| Message ID | 0b294e74f06a0d6bee51efcd7b0eb1f20b00babe.1543903910.git.alison.schofield@intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Multi-Key Total Memory Encryption API (MKTME) | expand |
On Mon, Dec 03, 2018 at 11:39:56PM -0800, Alison Schofield wrote: > Memory encryption is only supported for mappings that are ANONYMOUS. > Test the entire range of VMA's in an encrypt_mprotect() request to > make sure they all meet that requirement before encrypting any. > > The encrypt_mprotect syscall will return -EINVAL and will not encrypt > any VMA's if this check fails. > > Signed-off-by: Alison Schofield <alison.schofield@intel.com> > Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> That SoB doesn't make sense; per the From you wrote the patch and signed off on it, wth is Kirill's SoB doing there? > diff --git a/mm/mprotect.c b/mm/mprotect.c > index ad8127dc9aac..f1c009409134 100644 > --- a/mm/mprotect.c > +++ b/mm/mprotect.c > @@ -345,6 +345,24 @@ static int prot_none_walk(struct vm_area_struct *vma, unsigned long start, > return walk_page_range(start, end, &prot_none_walk); > } > > +/* > + * Encrypted mprotect is only supported on anonymous mappings. > + * All VMA's in the requested range must be anonymous. If this > + * test fails on any single VMA, the entire mprotect request fails. > + */ > +bool mem_supports_encryption(struct vm_area_struct *vma, unsigned long end) That's a 'weird' interface and cannot do what the comment says it should do. > +{ > + struct vm_area_struct *test_vma = vma; That variable is utterly pointless. > + do { > + if (!vma_is_anonymous(test_vma)) > + return false; > + > + test_vma = test_vma->vm_next; > + } while (test_vma && test_vma->vm_start < end); > + return true; > +}
On Tue, Dec 04, 2018 at 10:10:44AM +0100, Peter Zijlstra wrote: > > + * Encrypted mprotect is only supported on anonymous mappings. > > + * All VMA's in the requested range must be anonymous. If this > > + * test fails on any single VMA, the entire mprotect request fails. > > + */ > > +bool mem_supports_encryption(struct vm_area_struct *vma, unsigned long end) > > That's a 'weird' interface and cannot do what the comment says it should > do. More please? With MKTME, only anonymous memory supports encryption. Is it the naming that's weird, or you don't see it doing what it says? > > + struct vm_area_struct *test_vma = vma; > > That variable is utterly pointless. Got it. Will fix. Thanks
On Tue, Dec 04, 2018 at 09:30:20PM -0800, Alison Schofield wrote: > On Tue, Dec 04, 2018 at 10:10:44AM +0100, Peter Zijlstra wrote: > > > + * Encrypted mprotect is only supported on anonymous mappings. > > > + * All VMA's in the requested range must be anonymous. If this > > > + * test fails on any single VMA, the entire mprotect request fails. > > > + */ > > > +bool mem_supports_encryption(struct vm_area_struct *vma, unsigned long end) > > > > That's a 'weird' interface and cannot do what the comment says it should > > do. > > More please? With MKTME, only anonymous memory supports encryption. > Is it the naming that's weird, or you don't see it doing what it says? It's weird because you don't fully speficy the range -- ie. it cannot verify the vma argument. It is also weird because the start and end are not of the same type -- or rather, there is no start at all. So while the comment talks about a range, there is not in fact a range (only the implied @start is somewhere inside @vma). The comment also states all vmas in the range, but again, because of a lack of range specification it cannot verify this statement. Now, I don't necessarily object to the function and its implementation, but that comment is just plain misleading.
diff --git a/mm/mprotect.c b/mm/mprotect.c index ad8127dc9aac..f1c009409134 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -345,6 +345,24 @@ static int prot_none_walk(struct vm_area_struct *vma, unsigned long start, return walk_page_range(start, end, &prot_none_walk); } +/* + * Encrypted mprotect is only supported on anonymous mappings. + * All VMA's in the requested range must be anonymous. If this + * test fails on any single VMA, the entire mprotect request fails. + */ +bool mem_supports_encryption(struct vm_area_struct *vma, unsigned long end) +{ + struct vm_area_struct *test_vma = vma; + + do { + if (!vma_is_anonymous(test_vma)) + return false; + + test_vma = test_vma->vm_next; + } while (test_vma && test_vma->vm_start < end); + return true; +} + int mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, unsigned long start, unsigned long end, unsigned long newflags, @@ -531,6 +549,12 @@ static int do_mprotect_ext(unsigned long start, size_t len, goto out; } } + + if (keyid > 0 && !mem_supports_encryption(vma, end)) { + error = -EINVAL; + goto out; + } + if (start > vma->vm_start) prev = vma;