto out;
> > >  		}
> > >  
> > > +		tmp = vma->vm_end;
> > > +		if (tmp > end)
> > > +			tmp = end;
> > > +
> > > +		if (vma->vm_ops && vma->vm_ops->may_mprotect) {
> > > +			error = vma->vm_ops->may_mprotect(vma, nstart, tmp,
> > > +							  prot);
> > > +			if (error)
> > > +				goto out;
> > > +		}
> > > +
> > >  		error = security_file_mprotect(vma, reqprot, prot);
> > >  		if (error)
> > >  			goto out;
> > >  
> 
> I think the right way to do this is:
> 
>                 error = security_file_mprotect(vma, reqprot, prot);
>                 if (error)
>                         goto out;
> 
>                 tmp = vma->vm_end;
>                 if (tmp > end)
>                         tmp = end;
> +		if (vma->vm_ops->mprotect)
> +			error = vma->vm_ops->mprotect(vma, &prev, nstart, tmp,
> +					newflags);
> +		else
> +			error = mprotect_fixup(vma, &prev, nstart, tmp,
> +					newflags);
> -               error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
>                 if (error)
>                         goto out;
> 
> and then the vma owner can do whatever it needs to before calling
> mprotect_fixup(), which is already not static.

I'm certainly not opposed to a straight ->mprotect() hook.  ->may_protect()
came about because I/we thought it would be less objectionable to allow the
vma owner to apply additional restrictions as opposed to a wholesale
replacement.

> (how did we get to v33 with this kind of problem still in the patch set?)

Because no one from the mm world has looked at it.  Which is completely
understandable because it's a giant patch set and the first 25 or so versions
were spent sorting out fundamental architectural/design issue (there have
been a _lot_ of speed bumps), e.g. the need for hooking mprotect() didn't
even come about until v21.

Jarkko Sakkinen June 25, 2020, 10:26 p.m. UTC | #4

On Thu, Jun 25, 2020 at 07:14:16PM +0200, Borislav Petkov wrote:
> On Thu, Jun 18, 2020 at 01:08:32AM +0300, Jarkko Sakkinen wrote:
> > From: Sean Christopherson <sean.j.christopherson@intel.com>
> > 
> > Add vm_ops()->may_mprotect() to check additional constraints.
> > 
> > SGX uses this callback to add two constraints:
> > 
> > 1. Verify that the address range does not have holes: for each page
> >    address, there is an actual enclave page created.
> > 2. Mapped permissions do not surpass the lowest enclave page permissions
> >    in the address range.
> > 
> > linux-mm@kvack.org
> > Andrew Morton <akpm@linux-foundation.org>
> 
> Something ate the Cc:s. Lemme add the mm list, akpm is already on Cc.
> 
> Leaving in the rest for mm folks.

Thank you. So it seems. I've fixed them now.

/Jarkko

Jarkko Sakkinen June 25, 2020, 10:40 p.m. UTC | #5

On Thu, Jun 25, 2020 at 11:06:46AM -0700, Sean Christopherson wrote:
> On Thu, Jun 25, 2020 at 06:30:50PM +0100, Matthew Wilcox wrote:
> > On Thu, Jun 25, 2020 at 07:14:16PM +0200, Borislav Petkov wrote:
> > > On Thu, Jun 18, 2020 at 01:08:32AM +0300, Jarkko Sakkinen wrote:
> > > > diff --git a/mm/mprotect.c b/mm/mprotect.c
> > > > index ce8b8a5eacbb..f7731dc13ff0 100644
> > > > --- a/mm/mprotect.c
> > > > +++ b/mm/mprotect.c
> > > > @@ -603,13 +603,21 @@ static int do_mprotect_pkey(unsigned long start, size_t len,
> > > >  			goto out;
> > > >  		}
> > > >  
> > > > +		tmp = vma->vm_end;
> > > > +		if (tmp > end)
> > > > +			tmp = end;
> > > > +
> > > > +		if (vma->vm_ops && vma->vm_ops->may_mprotect) {
> > > > +			error = vma->vm_ops->may_mprotect(vma, nstart, tmp,
> > > > +							  prot);
> > > > +			if (error)
> > > > +				goto out;
> > > > +		}
> > > > +
> > > >  		error = security_file_mprotect(vma, reqprot, prot);
> > > >  		if (error)
> > > >  			goto out;
> > > >  
> > 
> > I think the right way to do this is:
> > 
> >                 error = security_file_mprotect(vma, reqprot, prot);
> >                 if (error)
> >                         goto out;
> > 
> >                 tmp = vma->vm_end;
> >                 if (tmp > end)
> >                         tmp = end;
> > +		if (vma->vm_ops->mprotect)
> > +			error = vma->vm_ops->mprotect(vma, &prev, nstart, tmp,
> > +					newflags);
> > +		else
> > +			error = mprotect_fixup(vma, &prev, nstart, tmp,
> > +					newflags);
> > -               error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
> >                 if (error)
> >                         goto out;
> > 
> > and then the vma owner can do whatever it needs to before calling
> > mprotect_fixup(), which is already not static.
> 
> I'm certainly not opposed to a straight ->mprotect() hook.  ->may_protect()
> came about because I/we thought it would be less objectionable to allow the
> vma owner to apply additional restrictions as opposed to a wholesale
> replacement.

Can you send fixes to associated patches to linux-sgx (i.e. this and
driver)?

> > (how did we get to v33 with this kind of problem still in the patch set?)
> 
> Because no one from the mm world has looked at it.  Which is completely
> understandable because it's a giant patch set and the first 25 or so versions
> were spent sorting out fundamental architectural/design issue (there have
> been a _lot_ of speed bumps), e.g. the need for hooking mprotect() didn't
> even come about until v21.

Actually also because we did not have an explicit linux-mm CC.

/Jarkko

[v33,10/21] mm: Introduce vm_ops->may_mprotect()

Commit Message

Comments

Patch