From patchwork Fri Sep 7 22:34:07 2018
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10592643
Date: Fri, 7 Sep 2018 15:34:07 -0700
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: Kai Huang, Jun Nakajima, Kirill Shutemov, Dave Hansen, Jarkko Sakkinen, jmorris@namei.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-mm@kvack.org
Subject: [RFC 01/12] docs/x86: Document the Multi-Key Total Memory Encryption API

Document the APIs used for MKTME on Intel platforms.
MKTME: Multi-KEY Total Memory Encryption

Signed-off-by: Alison Schofield
---
 Documentation/x86/mktme-keys.txt | 153 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 153 insertions(+)
 create mode 100644 Documentation/x86/mktme-keys.txt

diff --git a/Documentation/x86/mktme-keys.txt b/Documentation/x86/mktme-keys.txt new file mode 100644 index 000000000000..2dea7acd2a17 --- /dev/null +++ b/Documentation/x86/mktme-keys.txt
@@ -0,0 +1,153 @@ +MKTME (Multi-Key Total Memory Encryption) is a technology that allows +memory encryption on Intel platforms. Whereas TME (Total Memory Encryption) +allows encryption of the entire system memory using a single key, MKTME +allows multiple encryption domains, each having their own key. The main use +case for the feature is virtual machine isolation. The API's introduced here +are intended to offer flexibility to work in a wide range of uses. + +The externally available Intel Architecture Spec: +https://software.intel.com/sites/default/files/managed/a5/16/Multi-Key-Total-Memory-Encryption-Spec.pdf + +============================ API Overview ============================ + +There are 2 MKTME specific API's that enable userspace to create and use +the memory encryption keys: + +1) Kernel Key Service: MKTME Type + + MKTME is a new key type added to the existing Kernel Key Services + to support the memory encryption keys. The MKTME service manages + the addition and removal of MKTME keys. It maps userspace keys + to hardware keyids and programs the hardware with user requested + encryption parameters. + + o An understanding of the Kernel Key Service is required in order + to use the MKTME key type as it is a subset of that service. + + o MKTME keys are a limited resource. There is a single pool of + MKTME keys for a system and that pool can be from 3 to 63 keys. + With that in mind, userspace may take advantage of the kernel + key services sharing and permissions model for userspace keys. + One key can be shared as long as each user has the permission + of "KEY_NEED_VIEW" to use it. + + o MKTME key type uses capabilities to restrict the allocation + of keys. It only requires CAP_SYS_RESOURCE, but will accept + the broader capability of CAP_SYS_ADMIN. See capabilities(7). + + o The MKTME key service blocks kernel key service commands that + could lead to reprogramming of in use keys, or loss of keys from + the pool. 
This means MKTME does not allow a key to be invalidated, + unlinked, or timed out. These operations are blocked by MKTME as + it creates all keys with the internal flag KEY_FLAG_KEEP. + + o MKTME does not support the keyctl option of UPDATE. Userspace + may change the programming of a key by revoking it and adding + a new key with the updated encryption options (or vice-versa). + +2) System Call: encrypt_mprotect() + + MKTME encryption is requested by calling encrypt_mprotect(). The + caller passes the serial number to a previously allocated and + programmed encryption key. That handle was created with the MKTME + Key Service. + + o The caller must have KEY_NEED_VIEW permission on the key + + o The range of memory that is to be protected must be mapped as + ANONYMOUS. If it is not, the entire encrypt_mprotect() request + fails with EINVAL. + + o As an extension to the existing mprotect() system call, + encrypt_mprotect() supports the legacy mprotect behavior plus + the enabling of memory encryption. That means that in addition + to encrypting the memory, the protection flags will be updated + as requested in the call. + + o Additional mprotect() calls to memory already protected with + MKTME will not alter the MKTME status. + +====================== Usage: MKTME Key Service ====================== + +MKTME is enabled on supported Intel platforms by selecting +CONFIG_X86_INTEL_MKTME which selects CONFIG_MKTME_KEYS. + +Allocating MKTME Keys via command line or system call: + keyctl add mktme name "[options]" ring + + key_serial_t add_key(const char *type, const char *description, + const void *payload, size_t plen, + key_serial_t keyring); + +Revoking MKTME Keys via command line or system call:: + keyctl revoke + + long keyctl(KEYCTL_REVOKE, key_serial_t key); + +Options Field Definition: + userkey= ASCII HEX value encryption key. Defaults to a CPU + generated key if a userkey is not defined here. + + algorithm= Encryption algorithm name as a string. 
+ Valid algorithm: "aes-xts-128" + + tweak= ASCII HEX value tweak key. Tweak key will be added to the + userkey... (need to be clear here that this is being sent + to the hardware - kernel not messing w it) + + entropy= ascii hex value entropy. + This entropy will be used to generated the CPU key and + the tweak key when CPU generated key is requested. + +Algorithm Dependencies: + AES-XTS 128 is the only supported algorithm. + There are only 2 ways that AES-XTS 128 may be used: + + 1) User specified encryption key + - The user specified encryption key must be exactly + 16 ASCII Hex bytes (128 bits). + - A tweak key must be specified and it must be exactly + 16 ASCII Hex bytes (128 bits). + - No entropy field is accepted. + + 2) CPU generated encryption key + - When no user specified encryption key is provided, the + default encryption key will be CPU generated. + - User must specify 16 ASCII Hex bytes of entropy. This + entropy will be used by the CPU to generate both the + encryption key and the tweak key. + - No entropy field is accepted. + +====================== Usage: encrypt_mprotect() ====================== + +System Call encrypt_mprotect():: + + This system call is an extension of the existing mprotect() system + call. It requires the same parameters as legary mprotect() plus + one additional parameter, the keyid. Userspace must provide the + key serial number assigned through the kernel key service. + + int encrypt_mprotect(void *addr, size_t len, int prot, int keyid); + +====================== Usage: Sample Roundtrip ====================== + +Sample usage of MKTME Key Service API with encrypt_mprotect() API: + + Add a key: + key = add_key(mktme, name, options, strlen(option), keyring); + + Map memory: + ptr = mmap(NULL, size, prot, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0); + + Protect memory: + ret = syscall(sys_encrypt_mprotect, ptr, size, prot, keyid); + + Use protected memory: + ................ 
+ + Free memory: + ret = munmap(ptr, size); + + Revoke key: + ret = keyctl(KEYCTL_REVOKE, key); +
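
Review bot: In the "Algorithm Dependencies" section of Documentation/x86/mktme-keys.txt, case 2 (CPU generated encryption key) first says "User must specify 16 ASCII Hex bytes of entropy" and then ends with "No entropy field is accepted", which contradicts it and looks copied from case 1; it presumably should say that no userkey or tweak field is accepted. The lengths also need pinning down: "16 ASCII Hex bytes (128 bits)" is ambiguous, since 16 ASCII hex characters encode only 64 bits and a 128-bit value takes 32 of them, so state the expected string length explicitly. The tweak= entry still carries the note to self "(need to be clear here that this is being sent to the hardware ...)", which should be resolved into final wording. In the sample roundtrip, add_key() returns `key` but the encrypt_mprotect call passes an undefined `keyid`, and `strlen(option)` does not match the `options` argument; "legary" should read "legacy".
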
From patchwork Fri Sep 7 22:34:26 2018
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10592647
Date: Fri, 7 Sep 2018 15:34:26 -0700
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: Kai Huang, Jun Nakajima, Kirill Shutemov, Dave Hansen, Jarkko Sakkinen, jmorris@namei.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-mm@kvack.org
Subject: [RFC 02/12] mm: Generalize the mprotect implementation to support extensions
Message-ID: <2dcbb08ed8804e02538a73ee05a4283c54180e36.1536356108.git.alison.schofield@intel.com>

Today mprotect is implemented to support legacy mprotect behavior plus an extension for memory protection keys. Make it more generic so that it can support additional extensions in the future. This is done in preparation for adding a new system call for memory encryption keys. The intent is that the new encrypted mprotect will be another extension to legacy mprotect.

Signed-off-by: Alison Schofield
---
 mm/mprotect.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/mm/mprotect.c b/mm/mprotect.c index 68dc476310c0..56e64ef7931e 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -35,6 +35,8 @@ #include "internal.h" +#define NO_PKEY -1 + static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, unsigned long addr, unsigned long end, pgprot_t newprot, int dirty_accountable, int prot_numa)
@@ -402,9 +404,9 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, } /* - * pkey==-1 when doing a legacy mprotect() + * When pkey==NO_PKEY we get legacy mprotect behavior here. */ -static int do_mprotect_pkey(unsigned long start, size_t len, +static int do_mprotect_ext(unsigned long start, size_t len, unsigned long prot, int pkey) { unsigned long nstart, end, tmp, reqprot; @@ -528,7 +530,7 @@ static int do_mprotect_pkey(unsigned long start, size_t len, SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len, unsigned long, prot) { - return do_mprotect_pkey(start, len, prot, -1); + return do_mprotect_ext(start, len, prot, NO_PKEY); } #ifdef CONFIG_ARCH_HAS_PKEYS 
@@ -536,7 +538,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len, SYSCALL_DEFINE4(pkey_mprotect, unsigned long, start, size_t, len, unsigned long, prot, int, pkey) { - return do_mprotect_pkey(start, len, prot, pkey); + return do_mprotect_ext(start, len, prot, pkey); } SYSCALL_DEFINE2(pkey_alloc, unsigned long, flags, unsigned long, init_val)
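
Review bot: In the @@ -35,6 +35,8 @@ hunk of mm/mprotect.c, `#define NO_PKEY -1` leaves a negative constant unparenthesized; write it as `#define NO_PKEY (-1)` so it stays correct wherever the macro is expanded inside a larger expression. Since the commit message says other extensions are meant to build on do_mprotect_ext(), consider whether the constant belongs in a shared header rather than being local to this file.
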
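
Review bot: In the @@ -402,9 +404,9 @@ hunk of mm/mprotect.c, the function is renamed to do_mprotect_ext() but its last parameter is still `int pkey` and the comment only covers the pkey==NO_PKEY case, so the signature does not yet say how a non-pkey extension would pass its argument. Either document in the comment what the fourth argument means for each caller, or fold the rename into the patch that adds the new parameter so the generalization can be reviewed in one place.
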
From patchwork Fri Sep 7 22:34:54 2018
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10592651
Date: Fri, 7 Sep 2018 15:34:54 -0700
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: Kai Huang, Jun Nakajima, Kirill Shutemov, Dave Hansen, Jarkko Sakkinen, jmorris@namei.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-mm@kvack.org
Subject: [RFC 03/12] syscall/x86: Wire up a new system call for memory encryption keys

encrypt_mprotect() is a new system call to support memory encryption. It takes the same parameters as legacy mprotect, plus an additional key serial number that is mapped to an encryption keyid.

Signed-off-by: Alison Schofield --- arch/x86/entry/syscalls/syscall_32.tbl | 1 + arch/x86/entry/syscalls/syscall_64.tbl | 1 + include/linux/syscalls.h | 2 ++ include/uapi/asm-generic/unistd.h | 4 +++- kernel/sys_ni.c | 2 ++ 5 files changed, 9 insertions(+), 1 deletion(-) diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl index 3cf7b533b3d1..f41ad857d5c6 100644 --- a/arch/x86/entry/syscalls/syscall_32.tbl +++ b/arch/x86/entry/syscalls/syscall_32.tbl @@ -398,3 +398,4 @@ 384 i386 arch_prctl sys_arch_prctl __ia32_compat_sys_arch_prctl 385 i386 io_pgetevents sys_io_pgetevents __ia32_compat_sys_io_pgetevents 386 i386 rseq sys_rseq __ia32_sys_rseq +387 i386 encrypt_mprotect sys_encrypt_mprotect __ia32_sys_encrypt_mprotect diff --git a/arch/x86/entry/syscalls/syscall_64.tbl b/arch/x86/entry/syscalls/syscall_64.tbl index f0b1709a5ffb..cf2decfa6119 100644 --- a/arch/x86/entry/syscalls/syscall_64.tbl +++ b/arch/x86/entry/syscalls/syscall_64.tbl @@ -343,6 +343,7 @@ 332 common statx __x64_sys_statx 333 common io_pgetevents __x64_sys_io_pgetevents 334 common rseq __x64_sys_rseq +335 common encrypt_mprotect __x64_sys_encrypt_mprotect # # x32-specific system call numbers start at 512 to avoid cache impact diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index 3ed377d0c46c..7dc0ed3a182e 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -904,6 +904,8 @@ asmlinkage long sys_statx(int dfd, const char __user *path, unsigned flags, unsigned mask, struct statx __user *buffer); asmlinkage long sys_rseq(struct rseq __user *rseq, uint32_t rseq_len, int flags, uint32_t sig); +asmlinkage long sys_encrypt_mprotect(unsigned long start, size_t len, + unsigned long prot, int serial); /* * Architecture-specific system calls diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h index 42990676a55e..d2cb0af68160 100644 --- a/include/uapi/asm-generic/unistd.h 
+++ b/include/uapi/asm-generic/unistd.h @@ -734,9 +734,11 @@ __SYSCALL(__NR_pkey_free, sys_pkey_free) __SYSCALL(__NR_statx, sys_statx) #define __NR_io_pgetevents 292 __SC_COMP(__NR_io_pgetevents, sys_io_pgetevents, compat_sys_io_pgetevents) +#define __NR_encrypt_mprotect 293 +__SYSCALL(__NR_encrypt_mprotect, sys_encrypt_mprotect) #undef __NR_syscalls -#define __NR_syscalls 293 +#define __NR_syscalls 294 /* * 32 bit systems traditionally used different diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c index df556175be50..1b48f709c265 100644 --- a/kernel/sys_ni.c +++ b/kernel/sys_ni.c 
@@ -336,6 +336,8 @@ COND_SYSCALL(pkey_mprotect); COND_SYSCALL(pkey_alloc); COND_SYSCALL(pkey_free); +/* multi-key total memory encryption keys */ +COND_SYSCALL(encrypt_mprotect); /* * Architecture specific weak syscall entries.
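
Review bot: In the include/linux/syscalls.h hunk, the new prototype declares its last parameter as `int serial`, while the documentation patch in this series writes the call as encrypt_mprotect(..., int keyid) and the key service hands back a key_serial_t. Use key_serial_t for the parameter and settle on one name across the prototype and the documentation, so it is clear that userspace passes a key serial number rather than a hardware keyid.
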
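
Review bot: In the include/uapi/asm-generic/unistd.h hunk, number 293 is allocated in the generic table for a call that the series documents as an Intel-platform feature selected by CONFIG_X86_INTEL_MKTME, and the commit message does not say why a generic number is wanted. State the reasoning in the commit message, or keep the entry to the x86 syscall tables until another architecture needs it.
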
2955B8E0001 for ; Fri, 7 Sep 2018 18:35:32 -0400 (EDT) Received: by mail-pf1-f199.google.com with SMTP id a23-v6so8042801pfo.23 for ; Fri, 07 Sep 2018 15:35:32 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-original-authentication-results:x-gm-message-state:date:from:to :cc:subject:message-id:references:mime-version:content-disposition :in-reply-to:user-agent; bh=MV8eJgBn3dck/e6WwiyYPrZefAOHute7GEXGzAC4J9A=; b=mEAZLPHPwyDgsWc85E5RKkjO/sHJF9iihmfSg5lKR0BZNPOQTR3WMAxpztFfmo+25p LknLB/DzDU2uW1uyQGj/zOdp1ht+t65KLS65jlgo7Tde/F/bGWeV0m6GaKMYrEaVxTUR iq2B/gRPzpHD2A8AVDbqRIQuy4tCcuTjekRppEM2w+ef30AH+gNOee27Y9SzkFRj9U3d aHB/irt/EVqDcij9qKvJN+52KtezLh4WKG/VCzfbEkvQySU4w9HKR+8pA2u92I/oS+NA g0c//CbkYh5mUMcMbUYvZeOfyZUwHMExE2qndkNQKGVZBcr0ZZQX0P8FJoYd9CKZr5LU ui/Q== X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of alison.schofield@intel.com designates 192.55.52.93 as permitted sender) smtp.mailfrom=alison.schofield@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com X-Gm-Message-State: APzg51CTJrpoliicxEu2Y6c0xMrMCq6svPSFuAobYoXl6yzmT8gik15n soNycTBspS6kxT4t9NNaTmhxBKoYtPYr9UnFp7I92kR40H2258rAry/tl4/UzlR9dF94AOpSjv9 NQC2lvKGRvqoGrg9dQ//0DieVB+nJfPydDTPnK6lR43i4Kaxq8P69lWvrgnEM8BnqGw== X-Received: by 2002:a17:902:9893:: with SMTP id s19-v6mr10315083plp.130.1536359731824; Fri, 07 Sep 2018 15:35:31 -0700 (PDT) X-Google-Smtp-Source: ANB0VdZOc48bEvaqujPgOWhacOYbQzbo9a+EXjxY4ewQxZmBRClaS5elugcf2mvpa9AbLCIFMv4Y X-Received: by 2002:a17:902:9893:: with SMTP id s19-v6mr10315035plp.130.1536359730799; Fri, 07 Sep 2018 15:35:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536359730; cv=none; d=google.com; s=arc-20160816; b=OHfxUFEcVDCaX5ylLxyciwgVerAQZPKoo6Y62YjJfjnp4kXgdR1Fn+51nwN8hp8vv3 brc0jp26GvtiSeqZiJMwx4UhoB3t2YxR9hv+PHlKOY+aYWWWXrJyaC+SYI3Ip9aD6LQd 3q79lCPtUN6LKsCVS/JrmHGvu9E8F6ShnEk5gH59CsbHkYiDtj2MNlE0E6aHJyAo3VMF 
rNG5EL4bwAag1+XWr8eUDAnPHvaerhTpyjt0gufNVct8t0V1NaIdkmJ2GduNJnfjTte/ uYZoFj+YEXskax0JpQpS0rsKyg43EeH9wmP6U2Mn4HGMpDl+VFasvl0V8YGL2nvl27EJ xgPA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=user-agent:in-reply-to:content-disposition:mime-version:references :message-id:subject:cc:to:from:date; bh=MV8eJgBn3dck/e6WwiyYPrZefAOHute7GEXGzAC4J9A=; b=r+RqirCrWYPh49Oj6kL9tCHPJnscoPCYwdzf2knKzOU8LAhMohXmyy/gfjknAsrklr JOEfbHcoJN37FMcTUOWb3NAdooGRMnYMc6dXHuTLlT+DCsjGFmT9G6kOP1Qx6+jwanT4 Da99ZONPR1+vMfxsr+24S17W2tED7pTPmrwpod2lLe7dMSLSyE/YGn+5O+1jcMx7frbe M/iH3sXAqgcsHo//ltaeFNpKAYhmeVRI6wtNlO+Snin615xx6DQ1Dm7ehdDjcjdnmL6a dawNmbsetPdgsYw9IhwDbfTSwySmCYMOwMLtwoPBBrtMZvOb6F4nYXoM1JF3KHDmQPan c6rw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of alison.schofield@intel.com designates 192.55.52.93 as permitted sender) smtp.mailfrom=alison.schofield@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from mga11.intel.com (mga11.intel.com. 
[192.55.52.93]) by mx.google.com with ESMTPS id v21-v6si9288620plo.397.2018.09.07.15.35.30 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 07 Sep 2018 15:35:30 -0700 (PDT) Received-SPF: pass (google.com: domain of alison.schofield@intel.com designates 192.55.52.93 as permitted sender) client-ip=192.55.52.93; Authentication-Results: mx.google.com; spf=pass (google.com: domain of alison.schofield@intel.com designates 192.55.52.93 as permitted sender) smtp.mailfrom=alison.schofield@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Sep 2018 15:35:30 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.53,344,1531810800"; d="scan'208";a="71260822" Received: from alison-desk.jf.intel.com ([10.54.74.53]) by orsmga007.jf.intel.com with ESMTP; 07 Sep 2018 15:35:29 -0700 Date: Fri, 7 Sep 2018 15:36:12 -0700 
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: Kai Huang, Jun Nakajima, Kirill Shutemov, Dave Hansen, Jarkko Sakkinen, jmorris@namei.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-mm@kvack.org
Subject: [RFC 04/12] x86/mm: Add helper functions to manage memory encryption keys
Message-ID: <28a55df5da1ecfea28bac588d3ac429cf1419b42.1536356108.git.alison.schofield@intel.com>

Define a global mapping structure to track the mapping of userspace keys to hardware keyids in MKTME (Multi-Key Total Memory Encryption). This data will be used for the memory encryption system call and the kernel key service API.

Implement helper functions to access this mapping structure and make them visible to the MKTME Kernel Key Service: security/keys/mktme_keys

Signed-off-by: Alison Schofield
---
 arch/x86/include/asm/mktme.h | 11 ++++++
 arch/x86/mm/mktme.c | 85 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)

diff --git a/arch/x86/include/asm/mktme.h b/arch/x86/include/asm/mktme.h index dbfbd955da98..f6acd551457f 100644 --- a/arch/x86/include/asm/mktme.h +++ b/arch/x86/include/asm/mktme.h
@@ -13,6 +13,17 @@ extern phys_addr_t mktme_keyid_mask; extern int mktme_nr_keyids; extern int mktme_keyid_shift; +/* Manage mappings between hardware keyids and userspace keys */ +extern int mktme_map_alloc(void); +extern void mktme_map_free(void); +extern void mktme_map_lock(void); +extern void mktme_map_unlock(void); +extern int mktme_map_get_free_keyid(void); +extern void mktme_map_clear_keyid(int keyid); +extern void mktme_map_set_keyid(int keyid, unsigned int serial); +extern int mktme_map_keyid_from_serial(unsigned int serial); +extern unsigned int mktme_map_serial_from_keyid(int keyid); + extern struct page_ext_operations page_mktme_ops; #define page_keyid page_keyid diff --git a/arch/x86/mm/mktme.c b/arch/x86/mm/mktme.c index 660caf6a5ce1..5246d8323359 100644 --- a/arch/x86/mm/mktme.c +++ b/arch/x86/mm/mktme.c 
@@ -63,6 +63,91 @@ int vma_keyid(struct vm_area_struct *vma) return (prot & mktme_keyid_mask) >> mktme_keyid_shift; } +/* + * struct mktme_mapping and the mktme_map_* functions manage the mapping + * of userspace keys to hardware keyids in MKTME. They are used by the + * the encrypt_mprotect system call and the MKTME Key Service API. + */ +struct mktme_mapping { + struct mutex lock; /* protect this map & HW state */ + unsigned int mapped_keyids; + unsigned int serial[]; +}; + +struct mktme_mapping *mktme_map; + +static inline long mktme_map_size(void) +{ + long size = 0; + + size += sizeof(mktme_map); + size += sizeof(mktme_map->serial[0]) * mktme_nr_keyids; + return size; +} + +int mktme_map_alloc(void) +{ + mktme_map = kzalloc(mktme_map_size(), GFP_KERNEL); + if (!mktme_map) + return 0; + mutex_init(&mktme_map->lock); + return 1; +} + +void mktme_map_free(void) +{ + kfree(mktme_map); +} + +void mktme_map_lock(void) +{ + mutex_lock(&mktme_map->lock); +} + +void mktme_map_unlock(void) +{ + mutex_unlock(&mktme_map->lock); +} + +void mktme_map_set_keyid(int keyid, unsigned int serial) +{ + mktme_map->serial[keyid] = serial; + mktme_map->mapped_keyids++; +} + +void mktme_map_clear_keyid(int keyid) +{ + mktme_map->serial[keyid] = 0; + mktme_map->mapped_keyids--; +} + +unsigned int mktme_map_serial_from_keyid(int keyid) +{ + return mktme_map->serial[keyid]; +} + +int mktme_map_keyid_from_serial(unsigned int serial) +{ + int i; + + for (i = 1; i < mktme_nr_keyids; i++) + if (mktme_map->serial[i] == serial) + return i; + return 0; +} + +int mktme_map_get_free_keyid(void) +{ + int i; + + if (mktme_map->mapped_keyids < mktme_nr_keyids) { + for (i = 1; i < mktme_nr_keyids; i++) + if (mktme_map->serial[i] == 0) + return i; + } + return 0; +} + void prep_encrypted_page(struct page *page, int order, int keyid, bool zero) { int i;
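
Review bot: mktme_map_size() in the arch/x86/mm/mktme.c hunk of [RFC 04/12] adds sizeof(mktme_map), which is the size of the pointer rather than of struct mktme_mapping, so the kzalloc() in mktme_map_alloc() comes up short by the difference and stores to the highest serial[] slots land past the end of the buffer. Use sizeof(*mktme_map), or struct_size(mktme_map, serial, mktme_nr_keyids) so the multiplication is overflow-checked as well. In the same hunk, mktme_map_set_keyid(), mktme_map_clear_keyid() and mktme_map_serial_from_keyid() index serial[] with an unchecked int keyid; either bound it against mktme_nr_keyids or document that callers must pass a value obtained from mktme_map_get_free_keyid() with the map lock held. mktme_map itself is a non-static global that the header does not export, and mktme_map_alloc() returns 1/0 where 0/-ENOMEM would match kernel convention.
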
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10592659
Date: Fri, 7 Sep 2018 15:36:27 -0700
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: Kai Huang, Jun Nakajima, Kirill Shutemov, Dave Hansen, Jarkko Sakkinen, jmorris@namei.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-mm@kvack.org
Subject: [RFC 05/12] x86/mm: Add a helper function to set keyid bits in encrypted VMA's

Store the memory encryption keyid in the upper bits of vm_page_prot that match position of keyid, bits 51:46, in a PTE.

Signed-off-by: Alison Schofield
---
 arch/x86/include/asm/mktme.h | 3 +++
 arch/x86/mm/mktme.c | 15 +++++++++++++++
 include/linux/mm.h | 4 ++++
 3 files changed, 22 insertions(+)

diff --git a/arch/x86/include/asm/mktme.h b/arch/x86/include/asm/mktme.h index f6acd551457f..b707f800b68f 100644 --- a/arch/x86/include/asm/mktme.h +++ b/arch/x86/include/asm/mktme.h @@ -13,6 +13,9 @@ extern phys_addr_t mktme_keyid_mask; extern int mktme_nr_keyids; extern int mktme_keyid_shift; +/* Set the encryption keyid bits in a VMA */ +extern void mprotect_set_encrypt(struct vm_area_struct *vma, int newkeyid); + /* Manage mappings between hardware keyids and userspace keys */ extern int mktme_map_alloc(void); extern void mktme_map_free(void); diff --git a/arch/x86/mm/mktme.c b/arch/x86/mm/mktme.c index 5246d8323359..5ee7f37e9cd0 100644 --- a/arch/x86/mm/mktme.c +++ b/arch/x86/mm/mktme.c
@@ -63,6 +63,21 @@ int vma_keyid(struct vm_area_struct *vma) return (prot & mktme_keyid_mask) >> mktme_keyid_shift; } +/* Set the encryption keyid bits in a VMA */ +void mprotect_set_encrypt(struct vm_area_struct *vma, int newkeyid) +{ + int oldkeyid = vma_keyid(vma); + pgprotval_t newprot; + + if (newkeyid == oldkeyid) + return; + + newprot = pgprot_val(vma->vm_page_prot); + newprot &= ~mktme_keyid_mask; + newprot |= (unsigned long)newkeyid << mktme_keyid_shift; + vma->vm_page_prot = __pgprot(newprot); +} + /* * struct mktme_mapping and the mktme_map_* functions manage the mapping * of userspace keys to hardware keyids in MKTME. They are used by the diff --git a/include/linux/mm.h b/include/linux/mm.h index a4ce26aa0b65..ac85c0805761 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h 
@@ -2799,5 +2799,9 @@ void __init setup_nr_node_ids(void); static inline void setup_nr_node_ids(void) {} #endif +#ifndef CONFIG_X86_INTEL_MKTME +static inline void mprotect_set_encrypt(struct vm_area_struct *vma, + int newkeyid) {} +#endif /* CONFIG_X86_INTEL_MKTME */ #endif /* __KERNEL__ */ #endif /* _LINUX_MM_H */
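
Review bot: mprotect_set_encrypt() in the arch/x86/mm/mktme.c hunk of [RFC 05/12] ORs (unsigned long)newkeyid << mktme_keyid_shift into newprot with no range check on the signed newkeyid, so a negative or too-large value sets bits outside mktme_keyid_mask and corrupts the rest of vm_page_prot. Reject out-of-range keyids, or at least mask the shifted value with mktme_keyid_mask, and cast to pgprotval_t to match newprot. A comment should also state that the caller must hold mmap_sem for write and that this helper only updates vma->vm_page_prot, not PTEs that are already populated.
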
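
Review bot: the empty mprotect_set_encrypt() stub in the include/linux/mm.h hunk of [RFC 05/12] sits under #ifndef CONFIG_X86_INTEL_MKTME, while the real prototype is declared in arch/x86/include/asm/mktme.h, so the two halves of one interface live in unrelated headers and a caller that includes only linux/mm.h has no declaration when MKTME is enabled unless something else pulls in asm/mktme.h. Keep the stub next to the prototype, or have the generic header include the arch one under the config option.
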
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10592661
Date: Fri, 7 Sep 2018 15:36:51 -0700
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: Kai Huang, Jun Nakajima, Kirill Shutemov, Dave Hansen, Jarkko Sakkinen, jmorris@namei.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-mm@kvack.org
Subject: [RFC 06/12] mm: Add the encrypt_mprotect() system call
Message-ID: <7d27511b07c8337e15096214622b66ef8f0fa345.1536356108.git.alison.schofield@intel.com>

Implement memory encryption with a new system call that is an extension of the legacy mprotect() system call.

In encrypt_mprotect the caller must pass a handle to a previously allocated and programmed encryption key. Validate the key and store the keyid bits in the vm_page_prot for each VMA in the protection range.

Signed-off-by: Alison Schofield
---
 fs/exec.c | 4 ++--
 include/linux/key.h | 2 ++
 include/linux/mm.h | 3 ++-
 mm/mprotect.c | 67 ++++++++++++++++++++++++++++++++++++++++++++++++-----
 4 files changed, 67 insertions(+), 9 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c index a1a246062561..b681a413db9c 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -754,8 +754,8 @@ int setup_arg_pages(struct linux_binprm *bprm, vm_flags |= mm->def_flags; vm_flags |= VM_STACK_INCOMPLETE_SETUP; - ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end, - vm_flags); + ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end, vm_flags, + -1); if (ret) goto out_unlock; BUG_ON(prev != vma); diff --git a/include/linux/key.h b/include/linux/key.h index e58ee10f6e58..fb8a7d5f6149 100644 --- a/include/linux/key.h +++ b/include/linux/key.h
@@ -346,6 +346,8 @@ static inline key_serial_t key_serial(const struct key *key) extern void key_set_timeout(struct key *, unsigned); +extern key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, + key_perm_t perm); /* * The permissions required on a key that we're looking up. */ diff --git a/include/linux/mm.h b/include/linux/mm.h index ac85c0805761..0f9422c7841e 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -1579,7 +1579,8 @@ extern unsigned long change_protection(struct vm_area_struct *vma, unsigned long int dirty_accountable, int prot_numa); extern int mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, unsigned long start, - unsigned long end, unsigned long newflags); + unsigned long end, unsigned long newflags, + int newkeyid); /* * doesn't attempt to fault and will return short. diff --git a/mm/mprotect.c b/mm/mprotect.c index 56e64ef7931e..6c2e1106525c 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -28,14 +28,17 @@ #include #include #include +#include #include #include #include #include +#include #include "internal.h" #define NO_PKEY -1 +#define NO_KEYID -1 static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, unsigned long addr, unsigned long end, pgprot_t newprot, @@ -310,7 +313,8 @@ unsigned long change_protection(struct vm_area_struct *vma, unsigned long start, int mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, - unsigned long start, unsigned long end, unsigned long newflags) + unsigned long start, unsigned long end, unsigned long newflags, + int newkeyid) { struct mm_struct *mm = vma->vm_mm; unsigned long oldflags = vma->vm_flags; 
@@ -320,10 +324,24 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, int error; int dirty_accountable = 0; + /* + * Flags match and Keyids match or we have NO_KEYID. + * This _fixup is usually called from do_mprotect_ext() except + * for one special case: caller fs/exec.c/setup_arg_pages() + * In that case, newkeyid is passed as -1 (NO_KEYID). + */ + if (newflags == oldflags && + (newkeyid == vma_keyid(vma) || newkeyid == NO_KEYID)) { + *pprev = vma; + return 0; + } + /* Flags match and Keyid changes */ if (newflags == oldflags) { + mprotect_set_encrypt(vma, newkeyid); *pprev = vma; return 0; } + /* Flags and Keyids both change, continue. */ /* * If we make a private mapping writable we increase our commit; @@ -373,6 +391,8 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, } success: + if (newkeyid != NO_KEYID) + mprotect_set_encrypt(vma, newkeyid); /* * vm_flags and vm_page_prot are protected by the mmap_sem * held in write mode. @@ -404,10 +424,15 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, } /* - * When pkey==NO_PKEY we get legacy mprotect behavior here. + * do_mprotect_ext() supports the legacy mprotect behavior plus extensions + * for protection keys and memory encryption keys. These extensions are + * mutually exclusive and the behavior is: + * (pkey==NO_PKEY && keyid==NO_KEYID) ==> legacy mprotect + * (pkey is valid) ==> legacy mprotect plus protection key extensions + * (keyid is valid) ==> legacy mprotect plus encryption key extensions */ static int do_mprotect_ext(unsigned long start, size_t len, - unsigned long prot, int pkey) + unsigned long prot, int pkey, int keyid) { unsigned long nstart, end, tmp, reqprot; struct vm_area_struct *vma, *prev; 
@@ -505,7 +530,8 @@ static int do_mprotect_ext(unsigned long start, size_t len, tmp = vma->vm_end; if (tmp > end) tmp = end; - error = mprotect_fixup(vma, &prev, nstart, tmp, newflags); + error = mprotect_fixup(vma, &prev, nstart, tmp, newflags, + keyid); if (error) goto out; nstart = tmp; @@ -530,7 +556,7 @@ static int do_mprotect_ext(unsigned long start, size_t len, SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len, unsigned long, prot) { - return do_mprotect_ext(start, len, prot, NO_PKEY); + return do_mprotect_ext(start, len, prot, NO_PKEY, NO_KEYID); } #ifdef CONFIG_ARCH_HAS_PKEYS @@ -538,7 +564,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len, SYSCALL_DEFINE4(pkey_mprotect, unsigned long, start, size_t, len, unsigned long, prot, int, pkey) { - return do_mprotect_ext(start, len, prot, pkey); + return do_mprotect_ext(start, len, prot, pkey, NO_KEYID); } SYSCALL_DEFINE2(pkey_alloc, unsigned long, flags, unsigned long, init_val) 
@@ -587,3 +613,32 @@ SYSCALL_DEFINE1(pkey_free, int, pkey) } #endif /* CONFIG_ARCH_HAS_PKEYS */ + +#ifdef CONFIG_X86_INTEL_MKTME + +SYSCALL_DEFINE4(encrypt_mprotect, unsigned long, start, size_t, len, + unsigned long, prot, key_serial_t, serial) +{ + key_ref_t key_ref; + int ret, keyid; + + /* TODO MKTME key service must be initialized */ + + key_ref = lookup_user_key(serial, 0, KEY_NEED_VIEW); + if (IS_ERR(key_ref)) + return PTR_ERR(key_ref); + + mktme_map_lock(); + keyid = mktme_map_keyid_from_serial(serial); + if (!keyid) { + mktme_map_unlock(); + key_ref_put(key_ref); + return -EINVAL; + } + ret = do_mprotect_ext(start, len, prot, NO_PKEY, keyid); + mktme_map_unlock(); + key_ref_put(key_ref); + return ret; +} + +#endif /* CONFIG_X86_INTEL_MKTME */
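
Review bot: the setup_arg_pages() call in the fs/exec.c hunk of [RFC 06/12] passes a bare -1 for the new newkeyid argument because NO_KEYID is defined privately in mm/mprotect.c. Move NO_KEYID next to the mprotect_fixup() prototype in include/linux/mm.h and use it here, so the sentinel has a single definition and the call site explains itself.
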
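
Review bot: in the mprotect_fixup() hunk of [RFC 06/12], the new "Flags match and Keyid changes" branch calls mprotect_set_encrypt(vma, newkeyid) and returns 0 without ever consulting start and end, so the keyid is written to the whole VMA even when the requested range covers only part of it, and nothing on this path rewrites PTEs that are already populated with the old keyid. Let a keyid change fall through to the same path a flags change takes instead of returning early, and keep the early return only for the first case (flags equal and keyid equal or NO_KEYID).
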
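
Review bot: encrypt_mprotect() in the last mm/mprotect.c hunk of [RFC 06/12] calls mktme_map_lock() while the "MKTME key service must be initialized" TODO is still open, and mktme_map_lock() dereferences the global mktme_map unconditionally, so the syscall faults on a NULL pointer if mktme_map_alloc() has not run. Check for an initialized map and return an error before taking the lock. The lookup_user_key() call also asks only for KEY_NEED_VIEW; add a comment explaining why view permission is sufficient to encrypt memory with the key, or require a stronger permission.
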
Date: Fri, 7 Sep 2018 15:37:10 -0700
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: Kai Huang, Jun Nakajima, Kirill Shutemov, Dave Hansen, Jarkko Sakkinen, jmorris@namei.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-mm@kvack.org
Subject: [RFC 07/12] x86/mm: Add helper functions to track encrypted VMA's

In order to safely manage the usage of memory encryption keys, VMA's using each keyid need to be tracked. This tracking allows the Kernel Key Service to know when the keyid resource is actually in use, or when it is idle and may be considered for reuse.

Define a global atomic encrypt_count array to track the number of VMA's outstanding for each encryption keyid. Implement helper functions to manipulate this encrypt_count array.

Signed-off-by: Alison Schofield
--- arch/x86/include/asm/mktme.h | 7 +++++++ arch/x86/mm/mktme.c | 39 +++++++++++++++++++++++++++++++++++++++ include/linux/mm.h | 2 ++ 3 files changed, 48 insertions(+) diff --git a/arch/x86/include/asm/mktme.h b/arch/x86/include/asm/mktme.h index b707f800b68f..5f3fa0c39c1c 100644 --- a/arch/x86/include/asm/mktme.h +++ b/arch/x86/include/asm/mktme.h 
@@ -16,6 +16,13 @@ extern int mktme_keyid_shift; /* Set the encryption keyid bits in a VMA */ extern void mprotect_set_encrypt(struct vm_area_struct *vma, int newkeyid); +/* Manage the references to outstanding VMA's per encryption key */ +extern int vma_alloc_encrypt_array(void); +extern void vma_free_encrypt_array(void); +extern int vma_read_encrypt_ref(int keyid); +extern void vma_get_encrypt_ref(struct vm_area_struct *vma); +extern void vma_put_encrypt_ref(struct vm_area_struct *vma); + /* Manage mappings between hardware keyids and userspace keys */ extern int mktme_map_alloc(void); extern void mktme_map_free(void); diff --git a/arch/x86/mm/mktme.c b/arch/x86/mm/mktme.c index 5ee7f37e9cd0..5690ef51a79a 100644 --- a/arch/x86/mm/mktme.c +++ b/arch/x86/mm/mktme.c @@ -163,6 +163,45 @@ int mktme_map_get_free_keyid(void) return 0; } +/* + * Helper functions manage the encrypt_count[] array that tracks the + * VMA's outstanding for each encryption keyid. The gets & puts are + * used in core mm code that allocates and free's VMA's. The alloc, + * free, and read functions are used by the MKTME key service to + * manage key allocation and programming. + */ +atomic_t *encrypt_count; + +int vma_alloc_encrypt_array(void) +{ + encrypt_count = kcalloc(mktme_nr_keyids, sizeof(atomic_t), GFP_KERNEL); + if (!encrypt_count) + return -ENOMEM; + return 0; +} + +void vma_free_encrypt_array(void) +{ + kfree(encrypt_count); +} + +int vma_read_encrypt_ref(int keyid) +{ + return atomic_read(&encrypt_count[keyid]); +} + +void vma_get_encrypt_ref(struct vm_area_struct *vma) +{ + if (vma_keyid(vma)) + atomic_inc(&encrypt_count[vma_keyid(vma)]); +} + +void vma_put_encrypt_ref(struct vm_area_struct *vma) +{ + if (vma_keyid(vma)) + atomic_dec(&encrypt_count[vma_keyid(vma)]); +} + void prep_encrypted_page(struct page *page, int order, int keyid, bool zero) { int i; diff --git a/include/linux/mm.h b/include/linux/mm.h index 0f9422c7841e..b217c699dbab 100644 --- a/include/linux/mm.h 
+++ b/include/linux/mm.h 
@@ -2803,6 +2803,8 @@ static inline void setup_nr_node_ids(void) {} #ifndef CONFIG_X86_INTEL_MKTME static inline void mprotect_set_encrypt(struct vm_area_struct *vma, int newkeyid) {} +static inline void vma_get_encrypt_ref(struct vm_area_struct *vma) {} +static inline void vma_put_encrypt_ref(struct vm_area_struct *vma) {} #endif /* CONFIG_X86_INTEL_MKTME */ #endif /* __KERNEL__ */ #endif /* _LINUX_MM_H */
From patchwork Fri Sep 7 22:37:25 2018
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10592665
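Review bot: the declarations added to asm/mktme.h in [RFC 07/12] expose vma_read_encrypt_ref() with no statement of what the caller must hold for the value to mean anything. It is a plain atomic_read() snapshot, and the commit message says the key service uses it to decide that a keyid is idle, so the comment above the declarations should name the lock or other exclusion that keeps a vma_get_encrypt_ref() from racing with that decision.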
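Review bot: in the arch/x86/mm/mktme.c hunk of [RFC 07/12], vma_read_encrypt_ref(), vma_get_encrypt_ref() and vma_put_encrypt_ref() index encrypt_count[] with no check that the array exists or that the keyid lies inside it. encrypt_count is NULL until vma_alloc_encrypt_array() succeeds and is left dangling by vma_free_encrypt_array(), which calls kfree() without clearing the pointer, while the comment says the gets and puts are called from core mm code. Please guard on the pointer, set it to NULL on free, and confirm the sizing: kcalloc(mktme_nr_keyids, ...) gives indices 0..mktme_nr_keyids-1, so if mktme_nr_keyids is itself a valid keyid the array is one entry short.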
Date: Fri, 7 Sep 2018 15:37:25 -0700
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: Kai Huang, Jun Nakajima, Kirill Shutemov, Dave Hansen, Jarkko Sakkinen, jmorris@namei.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-mm@kvack.org
Subject: [RFC 08/12] mm: Track VMA's in use for each memory encryption keyid
Message-ID: <3c891d076a376c8cff04403e90d04cf98b203960.1536356108.git.alison.schofield@intel.com>

Keep track of the VMA's outstanding for each memory encryption keyid. The count is used by the MKTME (Multi-Key Total Memory Encryption) Key Service to determine when it is safe to reprogram a hardware encryption key.

Approach here is to do gets and puts on the encryption reference wherever kmem_cache_alloc/free's of vma_area_cachep's are executed. A couple of these locations will not be hit until cgroup support is added. One of these locations should never hit, so use a VM_WARN_ON.

Signed-off-by: Alison Schofield
--- arch/x86/mm/mktme.c | 2 ++ kernel/fork.c | 2 ++ mm/mmap.c | 12 ++++++++++++ mm/nommu.c | 4 ++++ 4 files changed, 20 insertions(+) diff --git a/arch/x86/mm/mktme.c b/arch/x86/mm/mktme.c index 5690ef51a79a..8a7c326d4546 100644 --- a/arch/x86/mm/mktme.c +++ b/arch/x86/mm/mktme.c @@ -72,10 +72,12 @@ void mprotect_set_encrypt(struct vm_area_struct *vma, int newkeyid) if (newkeyid == oldkeyid) return; + vma_put_encrypt_ref(vma); newprot = pgprot_val(vma->vm_page_prot); newprot &= ~mktme_keyid_mask; newprot |= (unsigned long)newkeyid << mktme_keyid_shift; vma->vm_page_prot = __pgprot(newprot); + vma_get_encrypt_ref(vma); } /* 
diff --git a/kernel/fork.c b/kernel/fork.c index e5e7a220a124..2d0e507bde7c 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -459,6 +459,7 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm, if (!tmp) goto fail_nomem; *tmp = *mpnt; + vma_get_encrypt_ref(tmp); /* Track encrypted vma's */ INIT_LIST_HEAD(&tmp->anon_vma_chain); retval = vma_dup_policy(mpnt, tmp); if (retval) @@ -539,6 +540,7 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm, fail_nomem_anon_vma_fork: mpol_put(vma_policy(tmp)); fail_nomem_policy: + vma_put_encrypt_ref(tmp); /* Track encrypted vma's */ kmem_cache_free(vm_area_cachep, tmp); fail_nomem: retval = -ENOMEM; diff --git a/mm/mmap.c b/mm/mmap.c index 4c604eb644b4..7390b8b69fd6 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -182,6 +182,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma) if (vma->vm_file) fput(vma->vm_file); mpol_put(vma_policy(vma)); + vma_put_encrypt_ref(vma); kmem_cache_free(vm_area_cachep, vma); return next; } @@ -913,6 +914,7 @@ int __vma_adjust(struct vm_area_struct *vma, unsigned long start, anon_vma_merge(vma, next); mm->map_count--; mpol_put(vma_policy(next)); + vma_put_encrypt_ref(next); kmem_cache_free(vm_area_cachep, next); /* * In mprotect's case 6 (see comments on vma_merge), @@ -1744,6 +1746,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr, goto unacct_error; } + vma_get_encrypt_ref(vma); vma->vm_mm = mm; vma->vm_start = addr; vma->vm_end = addr + len; @@ -1839,6 +1842,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr, unmap_and_free_vma: vma->vm_file = NULL; fput(file); + vma_put_encrypt_ref(vma); /* Undo any partial mapping done by a device driver. */ unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); @@ -2653,6 +2657,7 @@ int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT); } + vma_get_encrypt_ref(new); err = vma_dup_policy(vma, new); if (err) goto out_free_vma; 
@@ -2686,6 +2691,7 @@ int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma, out_free_mpol: mpol_put(vma_policy(new)); out_free_vma: + vma_put_encrypt_ref(new); kmem_cache_free(vm_area_cachep, new); return err; } @@ -3007,6 +3013,7 @@ static int do_brk_flags(unsigned long addr, unsigned long len, unsigned long fla return -ENOMEM; } + vma_get_encrypt_ref(vma); INIT_LIST_HEAD(&vma->anon_vma_chain); vma->vm_mm = mm; vma->vm_ops = &anon_vm_ops; @@ -3229,6 +3236,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, new_vma->vm_pgoff = pgoff; if (vma_dup_policy(vma, new_vma)) goto out_free_vma; + vma_get_encrypt_ref(new_vma); INIT_LIST_HEAD(&new_vma->anon_vma_chain); if (anon_vma_clone(new_vma, vma)) goto out_free_mempol; @@ -3243,6 +3251,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, out_free_mempol: mpol_put(vma_policy(new_vma)); + vma_put_encrypt_ref(new_vma); out_free_vma: kmem_cache_free(vm_area_cachep, new_vma); out: @@ -3372,6 +3381,9 @@ static struct vm_area_struct *__install_special_mapping( if (unlikely(vma == NULL)) return ERR_PTR(-ENOMEM); + /* Do not expect a memory encrypted vma here */ + VM_WARN_ON(vma_keyid(vma)); + INIT_LIST_HEAD(&vma->anon_vma_chain); vma->vm_mm = mm; vma->vm_start = addr; diff --git a/mm/nommu.c b/mm/nommu.c index 73f66e81cfb0..85f04c174638 100644 --- a/mm/nommu.c +++ b/mm/nommu.c @@ -769,6 +769,7 @@ static void delete_vma(struct mm_struct *mm, struct vm_area_struct *vma) if (vma->vm_file) fput(vma->vm_file); put_nommu_region(vma->vm_region); + vma_put_encrypt_ref(vma); kmem_cache_free(vm_area_cachep, vma); } @@ -1215,6 +1216,7 @@ unsigned long do_mmap(struct file *file, if (!vma) goto error_getting_vma; + vma_get_encrypt_ref(vma); region->vm_usage = 1; region->vm_flags = vm_flags; region->vm_pgoff = pgoff; 
@@ -1375,6 +1377,7 @@ unsigned long do_mmap(struct file *file, kmem_cache_free(vm_region_jar, region); if (vma->vm_file) fput(vma->vm_file); + vma_put_encrypt_ref(vma); kmem_cache_free(vm_area_cachep, vma); return ret; 
@@ -1486,6 +1489,7 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma, *new = *vma; *region = *vma->vm_region; new->vm_region = region; + vma_get_encrypt_ref(new); npages = (addr - vma->vm_start) >> PAGE_SHIFT;
From patchwork Fri Sep 7 22:37:51 2018
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10592673
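Review bot: in the mmap_region() hunk at -1744 of [RFC 08/12], and likewise in do_brk_flags() and the nommu do_mmap(), vma_get_encrypt_ref(vma) is called immediately after the allocation check, before vma->vm_page_prot is assigned. mprotect_set_encrypt() in this same patch shows the keyid living in vm_page_prot, so the helper's vma_keyid() test runs on protection bits that have not been filled in yet. Move the get to after vm_page_prot is set, or drop these calls and add a comment that a new VMA only gains a reference through mprotect_set_encrypt().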
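Review bot: the put added under unmap_and_free_vma: in mmap_region() ([RFC 08/12], hunk at -1839) sits before unmap_region(), unlike the other error paths in this patch where vma_put_encrypt_ref() is placed directly before kmem_cache_free(). Please confirm that every path which frees this vma passes through that label; putting the call next to the free, as in remove_vma() and __split_vma(), would make the pairing checkable by inspection.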
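Review bot: VM_WARN_ON(vma_keyid(vma)) in __install_special_mapping() ([RFC 08/12], hunk at -3372) is evaluated right after the NULL check, before vm_mm, vm_start or any other field of the new vma is set, so it cannot observe an encrypted special mapping. Test it once vm_page_prot has been assigned, or remove it and state the invariant in the comment instead.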
Date: Fri, 7 Sep 2018 15:37:51 -0700
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: Kai Huang, Jun Nakajima, Kirill Shutemov, Dave Hansen, Jarkko Sakkinen, jmorris@namei.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-mm@kvack.org
Subject: [RFC 09/12] mm: Restrict memory encryption to anonymous VMA's

Memory encryption is only supported for mappings that are ANONYMOUS. Test the entire range of VMA's in an encrypt_mprotect() request to make sure they all meet that requirement before encrypting any.

The encrypt_mprotect syscall will return -EINVAL and will not encrypt any VMA's if this check fails.

Signed-off-by: Alison Schofield
--- mm/mprotect.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/mm/mprotect.c b/mm/mprotect.c index 6c2e1106525c..3384b755aad1 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -311,6 +311,24 @@ unsigned long change_protection(struct vm_area_struct *vma, unsigned long start, return pages; } +/* + * Encrypted mprotect is only supported on anonymous mappings. + * All VMA's in the requested range must be anonymous. If this + * test fails on any single VMA, the entire mprotect request fails. + */ +bool mem_supports_encryption(struct vm_area_struct *vma, unsigned long end) +{ + struct vm_area_struct *test_vma = vma; + + do { + if (!vma_is_anonymous(test_vma)) + return false; + + test_vma = test_vma->vm_next; + } while (test_vma && test_vma->vm_start < end); + return true; +} + int mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, unsigned long start, unsigned long end, unsigned long newflags, 
@@ -491,6 +509,10 @@ static int do_mprotect_ext(unsigned long start, size_t len, goto out; } } + if (keyid > 0 && !mem_supports_encryption(vma, end)) { + error = -EINVAL; + goto out; + } if (start > vma->vm_start) prev = vma;
From patchwork Fri Sep 7 22:38:10 2018
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10592677
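Review bot: mem_supports_encryption() in the first mm/mprotect.c hunk of [RFC 09/12] is defined without static and the patch adds no prototype, while its only visible caller is do_mprotect_ext() in the same file; mark it static. The comment should also say that the walk over vm_next only tests VMAs that exist, so gaps inside the requested range are not detected by this helper.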
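Review bot: the guard added to do_mprotect_ext() in [RFC 09/12] is "keyid > 0", while encrypt_mprotect() only rejects "!keyid", so a negative keyid would skip the anonymous-only check and fall through to the rest of do_mprotect_ext(). Either reject keyid < 0 with -EINVAL before this point or make both tests agree on what a valid keyid is.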
Date: Fri, 7 Sep 2018 15:38:10 -0700
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: Kai Huang, Jun Nakajima, Kirill Shutemov, Dave Hansen, Jarkko Sakkinen, jmorris@namei.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-mm@kvack.org
Subject: [RFC 10/12] x86/pconfig: Program memory encryption keys on a system-wide basis
Message-ID: <0947e4ad711e8b7c1f581a446e808f514620b49b.1536356108.git.alison.schofield@intel.com>

The kernel manages the MKTME (Multi-Key Total Memory Encryption) Keys as a system wide single pool of keys. The hardware, however, manages the keys on a per physical package basis. Each physical package maintains a key table that all CPU's in that package share.

In order to maintain the consistent, system wide view that the kernel requires, program all physical packages during a key program request.

Signed-off-by: Alison Schofield
--- arch/x86/include/asm/intel_pconfig.h | 42 ++++++++++++++++++++++++++++++------ 1 file changed, 36 insertions(+), 6 deletions(-) diff --git a/arch/x86/include/asm/intel_pconfig.h b/arch/x86/include/asm/intel_pconfig.h index 3cb002b1d0f9..d3bf0a297e89 100644 --- a/arch/x86/include/asm/intel_pconfig.h +++ b/arch/x86/include/asm/intel_pconfig.h @@ -3,6 +3,7 @@ #include #include +#include enum pconfig_target { INVALID_TARGET = 0, 
@@ -47,19 +48,48 @@ struct mktme_key_program { u8 key_field_2[64]; } __packed __aligned(256); -static inline int mktme_key_program(struct mktme_key_program *key_program) +struct mktme_key_program_info { + struct mktme_key_program *key_program; + unsigned long status; +}; + +static void mktme_package_program(void *key_program_info) { + struct mktme_key_program_info *info = key_program_info; unsigned long rax = MKTME_KEY_PROGRAM; + asm volatile(PCONFIG + : "=a" (rax), "=b" (info->key_program) + : "0" (rax), "1" (info->key_program) + : "memory", "cc"); + + if (rax != MKTME_PROG_SUCCESS) + WRITE_ONCE(info->status, rax); +} + +/* + * MKTME keys are managed as a system-wide single pool of keys. + * In the hardware, each physical package maintains a separate key + * table. Program all physical packages with the same key info to + * maintain that system-wide kernel view. + */ +static inline int mktme_key_program(struct mktme_key_program *key_program, + cpumask_var_t mktme_cpumask) +{ + struct mktme_key_program_info info = { + .key_program = key_program, + .status = MKTME_PROG_SUCCESS, + }; + if (!pconfig_target_supported(MKTME_TARGET)) return -ENXIO; - asm volatile(PCONFIG - : "=a" (rax), "=b" (key_program) - : "0" (rax), "1" (key_program) - : "memory", "cc"); + get_online_cpus(); + on_each_cpu_mask(mktme_cpumask, mktme_package_program, + &info, 1); + put_online_cpus(); - return rax; + return info.status; } #endif /* _ASM_X86_INTEL_PCONFIG_H */ From patchwork Fri Sep 7 22:38:36 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alison Schofield X-Patchwork-Id: 10592681 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 260061515 for ; Fri, 7 Sep 2018 22:37:59 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with 
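Review bot: in mktme_key_program() (arch/x86/include/asm/intel_pconfig.h), a failure on one package is not rolled back on the packages where PCONFIG already succeeded, so the per-package key tables can diverge and the "system-wide kernel view" promised by the comment no longer holds; the caller only sees whichever non-success status mktme_package_program() wrote last. Consider clearing the keyid on every package in mktme_cpumask when info.status != MKTME_PROG_SUCCESS, or document that the caller must do so. Two smaller points in the same hunk: mktme_package_program() is a plain static function defined in a header and should be static inline or move to a .c file, and info.status is an unsigned long that is returned through an int.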
Date: Fri, 7 Sep 2018 15:38:36 -0700
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: Kai Huang, Jun Nakajima, Kirill Shutemov, Dave Hansen, Jarkko Sakkinen, jmorris@namei.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-mm@kvack.org
Subject: [RFC 11/12] keys/mktme: Add a new key service type for memory encryption keys
Message-ID: <1a14a6feb02f968c5e6b98360f6f16106b633b58.1536356108.git.alison.schofield@intel.com>

MKTME (Multi-Key Total Memory Encryption) is a technology that allows transparent memory encryption in upcoming Intel platforms. MKTME will support multiple encryption domains, each having their own key. The main use case for the feature is virtual machine isolation. The API needs the flexibility to work for a wide range of uses.

The MKTME key service type manages the addition and removal of the memory encryption keys. It maps software keys to hardware keyids and programs the hardware with the user requested encryption options. The only supported encryption algorithm is AES-XTS 128.

The MKTME key service is half of the MKTME API level solution. It pairs with a new memory encryption system call: encrypt_mprotect() that uses the keys to encrypt memory.

See Documentation/x86/mktme-keys.txt

Signed-off-by: Alison Schofield
---
 arch/x86/Kconfig | 1 +
 include/keys/mktme-type.h | 28 +++++
 security/keys/Kconfig | 11 ++
 security/keys/Makefile | 1 +
 security/keys/mktme_keys.c | 278 +++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 319 insertions(+)
 create mode 100644 include/keys/mktme-type.h
 create mode 100644 security/keys/mktme_keys.c
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 023a22568c06..50d8aa6a58e9 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1527,6 +1527,7 @@ config X86_INTEL_MKTME bool "Intel Multi-Key Total Memory Encryption" select DYNAMIC_PHYSICAL_MASK select PAGE_EXTENSION + select MKTME_KEYS depends on X86_64 && CPU_SUP_INTEL ---help--- Say yes to enable support for Multi-Key Total Memory Encryption. diff --git a/include/keys/mktme-type.h b/include/keys/mktme-type.h new file mode 100644 index 000000000000..bebe74cb2b51 --- /dev/null +++ b/include/keys/mktme-type.h @@ -0,0 +1,28 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + +/* + * Key service for Multi-KEY Total Memory Encryption + */ + +#ifndef _KEYS_MKTME_TYPE_H +#define _KEYS_MKTME_TYPE_H + +#include + +/* + * The AES-XTS 128 encryption algorithm requires 128 bits for each + * user supplied option: userkey=, tweak=, entropy=. + */ +#define MKTME_AES_XTS_SIZE 16 + +enum mktme_alg { + MKTME_ALG_AES_XTS_128, +}; + +const char *const mktme_alg_names[] = { + [MKTME_ALG_AES_XTS_128] = "aes_xts_128", +}; + +extern struct key_type key_type_mktme; + +#endif /* _KEYS_MKTME_TYPE_H */ diff --git a/security/keys/Kconfig b/security/keys/Kconfig index 6462e6654ccf..c36972113e67 100644 --- a/security/keys/Kconfig +++ b/security/keys/Kconfig @@ -101,3 +101,14 @@ config KEY_DH_OPERATIONS in the kernel. If you are unsure as to whether this is required, answer N. + +config MKTME_KEYS + bool "Multi-Key Total Memory Encryption Keys" + depends on KEYS && X86_INTEL_MKTME + help + This option provides support for Multi-Key Total Memory + Encryption (MKTME) on Intel platforms offering the feature. + MKTME allows userspace to manage the hardware encryption + keys through the kernel key services. + + If you are unsure as to whether this is required, answer N. diff --git a/security/keys/Makefile b/security/keys/Makefile index ef1581b337a3..2d9f9a82cb8a 100644 --- a/security/keys/Makefile +++ b/security/keys/Makefile 
@@ -29,3 +29,4 @@ obj-$(CONFIG_KEY_DH_OPERATIONS) += dh.o obj-$(CONFIG_BIG_KEYS) += big_key.o obj-$(CONFIG_TRUSTED_KEYS) += trusted.o obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys/ +obj-$(CONFIG_MKTME_KEYS) += mktme_keys.o diff --git a/security/keys/mktme_keys.c b/security/keys/mktme_keys.c new file mode 100644 index 000000000000..dcbce7194647 --- /dev/null +++ b/security/keys/mktme_keys.c 
@@ -0,0 +1,278 @@ +// SPDX-License-Identifier: GPL-3.0 + +/* Documentation/x86/mktme-keys.txt */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "internal.h" + +struct kmem_cache *mktme_prog_cache; /* hardware programming struct */ +cpumask_var_t mktme_cpumask; /* one cpu per pkg to program keys */ + +static const char * const mktme_program_err[] = { + "KeyID was successfully programmed", /* 0 */ + "Invalid KeyID programming command", /* 1 */ + "Insufficient entropy", /* 2 */ + "KeyID not valid", /* 3 */ + "Invalid encryption algorithm chosen", /* 4 */ + "Failure to access key table", /* 5 */ +}; + +/* If a key is available, program and add the key to the software map. */ +static int mktme_program_key(key_serial_t serial, + struct mktme_key_program *kprog) +{ + int keyid, ret; + + keyid = mktme_map_get_free_keyid(); + if (keyid == 0) + return -EDQUOT; + + kprog->keyid = keyid; + ret = mktme_key_program(kprog, mktme_cpumask); + if (ret == MKTME_PROG_SUCCESS) + mktme_map_set_keyid(keyid, serial); + else + pr_debug("mktme: %s [%d]\n", mktme_program_err[ret], ret); + + return ret; +} + +enum mktme_opt_id { + OPT_ERROR = -1, + OPT_USERKEY, + OPT_TWEAK, + OPT_ENTROPY, + OPT_ALGORITHM, +}; + +static const match_table_t mktme_token = { + {OPT_USERKEY, "userkey=%s"}, + {OPT_TWEAK, "tweak=%s"}, + {OPT_ENTROPY, "entropy=%s"}, + {OPT_ALGORITHM, "algorithm=%s"}, + {OPT_ERROR, NULL} + +}; + +/* + * Algorithm AES-XTS 128 is the only supported encryption algorithm. + * CPU Generated Key: requires user supplied entropy and accepts no + * other options. + * User Supplied Key: requires user supplied tweak key and accepts + * no other options. 
+ */ +static int mktme_check_options(struct mktme_key_program *kprog, + unsigned long token_mask) +{ + if (!token_mask) + return -EINVAL; + + kprog->keyid_ctrl |= MKTME_AES_XTS_128; + + if (!test_bit(OPT_USERKEY, &token_mask)) { + if ((!test_bit(OPT_ENTROPY, &token_mask)) || + (test_bit(OPT_TWEAK, &token_mask))) + return -EINVAL; + + kprog->keyid_ctrl |= MKTME_KEYID_SET_KEY_RANDOM; + } + if (test_bit(OPT_USERKEY, &token_mask)) { + if ((test_bit(OPT_ENTROPY, &token_mask)) || + (!test_bit(OPT_TWEAK, &token_mask))) + return -EINVAL; + + kprog->keyid_ctrl |= MKTME_KEYID_SET_KEY_DIRECT; + } + return 0; +} + +/* + * Parse the options and begin to fill in the key programming struct kprog. + * Check the lengths of incoming data and push data directly into kprog fields. + */ +static int mktme_get_options(char *options, struct mktme_key_program *kprog) +{ + int len = MKTME_AES_XTS_SIZE / 2; + substring_t args[MAX_OPT_ARGS]; + unsigned long token_mask = 0; + enum mktme_alg alg; + char *p = options; + int ret, token; + + while ((p = strsep(&options, " \t"))) { + if (*p == '\0' || *p == ' ' || *p == '\t') + continue; + token = match_token(p, mktme_token, args); + if (test_and_set_bit(token, &token_mask)) + return -EINVAL; + + switch (token) { + case OPT_USERKEY: + if (strlen(args[0].from) != MKTME_AES_XTS_SIZE) + return -EINVAL; + ret = hex2bin(kprog->key_field_1, args[0].from, len); + if (ret < 0) + return -EINVAL; + break; + + case OPT_TWEAK: + if (strlen(args[0].from) != MKTME_AES_XTS_SIZE) + return -EINVAL; + ret = hex2bin(kprog->key_field_2, args[0].from, len); + if (ret < 0) + return -EINVAL; + break; + + case OPT_ENTROPY: + if (strlen(args[0].from) != MKTME_AES_XTS_SIZE) + return -EINVAL; + /* Applied to both CPU-generated data and tweak keys */ + ret = hex2bin(kprog->key_field_1, args[0].from, len); + ret = hex2bin(kprog->key_field_2, args[0].from, len); + if (ret < 0) + return -EINVAL; + break; + + case OPT_ALGORITHM: + alg = match_string(mktme_alg_names, + 
ARRAY_SIZE(mktme_alg_names), + args[0].from); + if (alg != MKTME_ALG_AES_XTS_128) + return -EINVAL; + break; + + default: + return -EINVAL; + } + } + return mktme_check_options(kprog, token_mask); +} + +/* Key Service Command: Creates a software key and programs hardware */ +int mktme_instantiate(struct key *key, struct key_preparsed_payload *prep) +{ + struct mktme_key_program *kprog = NULL; + size_t datalen = prep->datalen; + char *options; + int ret = 0; + + if (!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) + return -EACCES; + + if (datalen <= 0 || datalen > 1024 || !prep->data) + return -EINVAL; + + options = kmemdup(prep->data, datalen + 1, GFP_KERNEL); + if (!options) + return -ENOMEM; + + options[datalen] = '\0'; + + kprog = kmem_cache_zalloc(mktme_prog_cache, GFP_KERNEL); + if (!kprog) { + kzfree(options); + return -ENOMEM; + } + ret = mktme_get_options(options, kprog); + if (ret < 0) + goto out; + + mktme_map_lock(); + ret = mktme_program_key(key->serial, kprog); + mktme_map_unlock(); +out: + kzfree(options); + kmem_cache_free(mktme_prog_cache, kprog); + return ret; +} + +struct key_type key_type_mktme = { + .name = "mktme", + .instantiate = mktme_instantiate, + .describe = user_describe, +}; + +/* + * Build mktme_cpumask to include one cpu per physical package. + * The mask is used in mktme_key_program() when the hardware key + * table is programmed on a per package basis. 
+ */ +static int mktme_build_cpumask(void) +{ + int online_cpu, mktme_cpu; + int online_pkgid, mktme_pkgid = -1; + + if (!zalloc_cpumask_var(&mktme_cpumask, GFP_KERNEL)) + return -ENOMEM; + + for_each_online_cpu(online_cpu) { + online_pkgid = topology_physical_package_id(online_cpu); + + for_each_cpu(mktme_cpu, mktme_cpumask) { + mktme_pkgid = topology_physical_package_id(mktme_cpu); + if (mktme_pkgid == online_pkgid) + break; + } + if (mktme_pkgid != online_pkgid) + cpumask_set_cpu(online_cpu, mktme_cpumask); + } + return 0; +} + +/* + * Allocate the global key map structure based on the available keyids + * at boot time. Create a cache and a cpu_mask to use for programming + * the hardware. Initialize the encrypt_count array to track VMA's per + * keyid. Once all that succeeds, register the 'mktme' key type. + */ +static int __init init_mktme(void) +{ + int ret; + + /* Verify keys are present */ + if (!(mktme_nr_keyids > 0)) + return -EINVAL; + + if (!mktme_map_alloc()) + return -ENOMEM; + + mktme_prog_cache = KMEM_CACHE(mktme_key_program, SLAB_PANIC); + if (!mktme_prog_cache) + goto free_map; + + if (vma_alloc_encrypt_array() < 0) + goto free_cache; + + if (mktme_build_cpumask() < 0) + goto free_array; + + ret = register_key_type(&key_type_mktme); + if (!ret) + return ret; + + free_cpumask_var(mktme_cpumask); +free_array: + vma_free_encrypt_array(); +free_cache: + kmem_cache_destroy(mktme_prog_cache); +free_map: + mktme_map_free(); + + return -ENOMEM; +} + +late_initcall(init_mktme); From patchwork Fri Sep 7 22:39:04 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alison Schofield X-Patchwork-Id: 10592685 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B2A8714E2 for ; Fri, 7 Sep 2018 22:38:31 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost 
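Review bot: mktme_alg_names[] in include/keys/mktme-type.h is a definition with external linkage rather than a declaration, so every file that includes the header emits its own copy and a second includer breaks the link. Keep only an extern declaration in the header and define the array in security/keys/mktme_keys.c, or make it static there if nothing else needs it.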
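Review bot: in mktme_get_options() (security/keys/mktme_keys.c), test_and_set_bit(token, &token_mask) runs before token is validated, and match_token() returns OPT_ERROR (-1) for an unrecognised option, so the bit operation lands outside token_mask; reject OPT_ERROR before touching the mask. Further points in the same new file: the length checks accept 16 hex characters and hex2bin() is given len = MKTME_AES_XTS_SIZE / 2, which stores 8 bytes per field although the header comment says each option needs 128 bits; in the OPT_ENTROPY case the result of the first hex2bin() is overwritten by the second; mktme_instantiate() calls kmemdup(prep->data, datalen + 1, GFP_KERNEL) and so reads one byte past the payload (kmemdup_nul() fits here); mktme_program_key() indexes mktme_program_err[ret] without a range check while ret can be -ENXIO from mktme_key_program(), and positive hardware status codes are passed back from .instantiate where callers expect 0 or a negative errno; the SPDX tag says GPL-3.0 while the header added by this patch says GPL-2.0.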
Date: Fri, 7 Sep 2018 15:39:04 -0700
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: Kai Huang, Jun Nakajima, Kirill Shutemov, Dave Hansen, Jarkko Sakkinen, jmorris@namei.org, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, mingo@redhat.com, hpa@zytor.com, x86@kernel.org, linux-mm@kvack.org
Subject: [RFC 12/12] keys/mktme: Do not revoke in use memory encryption keys

The MKTME key service maps userspace keys to hardware keyids. Those keys are used in a new system call that encrypts memory. The keys need to be tightly controlled. One example is that userspace keys should not be revoked while the hardware keyid slot is still in use.

The KEY_FLAG_KEEP bit offers good control. The mktme service uses that flag to prevent userspace keys from going away without proper synchronization with the mktme service type.

The problem is that we need a safe and synchronous way to revoke keys. The way .revoke methods function now, the key service type is called late in the revoke process for cleanup after the fact. The mktme key service has no means to consider and perhaps reject the revoke request.

This proposal inserts the MKTME revoke call earlier into the existing keyctl path. If it is safe to revoke the key, MKTME key service will turn off KEY_FLAG_KEEP and let the revoke continue and succeed. Otherwise, not safe, KEY_FLAG_KEEP stays on, which causes the normal path of revoke to fail.

For the MKTME Key Service, a revoke may be done safely when there are no outstanding memory mappings encrypted with the key being revoked.
Signed-off-by: Alison Schofield --- security/keys/internal.h | 6 ++++++ security/keys/keyctl.c | 7 +++++++ security/keys/mktme_keys.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 60 insertions(+) diff --git a/security/keys/internal.h b/security/keys/internal.h index 9f8208dc0e55..9fb871522efe 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h @@ -316,4 +316,10 @@ static inline void key_check(const struct key *key) #endif +#ifdef CONFIG_MKTME_KEYS +extern void mktme_revoke_key(struct key *key); +#else +static inline void mktme_revoke_key(struct key *key) {} +#endif /* CONFIG_MKTME_KEYS */ + #endif /* _INTERNAL_H */ diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 1ffe60bb2845..86d2596ff275 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -363,6 +363,9 @@ long keyctl_update_key(key_serial_t id, * and any links to the key will be automatically garbage collected after a * certain amount of time (/proc/sys/kernel/keys/gc_delay). * + * The MKTME key service type checks if a memory encryption key is in use + * before allowing a revoke to proceed. + * * Keys with KEY_FLAG_KEEP set should not be revoked. * * If successful, 0 is returned. @@ -387,6 +390,10 @@ long keyctl_revoke_key(key_serial_t id) key = key_ref_to_ptr(key_ref); ret = 0; + + if (strcmp(key->type->name, "mktme") == 0) + mktme_revoke_key(key); + if (test_bit(KEY_FLAG_KEEP, &key->flags)) ret = -EPERM; else diff --git a/security/keys/mktme_keys.c b/security/keys/mktme_keys.c index dcbce7194647..c665be860538 100644 --- a/security/keys/mktme_keys.c +++ b/security/keys/mktme_keys.c 
@@ -31,6 +31,52 @@ static const char * const mktme_program_err[] = { "Failure to access key table", /* 5 */ }; +static int mktme_clear_programmed_key(int keyid) +{ + struct mktme_key_program *kprog = NULL; + int ret; + + kprog = kmem_cache_zalloc(mktme_prog_cache, GFP_KERNEL); + if (!kprog) + return -ENOMEM; + + kprog->keyid = keyid; + kprog->keyid_ctrl = MKTME_KEYID_CLEAR_KEY; + ret = mktme_key_program(kprog, mktme_cpumask); + if (ret == MKTME_PROG_SUCCESS) + mktme_map_clear_keyid(keyid); + else + pr_debug("mktme: %s [%d]\n", mktme_program_err[ret], ret); + + kmem_cache_free(mktme_prog_cache, kprog); + return ret; +} + +/* + * If the key is not in use, clear the hardware programming and + * allow the revoke to continue by clearing KEY_FLAG_KEEP. + */ +void mktme_revoke_key(struct key *key) +{ + int keyid, vma_count; + + mktme_map_lock(); + keyid = mktme_map_keyid_from_serial(key->serial); + if (keyid <= 0) + goto out; + + vma_count = vma_read_encrypt_ref(keyid); + if (vma_count > 0) { + pr_debug("mktme not freeing keyid[%d] encrypt_count[%d]\n", + keyid, vma_count); + goto out; + } + if (!mktme_clear_programmed_key(keyid)) + clear_bit(KEY_FLAG_KEEP, &key->flags); +out: + mktme_map_unlock(); +} + /* If a key is available, program and add the key to the software map. */ static int mktme_program_key(key_serial_t serial, struct mktme_key_program *kprog) @@ -193,6 +239,7 @@ int mktme_instantiate(struct key *key, struct key_preparsed_payload *prep) mktme_map_lock(); ret = mktme_program_key(key->serial, kprog); + set_bit(KEY_FLAG_KEEP, &key->flags); mktme_map_unlock(); out: kzfree(options);
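Review bot: keyctl_revoke_key() in security/keys/keyctl.c picks out the key type with strcmp(key->type->name, "mktme"), which hard-codes one service into the generic revoke path and does a string compare on every revoke. Compare key->type against &key_type_mktme, or add an optional pre-revoke hook to struct key_type that can veto the request, so that the decision is not communicated only through the side effect of a void mktme_revoke_key() on KEY_FLAG_KEEP.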
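Review bot: mktme_revoke_key() in security/keys/mktme_keys.c leaves KEY_FLAG_KEEP set when mktme_map_keyid_from_serial() returns keyid <= 0, so a key that holds no hardware slot can never be revoked; clear the flag on that path. In the same hunk, mktme_clear_programmed_key() allocates with GFP_KERNEL while mktme_map_lock() is held, unlike mktme_instantiate() which allocates before taking it, and it indexes mktme_program_err[ret] with an unchecked ret that can be -ENXIO. The vma_read_encrypt_ref() test is also only race-free if the path that creates a new encrypted mapping takes mktme_map_lock as well, which these lines do not show; please state that in the comment.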
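Review bot: the set_bit(KEY_FLAG_KEEP, &key->flags) added to mktme_instantiate() runs whatever mktme_program_key() returned, so a key whose programming failed is still marked KEEP, and because it has no keyid mktme_revoke_key() will never clear the flag again. Set the flag only when ret == MKTME_PROG_SUCCESS.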