From patchwork Fri Sep  7 22:36:51 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Alison Schofield <alison.schofield@intel.com>
X-Patchwork-Id: 10592661
Return-Path: <owner-linux-mm@kvack.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EC43614E2
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Fri,  7 Sep 2018 22:36:13 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CCA072B2ED
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Fri,  7 Sep 2018 22:36:13 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id BFDA72B3BD; Fri,  7 Sep 2018 22:36:13 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 750AA2B2D7
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Fri,  7 Sep 2018 22:36:12 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 8FFC98E0008; Fri,  7 Sep 2018 18:36:11 -0400 (EDT)
Delivered-To: linux-mm-outgoing@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 8B1378E0001; Fri,  7 Sep 2018 18:36:11 -0400 (EDT)
X-Original-To: int-list-linux-mm@kvack.org
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 7C8088E0008; Fri,  7 Sep 2018 18:36:11 -0400 (EDT)
X-Original-To: linux-mm@kvack.org
X-Delivered-To: linux-mm@kvack.org
Received: from mail-pf1-f200.google.com (mail-pf1-f200.google.com
 [209.85.210.200])
	by kanga.kvack.org (Postfix) with ESMTP id 38F288E0001
	for <linux-mm@kvack.org>; Fri,  7 Sep 2018 18:36:11 -0400 (EDT)
Received: by mail-pf1-f200.google.com with SMTP id d1-v6so8117349pfo.16
        for <linux-mm@kvack.org>; Fri, 07 Sep 2018 15:36:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-original-authentication-results:x-gm-message-state:date:from:to
         :cc:subject:message-id:references:mime-version:content-disposition
         :in-reply-to:user-agent;
        bh=r4PlM5ewcOgry8zutqScRMTDTIZK5bl3b3+mmZmZtqQ=;
        b=YuYw0oMrOxfDkE1WSU1I6lzMe1EpsFf4nExLAFNrfO4dHkom7CeQ6v8VwPHzGA67aT
         tfEVPSIwYwE393RuTsCJhOhDbnTsIfIwxOcrY0HWcHP0Law4fO815T5ro1gPbc/mqMF4
         4d7zx5BKrebXmRrYt9PPc0IA5GQU2/FTuep5XXIoWOyREwLcYZscWRgavggozdKGBPbp
         KWnfEJRgQcTJXU8w4TMGlaE23H01jb2B9AJx6SHrNKqztCm5G9ANZEcPie1PEifwcgSs
         FGdXDmJeaaqH1st5MXPL60fi6IcY9hqBPNWXHEcUAu904+ve9sdvN8P5kiK+t8hRWdva
         bC2g==
X-Original-Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of alison.schofield@intel.com designates
 134.134.136.20 as permitted sender) smtp.mailfrom=alison.schofield@intel.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
X-Gm-Message-State: APzg51Am5qNYnbPCjzmSooIS9ADwekQ+tU0N1NjTXGYIZkUhOL0WbhKw
	xpwHhrBueExj2/xsPWiK3GuVlrSjt+eJxKNRfV1ar9eNdj8njtVv4s30sPTA6yil1ZOoNPpNd8U
	jU0IfyqSNOZIf/FJXpC7hHXXPjTUT0V+enwvu6mEL81A8Ta/2E9N5vEImQnLzakWgig==
X-Received: by 2002:a17:902:8697:: with SMTP id
 g23-v6mr10227208plo.292.1536359770886;
        Fri, 07 Sep 2018 15:36:10 -0700 (PDT)
X-Google-Smtp-Source: 
 ANB0VdaCJUKf2GJ+PL6prxc1NgM5ZDVUgz0R6J1bn3Aup6K2osx9+QNozTyv2xWY80fSpLDjbYr0
X-Received: by 2002:a17:902:8697:: with SMTP id
 g23-v6mr10227169plo.292.1536359769776;
        Fri, 07 Sep 2018 15:36:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1536359769; cv=none;
        d=google.com; s=arc-20160816;
        b=BpWUCbUwAPDxxVUgVRYAse6r2R6eCeO965xwyiwLLKnc/SAp0jhZs6f+vAwW+Jvdac
         vPyEIVyi0a+wzdmPGWzb3nQ71enB4TcUvf+5qMpBp4UiubL+DtpK6eoRILLVdbGiuiAF
         hpA+irvCxg/MczT/5GCIzaI+dclXHTTznyd8wJivY7ZKMqt5GQ5qB2liCOsDQmh+fda2
         QiMtOPobk+Tu1Zu6cncUSxibQVktzk9l6P028sI8/SsVoVDrt68LNgk5tDmZ8LXhUnYD
         3qbPnkNo4CqqZWIsI1Wcl499k1q0nNBko2jJXU/fOHCB19UXQafmKta7fGNnCOfKBGRr
         VG5g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=user-agent:in-reply-to:content-disposition:mime-version:references
         :message-id:subject:cc:to:from:date;
        bh=r4PlM5ewcOgry8zutqScRMTDTIZK5bl3b3+mmZmZtqQ=;
        b=hVAFyKAdNS8I+l3EK2wS95BcF7ewJH9jzHk+p3XP4CfOxOCC3B4I17n4sYJNaxP8LT
         H03CVjvmgw6dr51Z+h2JgvDJVg89tktiUNNWjrDZaYof87blK4kCjuMwJLW4NJTK0Mqo
         IrlHIxuoQELRgCQecUu32LpehbfwbmfPbvtVz+gqCPIjLGHWI8UmfLFXpJ3Dr+mush0i
         1Lbjx2PNfTNHyflvkEtZDcWqYoJ4CdVWvSPQHLr7l7wzc51iVft7qDmwUCxzEfe77D3T
         GjwxLjEHXLGKvXa20RzMHMU4vigejWNnd5ss8/DwEzN/e+AXxbv9KbpZDlsGJ5Hz7Kg8
         HorA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of alison.schofield@intel.com designates
 134.134.136.20 as permitted sender) smtp.mailfrom=alison.schofield@intel.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from mga02.intel.com (mga02.intel.com. [134.134.136.20])
        by mx.google.com with ESMTPS id
 1-v6si8956466plz.220.2018.09.07.15.36.09
        for <linux-mm@kvack.org>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 07 Sep 2018 15:36:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of alison.schofield@intel.com
 designates 134.134.136.20 as permitted sender) client-ip=134.134.136.20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of alison.schofield@intel.com designates
 134.134.136.20 as permitted sender) smtp.mailfrom=alison.schofield@intel.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
X-Amp-Result: UNSCANNABLE
X-Amp-File-Uploaded: False
Received: from fmsmga005.fm.intel.com ([10.253.24.32])
  by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 07 Sep 2018 15:36:09 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.53,344,1531810800";
   d="scan'208";a="260816008"
Received: from alison-desk.jf.intel.com ([10.54.74.53])
  by fmsmga005.fm.intel.com with ESMTP; 07 Sep 2018 15:36:08 -0700
Date: Fri, 7 Sep 2018 15:36:51 -0700
From: Alison Schofield <alison.schofield@intel.com>
To: dhowells@redhat.com, tglx@linutronix.de
Cc: Kai Huang <kai.huang@intel.com>, Jun Nakajima <jun.nakajima@intel.com>,
	Kirill Shutemov <kirill.shutemov@intel.com>,
	Dave Hansen <dave.hansen@intel.com>,
	Jarkko Sakkinen <jarkko.sakkinen@intel.com>, jmorris@namei.org,
	keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
	mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-mm@kvack.org
Subject: [RFC 06/12] mm: Add the encrypt_mprotect() system call
Message-ID: 
 <7d27511b07c8337e15096214622b66ef8f0fa345.1536356108.git.alison.schofield@intel.com>
References: <cover.1536356108.git.alison.schofield@intel.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <cover.1536356108.git.alison.schofield@intel.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
X-Virus-Scanned: ClamAV using ClamSMTP

Implement memory encryption with a new system call that is an
extension of the legacy mprotect() system call.

In encrypt_mprotect the caller must pass a handle to a previously
allocated and programmed encryption key. Validate the key and store
the keyid bits in the vm_page_prot for each VMA in the protection
range.

Signed-off-by: Alison Schofield <alison.schofield@intel.com>
---
 fs/exec.c           |  4 ++--
 include/linux/key.h |  2 ++
 include/linux/mm.h  |  3 ++-
 mm/mprotect.c       | 67 ++++++++++++++++++++++++++++++++++++++++++++++++-----
 4 files changed, 67 insertions(+), 9 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index a1a246062561..b681a413db9c 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -754,8 +754,8 @@ int setup_arg_pages(struct linux_binprm *bprm,
 	vm_flags |= mm->def_flags;
 	vm_flags |= VM_STACK_INCOMPLETE_SETUP;
 
-	ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
-			vm_flags);
+	ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end, vm_flags,
+			     -1);
 	if (ret)
 		goto out_unlock;
 	BUG_ON(prev != vma);
diff --git a/include/linux/key.h b/include/linux/key.h
index e58ee10f6e58..fb8a7d5f6149 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -346,6 +346,8 @@ static inline key_serial_t key_serial(const struct key *key)
 
 extern void key_set_timeout(struct key *, unsigned);
 
+extern key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags,
+				 key_perm_t perm);
 /*
  * The permissions required on a key that we're looking up.
  */
diff --git a/include/linux/mm.h b/include/linux/mm.h
index ac85c0805761..0f9422c7841e 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1579,7 +1579,8 @@ extern unsigned long change_protection(struct vm_area_struct *vma, unsigned long
 			      int dirty_accountable, int prot_numa);
 extern int mprotect_fixup(struct vm_area_struct *vma,
 			  struct vm_area_struct **pprev, unsigned long start,
-			  unsigned long end, unsigned long newflags);
+			  unsigned long end, unsigned long newflags,
+			  int newkeyid);
 
 /*
  * doesn't attempt to fault and will return short.
diff --git a/mm/mprotect.c b/mm/mprotect.c
index 56e64ef7931e..6c2e1106525c 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -28,14 +28,17 @@
 #include <linux/ksm.h>
 #include <linux/uaccess.h>
 #include <linux/mm_inline.h>
+#include <linux/key.h>
 #include <asm/pgtable.h>
 #include <asm/cacheflush.h>
 #include <asm/mmu_context.h>
 #include <asm/tlbflush.h>
+#include <asm/mktme.h>
 
 #include "internal.h"
 
 #define NO_PKEY  -1
+#define NO_KEYID -1
 
 static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd,
 		unsigned long addr, unsigned long end, pgprot_t newprot,
@@ -310,7 +313,8 @@ unsigned long change_protection(struct vm_area_struct *vma, unsigned long start,
 
 int
 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
-	unsigned long start, unsigned long end, unsigned long newflags)
+	       unsigned long start, unsigned long end, unsigned long newflags,
+	       int newkeyid)
 {
 	struct mm_struct *mm = vma->vm_mm;
 	unsigned long oldflags = vma->vm_flags;
@@ -320,10 +324,24 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
 	int error;
 	int dirty_accountable = 0;
 
+	/*
+	 * Flags match and Keyids match or we have NO_KEYID.
+	 * This _fixup is usually called from do_mprotect_ext() except
+	 * for one special case: caller fs/exec.c/setup_arg_pages()
+	 * In that case, newkeyid is passed as -1 (NO_KEYID).
+	 */
+	if (newflags == oldflags &&
+	    (newkeyid == vma_keyid(vma) || newkeyid == NO_KEYID)) {
+		*pprev = vma;
+		return 0;
+	}
+	/* Flags match and Keyid changes */
 	if (newflags == oldflags) {
+		mprotect_set_encrypt(vma, newkeyid);
 		*pprev = vma;
 		return 0;
 	}
+	/* Flags and Keyids both change, continue. */
 
 	/*
 	 * If we make a private mapping writable we increase our commit;
@@ -373,6 +391,8 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
 	}
 
 success:
+	if (newkeyid != NO_KEYID)
+		mprotect_set_encrypt(vma, newkeyid);
 	/*
 	 * vm_flags and vm_page_prot are protected by the mmap_sem
 	 * held in write mode.
@@ -404,10 +424,15 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
 }
 
 /*
- * When pkey==NO_PKEY we get legacy mprotect behavior here.
+ * do_mprotect_ext() supports the legacy mprotect behavior plus extensions
+ * for protection keys and memory encryption keys. These extensions are
+ * mutually exclusive and the behavior is:
+ *	(pkey==NO_PKEY && keyid==NO_KEYID) ==> legacy mprotect
+ *	(pkey is valid)  ==> legacy mprotect plus protection key extensions
+ *	(keyid is valid) ==> legacy mprotect plus encryption key extensions
  */
 static int do_mprotect_ext(unsigned long start, size_t len,
-		unsigned long prot, int pkey)
+			   unsigned long prot, int pkey, int keyid)
 {
 	unsigned long nstart, end, tmp, reqprot;
 	struct vm_area_struct *vma, *prev;
@@ -505,7 +530,8 @@ static int do_mprotect_ext(unsigned long start, size_t len,
 		tmp = vma->vm_end;
 		if (tmp > end)
 			tmp = end;
-		error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
+		error = mprotect_fixup(vma, &prev, nstart, tmp, newflags,
+				       keyid);
 		if (error)
 			goto out;
 		nstart = tmp;
@@ -530,7 +556,7 @@ static int do_mprotect_ext(unsigned long start, size_t len,
 SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
 		unsigned long, prot)
 {
-	return do_mprotect_ext(start, len, prot, NO_PKEY);
+	return do_mprotect_ext(start, len, prot, NO_PKEY, NO_KEYID);
 }
 
 #ifdef CONFIG_ARCH_HAS_PKEYS
@@ -538,7 +564,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
 SYSCALL_DEFINE4(pkey_mprotect, unsigned long, start, size_t, len,
 		unsigned long, prot, int, pkey)
 {
-	return do_mprotect_ext(start, len, prot, pkey);
+	return do_mprotect_ext(start, len, prot, pkey, NO_KEYID);
 }
 
 SYSCALL_DEFINE2(pkey_alloc, unsigned long, flags, unsigned long, init_val)
@@ -587,3 +613,32 @@ SYSCALL_DEFINE1(pkey_free, int, pkey)
 }
 
 #endif /* CONFIG_ARCH_HAS_PKEYS */
+
+#ifdef CONFIG_X86_INTEL_MKTME
+
+SYSCALL_DEFINE4(encrypt_mprotect, unsigned long, start, size_t, len,
+		unsigned long, prot, key_serial_t, serial)
+{
+	key_ref_t key_ref;
+	int ret, keyid;
+
+	/* TODO MKTME key service must be initialized */
+
+	key_ref = lookup_user_key(serial, 0, KEY_NEED_VIEW);
+	if (IS_ERR(key_ref))
+		return PTR_ERR(key_ref);
+
+	mktme_map_lock();
+	keyid = mktme_map_keyid_from_serial(serial);
+	if (!keyid) {
+		mktme_map_unlock();
+		key_ref_put(key_ref);
+		return -EINVAL;
+	}
+	ret = do_mprotect_ext(start, len, prot, NO_PKEY, keyid);
+	mktme_map_unlock();
+	key_ref_put(key_ref);
+	return ret;
+}
+
+#endif /* CONFIG_X86_INTEL_MKTME */