From patchwork Fri Sep 7 22:36:51 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alison Schofield X-Patchwork-Id: 10592661 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EC43614E2 for ; Fri, 7 Sep 2018 22:36:13 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CCA072B2ED for ; Fri, 7 Sep 2018 22:36:13 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id BFDA72B3BD; Fri, 7 Sep 2018 22:36:13 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 750AA2B2D7 for ; Fri, 7 Sep 2018 22:36:12 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 8FFC98E0008; Fri, 7 Sep 2018 18:36:11 -0400 (EDT) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 8B1378E0001; Fri, 7 Sep 2018 18:36:11 -0400 (EDT) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 7C8088E0008; Fri, 7 Sep 2018 18:36:11 -0400 (EDT) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-pf1-f200.google.com (mail-pf1-f200.google.com [209.85.210.200]) by kanga.kvack.org (Postfix) with ESMTP id 38F288E0001 for ; Fri, 7 Sep 2018 18:36:11 -0400 (EDT) Received: by mail-pf1-f200.google.com with SMTP id d1-v6so8117349pfo.16 for ; Fri, 07 Sep 2018 15:36:11 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-original-authentication-results:x-gm-message-state:date:from:to :cc:subject:message-id:references:mime-version:content-disposition :in-reply-to:user-agent; bh=r4PlM5ewcOgry8zutqScRMTDTIZK5bl3b3+mmZmZtqQ=; b=YuYw0oMrOxfDkE1WSU1I6lzMe1EpsFf4nExLAFNrfO4dHkom7CeQ6v8VwPHzGA67aT tfEVPSIwYwE393RuTsCJhOhDbnTsIfIwxOcrY0HWcHP0Law4fO815T5ro1gPbc/mqMF4 4d7zx5BKrebXmRrYt9PPc0IA5GQU2/FTuep5XXIoWOyREwLcYZscWRgavggozdKGBPbp KWnfEJRgQcTJXU8w4TMGlaE23H01jb2B9AJx6SHrNKqztCm5G9ANZEcPie1PEifwcgSs FGdXDmJeaaqH1st5MXPL60fi6IcY9hqBPNWXHEcUAu904+ve9sdvN8P5kiK+t8hRWdva bC2g== X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of alison.schofield@intel.com designates 134.134.136.20 as permitted sender) smtp.mailfrom=alison.schofield@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com X-Gm-Message-State: APzg51Am5qNYnbPCjzmSooIS9ADwekQ+tU0N1NjTXGYIZkUhOL0WbhKw xpwHhrBueExj2/xsPWiK3GuVlrSjt+eJxKNRfV1ar9eNdj8njtVv4s30sPTA6yil1ZOoNPpNd8U jU0IfyqSNOZIf/FJXpC7hHXXPjTUT0V+enwvu6mEL81A8Ta/2E9N5vEImQnLzakWgig== X-Received: by 2002:a17:902:8697:: with SMTP id g23-v6mr10227208plo.292.1536359770886; Fri, 07 Sep 2018 15:36:10 -0700 (PDT) X-Google-Smtp-Source: ANB0VdaCJUKf2GJ+PL6prxc1NgM5ZDVUgz0R6J1bn3Aup6K2osx9+QNozTyv2xWY80fSpLDjbYr0 X-Received: by 2002:a17:902:8697:: with SMTP id g23-v6mr10227169plo.292.1536359769776; Fri, 07 Sep 2018 15:36:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536359769; cv=none; d=google.com; s=arc-20160816; b=BpWUCbUwAPDxxVUgVRYAse6r2R6eCeO965xwyiwLLKnc/SAp0jhZs6f+vAwW+Jvdac vPyEIVyi0a+wzdmPGWzb3nQ71enB4TcUvf+5qMpBp4UiubL+DtpK6eoRILLVdbGiuiAF hpA+irvCxg/MczT/5GCIzaI+dclXHTTznyd8wJivY7ZKMqt5GQ5qB2liCOsDQmh+fda2 QiMtOPobk+Tu1Zu6cncUSxibQVktzk9l6P028sI8/SsVoVDrt68LNgk5tDmZ8LXhUnYD 3qbPnkNo4CqqZWIsI1Wcl499k1q0nNBko2jJXU/fOHCB19UXQafmKta7fGNnCOfKBGRr VG5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=user-agent:in-reply-to:content-disposition:mime-version:references :message-id:subject:cc:to:from:date; bh=r4PlM5ewcOgry8zutqScRMTDTIZK5bl3b3+mmZmZtqQ=; b=hVAFyKAdNS8I+l3EK2wS95BcF7ewJH9jzHk+p3XP4CfOxOCC3B4I17n4sYJNaxP8LT H03CVjvmgw6dr51Z+h2JgvDJVg89tktiUNNWjrDZaYof87blK4kCjuMwJLW4NJTK0Mqo IrlHIxuoQELRgCQecUu32LpehbfwbmfPbvtVz+gqCPIjLGHWI8UmfLFXpJ3Dr+mush0i 1Lbjx2PNfTNHyflvkEtZDcWqYoJ4CdVWvSPQHLr7l7wzc51iVft7qDmwUCxzEfe77D3T GjwxLjEHXLGKvXa20RzMHMU4vigejWNnd5ss8/DwEzN/e+AXxbv9KbpZDlsGJ5Hz7Kg8 HorA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of alison.schofield@intel.com designates 134.134.136.20 as permitted sender) smtp.mailfrom=alison.schofield@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from mga02.intel.com (mga02.intel.com. [134.134.136.20]) by mx.google.com with ESMTPS id 1-v6si8956466plz.220.2018.09.07.15.36.09 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 07 Sep 2018 15:36:09 -0700 (PDT) Received-SPF: pass (google.com: domain of alison.schofield@intel.com designates 134.134.136.20 as permitted sender) client-ip=134.134.136.20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of alison.schofield@intel.com designates 134.134.136.20 as permitted sender) smtp.mailfrom=alison.schofield@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com X-Amp-Result: UNSCANNABLE X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Sep 2018 15:36:09 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.53,344,1531810800"; d="scan'208";a="260816008" Received: from alison-desk.jf.intel.com ([10.54.74.53]) by fmsmga005.fm.intel.com with ESMTP; 07 Sep 2018 15:36:08 -0700 Date: Fri, 7 Sep 2018 15:36:51 -0700 From: Alison Schofield To: dhowells@redhat.com, tglx@linutronix.de Cc: Kai Huang , Jun Nakajima , Kirill Shutemov , Dave Hansen , Jarkko Sakkinen , jmorris@namei.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-mm@kvack.org Subject: [RFC 06/12] mm: Add the encrypt_mprotect() system call Message-ID: <7d27511b07c8337e15096214622b66ef8f0fa345.1536356108.git.alison.schofield@intel.com> References: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Implement memory encryption with a new system call that is an extension of the legacy mprotect() system call. In encrypt_mprotect the caller must pass a handle to a previously allocated and programmed encryption key. Validate the key and store the keyid bits in the vm_page_prot for each VMA in the protection range. Signed-off-by: Alison Schofield --- fs/exec.c | 4 ++-- include/linux/key.h | 2 ++ include/linux/mm.h | 3 ++- mm/mprotect.c | 67 ++++++++++++++++++++++++++++++++++++++++++++++++----- 4 files changed, 67 insertions(+), 9 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index a1a246062561..b681a413db9c 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -754,8 +754,8 @@ int setup_arg_pages(struct linux_binprm *bprm, vm_flags |= mm->def_flags; vm_flags |= VM_STACK_INCOMPLETE_SETUP; - ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end, - vm_flags); + ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end, vm_flags, + -1); if (ret) goto out_unlock; BUG_ON(prev != vma); diff --git a/include/linux/key.h b/include/linux/key.h index e58ee10f6e58..fb8a7d5f6149 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -346,6 +346,8 @@ static inline key_serial_t key_serial(const struct key *key) extern void key_set_timeout(struct key *, unsigned); +extern key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, + key_perm_t perm); /* * The permissions required on a key that we're looking up. */ diff --git a/include/linux/mm.h b/include/linux/mm.h index ac85c0805761..0f9422c7841e 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -1579,7 +1579,8 @@ extern unsigned long change_protection(struct vm_area_struct *vma, unsigned long int dirty_accountable, int prot_numa); extern int mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, unsigned long start, - unsigned long end, unsigned long newflags); + unsigned long end, unsigned long newflags, + int newkeyid); /* * doesn't attempt to fault and will return short. diff --git a/mm/mprotect.c b/mm/mprotect.c index 56e64ef7931e..6c2e1106525c 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -28,14 +28,17 @@ #include #include #include +#include #include #include #include #include +#include #include "internal.h" #define NO_PKEY -1 +#define NO_KEYID -1 static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, unsigned long addr, unsigned long end, pgprot_t newprot, @@ -310,7 +313,8 @@ unsigned long change_protection(struct vm_area_struct *vma, unsigned long start, int mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, - unsigned long start, unsigned long end, unsigned long newflags) + unsigned long start, unsigned long end, unsigned long newflags, + int newkeyid) { struct mm_struct *mm = vma->vm_mm; unsigned long oldflags = vma->vm_flags; @@ -320,10 +324,24 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, int error; int dirty_accountable = 0; + /* + * Flags match and Keyids match or we have NO_KEYID. + * This _fixup is usually called from do_mprotect_ext() except + * for one special case: caller fs/exec.c/setup_arg_pages() + * In that case, newkeyid is passed as -1 (NO_KEYID). + */ + if (newflags == oldflags && + (newkeyid == vma_keyid(vma) || newkeyid == NO_KEYID)) { + *pprev = vma; + return 0; + } + /* Flags match and Keyid changes */ if (newflags == oldflags) { + mprotect_set_encrypt(vma, newkeyid); *pprev = vma; return 0; } + /* Flags and Keyids both change, continue. */ /* * If we make a private mapping writable we increase our commit; @@ -373,6 +391,8 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, } success: + if (newkeyid != NO_KEYID) + mprotect_set_encrypt(vma, newkeyid); /* * vm_flags and vm_page_prot are protected by the mmap_sem * held in write mode. @@ -404,10 +424,15 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, } /* - * When pkey==NO_PKEY we get legacy mprotect behavior here. + * do_mprotect_ext() supports the legacy mprotect behavior plus extensions + * for protection keys and memory encryption keys. These extensions are + * mutually exclusive and the behavior is: + * (pkey==NO_PKEY && keyid==NO_KEYID) ==> legacy mprotect + * (pkey is valid) ==> legacy mprotect plus protection key extensions + * (keyid is valid) ==> legacy mprotect plus encryption key extensions */ static int do_mprotect_ext(unsigned long start, size_t len, - unsigned long prot, int pkey) + unsigned long prot, int pkey, int keyid) { unsigned long nstart, end, tmp, reqprot; struct vm_area_struct *vma, *prev; @@ -505,7 +530,8 @@ static int do_mprotect_ext(unsigned long start, size_t len, tmp = vma->vm_end; if (tmp > end) tmp = end; - error = mprotect_fixup(vma, &prev, nstart, tmp, newflags); + error = mprotect_fixup(vma, &prev, nstart, tmp, newflags, + keyid); if (error) goto out; nstart = tmp; @@ -530,7 +556,7 @@ static int do_mprotect_ext(unsigned long start, size_t len, SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len, unsigned long, prot) { - return do_mprotect_ext(start, len, prot, NO_PKEY); + return do_mprotect_ext(start, len, prot, NO_PKEY, NO_KEYID); } #ifdef CONFIG_ARCH_HAS_PKEYS @@ -538,7 +564,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len, SYSCALL_DEFINE4(pkey_mprotect, unsigned long, start, size_t, len, unsigned long, prot, int, pkey) { - return do_mprotect_ext(start, len, prot, pkey); + return do_mprotect_ext(start, len, prot, pkey, NO_KEYID); } SYSCALL_DEFINE2(pkey_alloc, unsigned long, flags, unsigned long, init_val) @@ -587,3 +613,32 @@ SYSCALL_DEFINE1(pkey_free, int, pkey) } #endif /* CONFIG_ARCH_HAS_PKEYS */ + +#ifdef CONFIG_X86_INTEL_MKTME + +SYSCALL_DEFINE4(encrypt_mprotect, unsigned long, start, size_t, len, + unsigned long, prot, key_serial_t, serial) +{ + key_ref_t key_ref; + int ret, keyid; + + /* TODO MKTME key service must be initialized */ + + key_ref = lookup_user_key(serial, 0, KEY_NEED_VIEW); + if (IS_ERR(key_ref)) + return PTR_ERR(key_ref); + + mktme_map_lock(); + keyid = mktme_map_keyid_from_serial(serial); + if (!keyid) { + mktme_map_unlock(); + key_ref_put(key_ref); + return -EINVAL; + } + ret = do_mprotect_ext(start, len, prot, NO_PKEY, keyid); + mktme_map_unlock(); + key_ref_put(key_ref); + return ret; +} + +#endif /* CONFIG_X86_INTEL_MKTME */