| Message ID | 20230120074306.1326298-3-ajd@linux.ibm.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | pSeries dynamic secure boot secvar interface + platform keyring loading | expand |
Andrew Donnellan <ajd@linux.ibm.com> writes: > A number of structures and buffers passed to PKS hcalls have alignment > requirements, which could on occasion cause problems: > > - Authorisation structures must be 16-byte aligned and must not cross a > page boundary > > - Label structures must not cross page boundaries > > - Password output buffers must not cross page boundaries > > Round up the allocations of these structures/buffers to the next power of > 2 to make sure this happens. It's not the *next* power of 2, it's the *nearest* power of 2, including the initial value if it's already a power of 2. That in conjunction with slab's guarantee that power of 2 sized objects are naturally aligned, and that the relevant structs are smaller than a page, is what makes this actually work. So I think the patch is fine, but the change log and comments probably need to be a bit clearer. cheers > Reported-by: Benjamin Gray <bgray@linux.ibm.com> > Fixes: 2454a7af0f2a ("powerpc/pseries: define driver for Platform KeyStore") > Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com> > Reviewed-by: Russell Currey <ruscur@russell.cc> > Signed-off-by: Russell Currey <ruscur@russell.cc> > > --- > > v3: Merge plpks fixes and signed update series with secvar series > > v4: Fix typo in commit message > > Move up in series (npiggin) > --- > arch/powerpc/platforms/pseries/plpks.c | 10 +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > > diff --git a/arch/powerpc/platforms/pseries/plpks.c b/arch/powerpc/platforms/pseries/plpks.c > index 9e85b6d85b0b..a01cf2ff140a 100644 > --- a/arch/powerpc/platforms/pseries/plpks.c > +++ b/arch/powerpc/platforms/pseries/plpks.c > @@ -126,7 +126,8 @@ static int plpks_gen_password(void) > u8 *password, consumer = PKS_OS_OWNER; > int rc; > > - password = kzalloc(maxpwsize, GFP_KERNEL); > + // The password must not cross a page boundary, so we align to the next power of 2 > + password = kzalloc(roundup_pow_of_two(maxpwsize), GFP_KERNEL); > if (!password) > return -ENOMEM; > > @@ -162,7 +163,9 @@ static struct plpks_auth *construct_auth(u8 consumer) > if (consumer > PKS_OS_OWNER) > return ERR_PTR(-EINVAL); > > - auth = kzalloc(struct_size(auth, password, maxpwsize), GFP_KERNEL); > + // The auth structure must not cross a page boundary and must be > + // 16 byte aligned. We align to the next largest power of 2 > + auth = kzalloc(roundup_pow_of_two(struct_size(auth, password, maxpwsize)), GFP_KERNEL); > if (!auth) > return ERR_PTR(-ENOMEM); > > @@ -196,7 +199,8 @@ static struct label *construct_label(char *component, u8 varos, u8 *name, > if (component && slen > sizeof(label->attr.prefix)) > return ERR_PTR(-EINVAL); > > - label = kzalloc(sizeof(*label), GFP_KERNEL); > + // The label structure must not cross a page boundary, so we align to the next power of 2 > + label = kzalloc(roundup_pow_of_two(sizeof(*label)), GFP_KERNEL); > if (!label) > return ERR_PTR(-ENOMEM); > > -- > 2.39.0
On Thu, Jan 26, 2023 at 12:09:53AM +1100, Michael Ellerman wrote: > Andrew Donnellan <ajd@linux.ibm.com> writes: > > A number of structures and buffers passed to PKS hcalls have alignment > > requirements, which could on occasion cause problems: > > > > - Authorisation structures must be 16-byte aligned and must not cross a > > page boundary > > > > - Label structures must not cross page boundaries > > > > - Password output buffers must not cross page boundaries > > > > Round up the allocations of these structures/buffers to the next power of > > 2 to make sure this happens. > > It's not the *next* power of 2, it's the *nearest* power of 2, including > the initial value if it's already a power of 2. It's not the nearest either, the nearest power of two to 65 is 64. You could say "but, round up" to which I would say "round?" :-P "Adjust the allocation size to be the smallest power of two greater than or equal to the given size." "Pad to a power of two" in shorthand. "Padded to a power of two if necessary" if you want to emphasise it can be a no-op. Segher
From: Segher Boessenkool > Sent: 26 January 2023 17:19 > > On Thu, Jan 26, 2023 at 12:09:53AM +1100, Michael Ellerman wrote: > > Andrew Donnellan <ajd@linux.ibm.com> writes: > > > A number of structures and buffers passed to PKS hcalls have alignment > > > requirements, which could on occasion cause problems: > > > > > > - Authorisation structures must be 16-byte aligned and must not cross a > > > page boundary > > > > > > - Label structures must not cross page boundaries > > > > > > - Password output buffers must not cross page boundaries > > > > > > Round up the allocations of these structures/buffers to the next power of > > > 2 to make sure this happens. > > > > It's not the *next* power of 2, it's the *nearest* power of 2, including > > the initial value if it's already a power of 2. > > It's not the nearest either, the nearest power of two to 65 is 64. You > could say "but, round up" to which I would say "round?" :-P > > "Adjust the allocation size to be the smallest power of two greater than > or equal to the given size." > > "Pad to a power of two" in shorthand. "Padded to a power of two if > necessary" if you want to emphasise it can be a no-op. Changing the size to kzalloc() doesn't help. The alignment depends on the allocator and is only required to have a relatively small alignment (ARCH_MINALIGN?) regardless of the size. IIRC one of the allocators adds a small header to every item. It won't return 16 byte aligned items at all. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
On Thu, 2023-01-26 at 17:31 +0000, David Laight wrote: > Changing the size to kzalloc() doesn't help. > The alignment depends on the allocator and is only required to have > a relatively small alignment (ARCH_MINALIGN?) regardless of the size. > > IIRC one of the allocators adds a small header to every item. > It won't return 16 byte aligned items at all. I'm relying on the behaviour described in Documentation/core- api/memory-allocation.rst: The address of a chunk allocated with kmalloc is aligned to at least ARCH_KMALLOC_MINALIGN bytes. For sizes which are a power of two, the alignment is also guaranteed to be at least the respective size. Is this wrong? Andrew
From: Andrew Donnellan > Sent: 27 January 2023 03:21 > > On Thu, 2023-01-26 at 17:31 +0000, David Laight wrote: > > Changing the size to kzalloc() doesn't help. > > The alignment depends on the allocator and is only required to have > > a relatively small alignment (ARCH_MINALIGN?) regardless of the size. > > > > IIRC one of the allocators adds a small header to every item. > > It won't return 16 byte aligned items at all. > > I'm relying on the behaviour described in Documentation/core- > api/memory-allocation.rst: > > The address of a chunk allocated with kmalloc is aligned to at > least ARCH_KMALLOC_MINALIGN bytes. For sizes which are a power of > two, the alignment is also guaranteed to be at least the respective > size. > > Is this wrong? The alignment for power of two doesn't match what I've inferred from reading comments on other patches. It is true for dma_malloc_coherent() - that does guarantee that a 16k allocate will be aligned on a 16k physical address boundary. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
Segher Boessenkool <segher@kernel.crashing.org> writes: > On Thu, Jan 26, 2023 at 12:09:53AM +1100, Michael Ellerman wrote: >> Andrew Donnellan <ajd@linux.ibm.com> writes: >> > A number of structures and buffers passed to PKS hcalls have alignment >> > requirements, which could on occasion cause problems: >> > >> > - Authorisation structures must be 16-byte aligned and must not cross a >> > page boundary >> > >> > - Label structures must not cross page boundaries >> > >> > - Password output buffers must not cross page boundaries >> > >> > Round up the allocations of these structures/buffers to the next power of >> > 2 to make sure this happens. >> >> It's not the *next* power of 2, it's the *nearest* power of 2, including >> the initial value if it's already a power of 2. > > It's not the nearest either, the nearest power of two to 65 is 64. You > could say "but, round up" to which I would say "round?" :-P OK you got me there :) The function name makes it pretty clear that it will round *up* to the nearest power of 2 but you're right the comment should also make that clear. > "Adjust the allocation size to be the smallest power of two greater than > or equal to the given size." > > "Pad to a power of two" in shorthand. "Padded to a power of two if > necessary" if you want to emphasise it can be a no-op. The initial wording implied that it would always over-allocate so yes I think it's important to make it clear that it doesn't round up if it doesn't need to. cheers
Andrew Donnellan <ajd@linux.ibm.com> writes: > On Thu, 2023-01-26 at 17:31 +0000, David Laight wrote: >> Changing the size to kzalloc() doesn't help. >> The alignment depends on the allocator and is only required to have >> a relatively small alignment (ARCH_MINALIGN?) regardless of the size. >> >> IIRC one of the allocators adds a small header to every item. >> It won't return 16 byte aligned items at all. > > I'm relying on the behaviour described in Documentation/core- > api/memory-allocation.rst: > > The address of a chunk allocated with kmalloc is aligned to at > least ARCH_KMALLOC_MINALIGN bytes. For sizes which are a power of > two, the alignment is also guaranteed to be at least the respective > size. > > Is this wrong? I believe it's correct. For SLAB and SLUB it boils down to: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/mm/slab_common.c?commit=830b3c68c1fb1e9176028d02ef86f3cf76aa2476#n640 That's where the kmalloc slabs are created (see create_kmalloc_cache()) just below. If you create your own slab (with kmem_cache_create()) then the alignment is up to you, so that's why there's no power-of-2 logic in calculate_alignment(). And SLOB (which we don't use) does something similar: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/mm/slob.c?commit=830b3c68c1fb1e9176028d02ef86f3cf76aa2476#n493 cheers
diff --git a/arch/powerpc/platforms/pseries/plpks.c b/arch/powerpc/platforms/pseries/plpks.c index 9e85b6d85b0b..a01cf2ff140a 100644 --- a/arch/powerpc/platforms/pseries/plpks.c +++ b/arch/powerpc/platforms/pseries/plpks.c @@ -126,7 +126,8 @@ static int plpks_gen_password(void) u8 *password, consumer = PKS_OS_OWNER; int rc; - password = kzalloc(maxpwsize, GFP_KERNEL); + // The password must not cross a page boundary, so we align to the next power of 2 + password = kzalloc(roundup_pow_of_two(maxpwsize), GFP_KERNEL); if (!password) return -ENOMEM; @@ -162,7 +163,9 @@ static struct plpks_auth *construct_auth(u8 consumer) if (consumer > PKS_OS_OWNER) return ERR_PTR(-EINVAL); - auth = kzalloc(struct_size(auth, password, maxpwsize), GFP_KERNEL); + // The auth structure must not cross a page boundary and must be + // 16 byte aligned. We align to the next largest power of 2 + auth = kzalloc(roundup_pow_of_two(struct_size(auth, password, maxpwsize)), GFP_KERNEL); if (!auth) return ERR_PTR(-ENOMEM); @@ -196,7 +199,8 @@ static struct label *construct_label(char *component, u8 varos, u8 *name, if (component && slen > sizeof(label->attr.prefix)) return ERR_PTR(-EINVAL); - label = kzalloc(sizeof(*label), GFP_KERNEL); + // The label structure must not cross a page boundary, so we align to the next power of 2 + label = kzalloc(roundup_pow_of_two(sizeof(*label)), GFP_KERNEL); if (!label) return ERR_PTR(-ENOMEM);
A number of structures and buffers passed to PKS hcalls have alignment requirements, which could on occasion cause problems: - Authorisation structures must be 16-byte aligned and must not cross a page boundary - Label structures must not cross page boundaries - Password output buffers must not cross page boundaries Round up the allocations of these structures/buffers to the next power of 2 to make sure this happens. Reported-by: Benjamin Gray <bgray@linux.ibm.com> Fixes: 2454a7af0f2a ("powerpc/pseries: define driver for Platform KeyStore") Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com> Reviewed-by: Russell Currey <ruscur@russell.cc> Signed-off-by: Russell Currey <ruscur@russell.cc> --- v3: Merge plpks fixes and signed update series with secvar series v4: Fix typo in commit message Move up in series (npiggin) --- arch/powerpc/platforms/pseries/plpks.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-)