From patchwork Tue Dec 4 07:39:48 2018
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10711227
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: jmorris@namei.org, mingo@redhat.com, hpa@zytor.com, bp@alien8.de, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, dave.hansen@intel.com, kai.huang@intel.com, jun.nakajima@intel.com, dan.j.williams@intel.com, jarkko.sakkinen@intel.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org
Subject: [RFC v2 01/13] x86/mktme: Document the MKTME APIs
Date: Mon, 3 Dec 2018 23:39:48 -0800

This includes an overview, a section on each API: MKTME Keys and system call encrypt_mprotect(), and a demonstration program. (Some of this info is destined for man pages.)

Change-Id: I34dc9ff1a1308c057ec4bb3e652c4d7ce6995606
Signed-off-by: Alison Schofield
Signed-off-by: Kirill A. Shutemov
--- Documentation/x86/mktme/index.rst | 11 +++ Documentation/x86/mktme/mktme_demo.rst | 53 ++++++++++++++ Documentation/x86/mktme/mktme_encrypt.rst | 58 +++++++++++++++ Documentation/x86/mktme/mktme_keys.rst | 109 +++++++++++++++++++++++++++++ Documentation/x86/mktme/mktme_overview.rst | 60 ++++++++++++++++ 5 files changed, 291 insertions(+) create mode 100644 Documentation/x86/mktme/index.rst create mode 100644 Documentation/x86/mktme/mktme_demo.rst create mode 100644 Documentation/x86/mktme/mktme_encrypt.rst create mode 100644 Documentation/x86/mktme/mktme_keys.rst create mode 100644 Documentation/x86/mktme/mktme_overview.rst diff --git a/Documentation/x86/mktme/index.rst b/Documentation/x86/mktme/index.rst new file mode 100644 index 000000000000..8c556d04cbc4 --- /dev/null +++ b/Documentation/x86/mktme/index.rst 
@@ -0,0 +1,11 @@ + +============================================= +Multi-Key Total Memory Encryption (MKTME) API +============================================= + +.. toctree:: + + mktme_overview + mktme_keys + mktme_encrypt + mktme_demo diff --git a/Documentation/x86/mktme/mktme_demo.rst b/Documentation/x86/mktme/mktme_demo.rst new file mode 100644 index 000000000000..afd50772e65d --- /dev/null +++ b/Documentation/x86/mktme/mktme_demo.rst @@ -0,0 +1,53 @@ +Demonstration Program using MKTME API's +======================================= + +/* Compile with the keyutils library: cc -o mdemo mdemo.c -lkeyutils */ + +#include +#include +#include +#include +#include +#include +#include + +#define PAGE_SIZE sysconf(_SC_PAGE_SIZE) +#define sys_encrypt_mprotect 335 + +void main(void) +{ + char *options_CPU = "algorithm=aes-xts-128 type=cpu"; + long size = PAGE_SIZE; + key_serial_t key; + void *ptra; + int ret; + + /* Allocate an MKTME Key */ + key = add_key("mktme", "testkey", options_CPU, strlen(options_CPU), + KEY_SPEC_THREAD_KEYRING); + + if (key == -1) { + printf("addkey FAILED\n"); + return; + } + /* Map a page of ANONYMOUS memory */ + ptra = mmap(NULL, size, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0); + if (!ptra) { + printf("failed to mmap"); + goto inval_key; + } + /* Encrypt that page of memory with the MKTME Key */ + ret = syscall(sys_encrypt_mprotect, ptra, size, PROT_NONE, key); + if (ret) + printf("mprotect error [%d]\n", ret); + + /* Enjoy that page of encrypted memory */ + + /* Free the memory */ + ret = munmap(ptra, size); + +inval_key: + /* Free the Key */ + if (keyctl(KEYCTL_INVALIDATE, key) == -1) + printf("invalidate failed on key [%d]\n", key); +} diff --git a/Documentation/x86/mktme/mktme_encrypt.rst b/Documentation/x86/mktme/mktme_encrypt.rst new file mode 100644 index 000000000000..ede5237183fc --- /dev/null +++ b/Documentation/x86/mktme/mktme_encrypt.rst 
@@ -0,0 +1,58 @@ +MKTME API: system call encrypt_mprotect() +========================================= + +Synopsis +-------- +int encrypt_mprotect(void \*addr, size_t len, int prot, key_serial_t serial); + +Where *key_serial_t serial* is the serial number of a key allocated +using the MKTME Key Service. + +Description +----------- + encrypt_mprotect() encrypts the memory pages containing any part + of the address range in the interval specified by addr and len. + + encrypt_mprotect() supports the legacy mprotect() behavior plus + the enabling of memory encryption. That means that in addition + to encrypting the memory, the protection flags will be updated + as requested in the call. + + The *addr* and *len* must be aligned to a page boundary. + + The caller must have *KEY_NEED_VIEW* permission on the key. + + The range of memory that is to be protected must be mapped as + *ANONYMOUS*. + +Errors +------ + In addition to the Errors returned from legacy mprotect() + encrypt_mprotect will return: + + ENOKEY *serial* parameter does not represent a valid key. + + EINVAL *len* parameter is not page aligned. + + EACCES Caller does not have *KEY_NEED_VIEW* permission on the key. + +EXAMPLE +-------- + Allocate an MKTME Key:: + serial = add_key("mktme", "name", "type=cpu algorithm=aes-xts-128" @u + + Map ANONYMOUS memory:: + ptr = mmap(NULL, size, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0); + + Protect memory:: + ret = syscall(SYS_encrypt_mprotect, ptr, size, PROT_READ|PROT_WRITE, + serial); + + Use the encrypted memory + + Free memory:: + ret = munmap(ptr, size); + + Free the key resource:: + ret = keyctl(KEYCTL_INVALIDATE, serial); + diff --git a/Documentation/x86/mktme/mktme_keys.rst b/Documentation/x86/mktme/mktme_keys.rst new file mode 100644 index 000000000000..5837909b2c54 --- /dev/null +++ b/Documentation/x86/mktme/mktme_keys.rst 
@@ -0,0 +1,109 @@ +MKTME Key Service API +===================== +MKTME is a new key service type added to the Linux Kernel Key Service. + +The MKTME Key Service type is available when CONFIG_X86_INTEL_MKTME is +turned on in Intel platforms that support the MKTME feature. + +The MKTME Key Service type manages the allocation of hardware encryption +keys. Users can request an MKTME type key and then use that key to +encrypt memory with the encrypt_mprotect() system call. + +Usage +----- + When using the Kernel Key Service to request an *mktme* key, + specify the *payload* as follows: + + type= + *user* User will supply the encryption key data. Use this + type to directly program a hardware encryption key. + + *cpu* User requests a CPU generated encryption key. + The CPU generates and assigns an ephemeral key. + + *clear* User requests that a hardware encryption key be + cleared. This will clear the encryption key from + the hardware. On execution this hardware key gets + TME behavior. + + *no-encrypt* + User requests that hardware does not encrypt + memory when this key is in use. + + algorithm= + When type=user or type=cpu the algorithm field must be + *aes-xts-128* + + When type=clear or type=no-encrypt the algorithm field + must not be present in the payload. + + key= + When type=user the user must supply a 128 bit encryption + key as exactly 32 ASCII hexadecimal characters. + + When type=cpu the user may optionally supply 128 bits of + entropy for the CPU generated encryption key in this field. + It must be exactly 32 ASCII hexadecimal characters. + + When type=clear or type=no-encrypt this key field must + not be present in the payload. + + tweak= + When type=user the user must supply a 128 bit tweak key + as exactly 32 ASCII hexadecimal characters. + + When type=cpu the user may optionally supply 128 bits of + entropy for the CPU generated tweak key in this field. It + must be exactly 32 ASCII hexadecimal characters. 
+ + When type=clear or type=no-encrypt the tweak field must + not be present in the payload. + +ERRORS +------ + In addition to the Errors returned from the Kernel Key Service, + add_key(2) or keyctl(1) commands, the MKTME Key Service type may + return the following errors: + + EINVAL for any payload specification that does not match the + MKTME type payload as defined above. + EACCES for access denied. MKTME key type uses capabilities to + restrict the allocation of keys. CAP_SYS_RESOURCE is + required, but it will accept the broader capability of + CAP_SYS_ADMIN. See capabilities(7). + + ENOKEY if a hardware key cannot be allocated. Additional error + messages will describe the hardware programming errors. + +EXAMPLES +-------- + Add a 'user' type key:: + + char \*options_USER = "type=user + algorithm=aes-xts-128 + key=12345678912345671234567891234567 + tweak=12345678912345671234567891234567"; + + key = add_key("mktme", "name", options_USER, strlen(options_USER), + KEY_SPEC_THREAD_KEYRING); + + Add a 'cpu' type key:: + + char \*options_USER = "type=cpu algorithm=aes-xts-128"; + + key = add_key("mktme", "name", options_CPU, strlen(options_CPU), + KEY_SPEC_THREAD_KEYRING); + + Update a key to 'Clear' type:: + + Note: This has the effect of clearing out the previously programmed + encryption data in the hardware. Use this to clear the hardware slot + prior to invalidating the key. + + ret = keyctl(KEYCTL_UPDATE, key, "type=clear", strlen(options_CLEAR); + + Add a "no-encrypt' type key:: + + key = add_key("mktme", "name", "no-encrypt", strlen(options_CPU), + KEY_SPEC_THREAD_KEYRING); + diff --git a/Documentation/x86/mktme/mktme_overview.rst b/Documentation/x86/mktme/mktme_overview.rst new file mode 100644 index 000000000000..cc2c4a8320e7 --- /dev/null +++ b/Documentation/x86/mktme/mktme_overview.rst 
@@ -0,0 +1,60 @@ +Overview +======== +MKTME (Multi-Key Total Memory Encryption) is a technology that allows +memory encryption on Intel platforms. The main use case for the feature +is virtual machine isolation. The API should apply to a wide range of +use cases. + +Find the Intel Architecture Specification for MKTME here: +https://software.intel.com/sites/default/files/managed/a5/16/Multi-Key-Total-Memory-Encryption-Spec.pdf + +The Encryption Process +---------------------- +Userspace will see MKTME encryption as a Step Process. + +Step 1: Use the MKTME Key Service API to allocate an encryption key. + +Step 2: Use the encrypt_mprotect() system call to protect memory + with the encryption key obtained in Step 1. + +Definitions +----------- +Keys: References to Keys in this document are to Userspace Keys. + These keys are requested by users and jointly managed by the + MKTME Key Service Type, and more broadly by the Kernel Key + Service of which MKTME is a part. + + This document does not intend to document KKS, but only the + MKTME type of the KKS. The options of the KKS can be grouped + into 2 classes for purposes of understanding how MKTME operates + within the broader KKS. + +KeyIDs: References to KeyIDs in this document are to the hardware KeyID + slots that are available on Intel Platforms. A KeyID is a + numerical index into a software programmable slot in the Intel + hardware. Refer to the Intel specification linked above for + details on the implementation of MKTME in Intel platforms. + +Key<-->KeyID Mapping: + The MKTME Key Service maintains a mapping between Keys and KeyIDS. + This mapping is known only to the kernel. Userspace does not need + to know which hardware KeyID slot it's Userspace Key has been + assigned. + +Configuration +------------- + +CONFIG_X86_INTEL_MKTME + MKTME is enabled by selecting CONFIG_X86_INTEL_MKTME on Intel + platforms supporting the MKTME feature. + +mktme_savekeys + mktme_savekeys is a kernel cmdline parameter. 
+ + This parameter allows the kernel to save the user specified + MKTME key payload. Saving this payload means that the MKTME + Key Service can always allow the addition of new physical + packages. If the mktme_savekeys parameter is not present, + users key data will not be saved, and new physical packages + may only be added to the system if no user type MKTME keys + are in use.
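Review bot: In Documentation/x86/mktme/mktme_demo.rst the mmap() failure test `if (!ptra)` never fires, because mmap() reports failure as MAP_FAILED rather than NULL; compare against MAP_FAILED so a failed mapping is not handed to encrypt_mprotect() and munmap(). The page is also mapped with PROT_NONE and then passed to the syscall with PROT_NONE again, so the "Enjoy that page" step has nothing it can read or write; pass PROT_READ|PROT_WRITE as the example in mktme_encrypt.rst does. When the syscall returns non-zero the demo only prints and carries on, so a reader cannot tell from the exit status whether the page was encrypted; declare `int main(void)` and return non-zero on each failure path. The hardcoded `#define sys_encrypt_mprotect 335` matches only the x86-64 table entry added in patch 03 (the i386 entry there is 387), which deserves a comment.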
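Review bot: The Errors list in Documentation/x86/mktme/mktme_encrypt.rst gives EINVAL only for an unaligned *len*, while the Description says both *addr* and *len* must be aligned to a page boundary; say what an unaligned *addr* returns, and what is returned when the range is not mapped ANONYMOUS. In the EXAMPLE, the add_key() line stops at `"type=cpu algorithm=aes-xts-128" @u`, with no payload length, no keyring argument and no closing parenthesis, which mixes keyctl command-line syntax into a C call; write out the full five-argument call as mktme_demo.rst does. The example spells the syscall number SYS_encrypt_mprotect where the demo defines sys_encrypt_mprotect; pick one. Since KEY_NEED_VIEW is the only permission checked before a key can be applied to memory, a sentence on why View is the right gate would help reviewers of the access model.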
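Review bot: The EXAMPLES in Documentation/x86/mktme/mktme_keys.rst contradict the payload rules in the Usage section of the same file: the 'no-encrypt' example passes the payload "no-encrypt" without `type=` and takes its length from strlen(options_CPU); the 'cpu' example declares options_USER but passes options_CPU; the 'Clear' example takes strlen(options_CLEAR), which is never defined, and is missing a closing parenthesis. The 'user' example splits one string literal across four lines, which does not compile and leaves it unclear whether fields are separated by spaces or newlines. Define one options_* string per example and use it for both the payload and its length. The 'user' sample also uses the same 32 hex characters for key= and tweak=; use distinct values, or state whether identical values are accepted.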
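Review bot: The mktme_savekeys paragraph in Documentation/x86/mktme/mktme_overview.rst says the kernel will save the user specified key payload but not where it is kept, for how long, or who can read it; for type=user keys this is raw key material, so document the retention and exposure so an administrator can weigh it against being able to add physical packages. Smaller points in the same file: "a Step Process" has lost its count, the "2 classes" of KKS options are announced but never listed, and "it's Userspace Key" and "users key data" need their apostrophes corrected.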
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: jmorris@namei.org, mingo@redhat.com, hpa@zytor.com, bp@alien8.de, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, dave.hansen@intel.com, kai.huang@intel.com, jun.nakajima@intel.com, dan.j.williams@intel.com, jarkko.sakkinen@intel.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org
Subject: [RFC v2 02/13] mm: Generalize the mprotect implementation to support extensions
Date: Mon, 3 Dec 2018 23:39:49 -0800
Message-Id: <3389bc8e46479ba102f88c157aebd49b905ac289.1543903910.git.alison.schofield@intel.com>

Today mprotect is implemented to support legacy mprotect behavior plus an extension for memory protection keys. Make it more generic so that it can support additional extensions in the future. This is done in preparation for adding a new system call for memory encryption keys. The intent is that the new encrypted mprotect will be another extension to legacy mprotect.

Change-Id: Ib09b9d1b605b12d0254d7fb4968dfcc8e3c79dd7
Signed-off-by: Alison Schofield
Signed-off-by: Kirill A. Shutemov
--- mm/mprotect.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/mm/mprotect.c b/mm/mprotect.c index df408956dccc..b57075e278fb 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -35,6 +35,8 @@ #include "internal.h" +#define NO_KEY -1 + static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd, unsigned long addr, unsigned long end, pgprot_t newprot, int dirty_accountable, int prot_numa) 
@@ -451,9 +453,9 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, } /* - * pkey==-1 when doing a legacy mprotect() + * When pkey==NO_KEY we get legacy mprotect behavior here. */ -static int do_mprotect_pkey(unsigned long start, size_t len, +static int do_mprotect_ext(unsigned long start, size_t len, unsigned long prot, int pkey) { unsigned long nstart, end, tmp, reqprot; @@ -577,7 +579,7 @@ static int do_mprotect_pkey(unsigned long start, size_t len, SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len, unsigned long, prot) { - return do_mprotect_pkey(start, len, prot, -1); + return do_mprotect_ext(start, len, prot, NO_KEY); } #ifdef CONFIG_ARCH_HAS_PKEYS 
@@ -585,7 +587,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len, SYSCALL_DEFINE4(pkey_mprotect, unsigned long, start, size_t, len, unsigned long, prot, int, pkey) { - return do_mprotect_pkey(start, len, prot, pkey); + return do_mprotect_ext(start, len, prot, pkey); } SYSCALL_DEFINE2(pkey_alloc, unsigned long, flags, unsigned long, init_val)
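Review bot: `#define NO_KEY -1` near the top of mm/mprotect.c should be parenthesized as `(-1)` so it expands safely inside any expression, and it needs a one-line comment saying it means no extension key was supplied. After the rename to do_mprotect_ext() the parameter is still called pkey and the new comment reads "When pkey==NO_KEY"; if this entry point is meant to carry other extensions, as the commit message says, rename the parameter or say in the comment that it is still the protection key, so the next extension does not overload it silently.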
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: jmorris@namei.org, mingo@redhat.com, hpa@zytor.com, bp@alien8.de, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, dave.hansen@intel.com, kai.huang@intel.com, jun.nakajima@intel.com, dan.j.williams@intel.com, jarkko.sakkinen@intel.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org
Subject: [RFC v2 03/13] syscall/x86: Wire up a new system call for memory encryption keys
Date: Mon, 3 Dec 2018 23:39:50 -0800
Message-Id: <952381f6d8b394242590f03a4f7122789681ffbb.1543903910.git.alison.schofield@intel.com>

encrypt_mprotect() is a new system call to support memory encryption. It takes the same parameters as legacy mprotect, plus an additional key serial number that is mapped to an encryption keyid.

Signed-off-by: Alison Schofield
Signed-off-by: Kirill A. Shutemov
--- arch/x86/entry/syscalls/syscall_32.tbl | 1 + arch/x86/entry/syscalls/syscall_64.tbl | 1 + include/linux/syscalls.h | 2 ++ include/uapi/asm-generic/unistd.h | 4 +++- kernel/sys_ni.c | 2 ++ 5 files changed, 9 insertions(+), 1 deletion(-) diff --git a/arch/x86/entry/syscalls/syscall_32.tbl b/arch/x86/entry/syscalls/syscall_32.tbl index 3cf7b533b3d1..f41ad857d5c6 100644 --- a/arch/x86/entry/syscalls/syscall_32.tbl +++ b/arch/x86/entry/syscalls/syscall_32.tbl @@ -398,3 +398,4 @@ 384 i386 arch_prctl sys_arch_prctl __ia32_compat_sys_arch_prctl 385 i386 io_pgetevents sys_io_pgetevents __ia32_compat_sys_io_pgetevents 386 i386 rseq sys_rseq __ia32_sys_rseq +387 i386 encrypt_mprotect sys_encrypt_mprotect __ia32_sys_encrypt_mprotect
diff --git a/arch/x86/entry/syscalls/syscall_64.tbl b/arch/x86/entry/syscalls/syscall_64.tbl index f0b1709a5ffb..cf2decfa6119 100644 --- a/arch/x86/entry/syscalls/syscall_64.tbl +++ b/arch/x86/entry/syscalls/syscall_64.tbl @@ -343,6 +343,7 @@ 332 common statx __x64_sys_statx 333 common io_pgetevents __x64_sys_io_pgetevents 334 common rseq __x64_sys_rseq +335 common encrypt_mprotect __x64_sys_encrypt_mprotect # # x32-specific system call numbers start at 512 to avoid cache impact diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h index 2ac3d13a915b..c728b47e9004 100644 --- a/include/linux/syscalls.h +++ b/include/linux/syscalls.h @@ -907,6 +907,8 @@ asmlinkage long sys_statx(int dfd, const char __user *path, unsigned flags, unsigned mask, struct statx __user *buffer); asmlinkage long sys_rseq(struct rseq __user *rseq, uint32_t rseq_len, int flags, uint32_t sig); +asmlinkage long sys_encrypt_mprotect(unsigned long start, size_t len, + unsigned long prot, key_serial_t serial); /* * Architecture-specific system calls diff --git a/include/uapi/asm-generic/unistd.h b/include/uapi/asm-generic/unistd.h index 538546edbfbd..696c222ebe40 100644 --- a/include/uapi/asm-generic/unistd.h +++ b/include/uapi/asm-generic/unistd.h @@ -738,9 +738,11 @@ __SYSCALL(__NR_statx, sys_statx) __SC_COMP(__NR_io_pgetevents, sys_io_pgetevents, compat_sys_io_pgetevents) #define __NR_rseq 293 __SYSCALL(__NR_rseq, sys_rseq) +#define __NR_encrypt_mprotect 294 +__SYSCALL(__NR_encrypt_mprotect, sys_encrypt_mprotect) #undef __NR_syscalls -#define __NR_syscalls 294 +#define __NR_syscalls 295 /* * 32 bit systems traditionally used different diff --git a/kernel/sys_ni.c b/kernel/sys_ni.c index df556175be50..1b48f709c265 100644 --- a/kernel/sys_ni.c +++ b/kernel/sys_ni.c 
@@ -336,6 +336,8 @@ COND_SYSCALL(pkey_mprotect); COND_SYSCALL(pkey_alloc); COND_SYSCALL(pkey_free); +/* multi-key total memory encryption keys */ +COND_SYSCALL(encrypt_mprotect); /* * Architecture specific weak syscall entries.
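Review bot: the syscall_32.tbl and syscall_64.tbl hunks allocate numbers 387 and 335 for encrypt_mprotect in patch 03/13, but nothing in this patch defines the handler, so until the implementation lands the entry can only resolve to the COND_SYSCALL(encrypt_mprotect) stub from the kernel/sys_ni.c hunk and return -ENOSYS. Consider ordering the wire-up after the patch that implements the call, so the number and its behaviour arrive together. The commit message should also say what the call returns on kernels built without MKTME support, since that stub is what such kernels will keep.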
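Review bot: the include/uapi/asm-generic/unistd.h hunk assigns __NR_encrypt_mprotect 294 in the generic syscall list, while the subject line and the two table hunks are x86 only. State in the commit message whether other architectures are expected to implement the call, or keep the generic number out of this patch until one does.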
From patchwork Tue Dec 4 07:39:51 2018
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10711203
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: jmorris@namei.org, mingo@redhat.com, hpa@zytor.com, bp@alien8.de, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, dave.hansen@intel.com, kai.huang@intel.com, jun.nakajima@intel.com, dan.j.williams@intel.com, jarkko.sakkinen@intel.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org
Subject: [RFC v2 04/13] x86/mm: Add helper functions for MKTME memory encryption keys
Date: Mon, 3 Dec 2018 23:39:51 -0800

Define a global mapping structure to manage the mapping of userspace Keys to hardware KeyIDs in MKTME (Multi-Key Total Memory Encryption). Implement helper functions that access this mapping structure.

The helpers will be used by these MKTME APIs:
 > Key Service API: security/keys/mktme_keys.c
 > encrypt_mprotect() system call: mm/mprotect.c

Signed-off-by: Alison Schofield
Signed-off-by: Kirill A. Shutemov
--- arch/x86/include/asm/mktme.h | 12 ++++++ arch/x86/mm/mktme.c | 91 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 103 insertions(+) diff --git a/arch/x86/include/asm/mktme.h b/arch/x86/include/asm/mktme.h index f05baa15e6f6..dbb49909d665 100644 --- a/arch/x86/include/asm/mktme.h +++ b/arch/x86/include/asm/mktme.h
@@ -12,6 +12,18 @@ extern phys_addr_t mktme_keyid_mask; extern int mktme_nr_keyids; extern int mktme_keyid_shift; +/* Manage mappings between hardware KeyIDs and userspace Keys */ +extern int mktme_map_alloc(void); +extern void mktme_map_free(void); +extern void mktme_map_lock(void); +extern void mktme_map_unlock(void); +extern int mktme_map_mapped_keyids(void); +extern void mktme_map_set_keyid(int keyid, void *key); +extern void mktme_map_free_keyid(int keyid); +extern int mktme_map_keyid_from_key(void *key); +extern void *mktme_map_key_from_keyid(int keyid); +extern int mktme_map_get_free_keyid(void); + DECLARE_STATIC_KEY_FALSE(mktme_enabled_key); static inline bool mktme_enabled(void) { diff --git a/arch/x86/mm/mktme.c b/arch/x86/mm/mktme.c index c81727540e7c..34224d4e3f45 100644 --- a/arch/x86/mm/mktme.c +++ b/arch/x86/mm/mktme.c 
@@ -40,6 +40,97 @@ int __vma_keyid(struct vm_area_struct *vma) return (prot & mktme_keyid_mask) >> mktme_keyid_shift; } +/* + * struct mktme_map and the mktme_map_* functions manage the mapping + * of userspace Keys to hardware KeyIDs. These are used by the MKTME Key + * Service API and the encrypt_mprotect() system call. + */ + +struct mktme_mapping { + struct mutex lock; /* protect this map & HW state */ + unsigned int mapped_keyids; + void *key[]; +}; + +struct mktme_mapping *mktme_map; + +static inline long mktme_map_size(void) +{ + long size = 0; + + size += sizeof(*mktme_map); + size += sizeof(mktme_map->key[0]) * (mktme_nr_keyids + 1); + return size; +} + +int mktme_map_alloc(void) +{ + mktme_map = kvzalloc(mktme_map_size(), GFP_KERNEL); + if (!mktme_map) + return 0; + mutex_init(&mktme_map->lock); + return 1; +} + +void mktme_map_free(void) +{ + kvfree(mktme_map); +} + +void mktme_map_lock(void) +{ + mutex_lock(&mktme_map->lock); +} + +void mktme_map_unlock(void) +{ + mutex_unlock(&mktme_map->lock); +} + +int mktme_map_mapped_keyids(void) +{ + return mktme_map->mapped_keyids; +} + +void mktme_map_set_keyid(int keyid, void *key) +{ + mktme_map->key[keyid] = key; + mktme_map->mapped_keyids++; +} + +void mktme_map_free_keyid(int keyid) +{ + mktme_map->key[keyid] = 0; + mktme_map->mapped_keyids--; +} + +int mktme_map_keyid_from_key(void *key) +{ + int i; + + for (i = 1; i <= mktme_nr_keyids; i++) + if (mktme_map->key[i] == key) + return i; + return 0; +} + +void *mktme_map_key_from_keyid(int keyid) +{ + return mktme_map->key[keyid]; +} + +int mktme_map_get_free_keyid(void) +{ + int i; + + if (mktme_map->mapped_keyids < mktme_nr_keyids) { + for (i = 1; i <= mktme_nr_keyids; i++) + if (mktme_map->key[i] == 0) + return i; + } + return 0; +} + /* Prepare page to be used for encryption. Called from page allocator. 
*/ void __prep_encrypted_page(struct page *page, int order, int keyid, bool zero) {
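Review bot: in the arch/x86/mm/mktme.c hunk, mktme_map_set_keyid(), mktme_map_free_keyid() and mktme_map_key_from_keyid() index mktme_map->key[keyid] without checking that keyid lies in 1..mktme_nr_keyids, and the array is sized for only mktme_nr_keyids + 1 slots, so a negative or oversized keyid from any caller reads or writes outside the allocation. Add a range check with an early return in each accessor. The counter is unguarded as well: set_keyid increments mapped_keyids even when the slot is already occupied, and free_keyid decrements it even when the slot is empty, which wraps the unsigned int and makes the "mapped_keyids < mktme_nr_keyids" test in mktme_map_get_free_keyid() fail from then on. Smaller points in the same hunk: mktme_map_keyid_from_key() given a NULL key returns the first unused slot as if it were a match, mktme_map_alloc() returns 1 on success and 0 on failure where 0 and -ENOMEM are the usual convention, mktme_map_free() leaves mktme_map pointing at freed memory, and the comment names "struct mktme_map" while the type is struct mktme_mapping.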
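Review bot: the arch/x86/include/asm/mktme.h hunk exports mktme_map_lock() and mktme_map_unlock() next to accessors that take no lock themselves, and nothing says which helpers require the caller to hold the mutex. Document the locking rule above the declarations and put lockdep_assert_held(&mktme_map->lock) in the accessors so a missed lock shows up in testing. The void *key parameters also give up type checking; if callers always pass the same key object type, declare the parameters with that type.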
From patchwork Tue Dec 4 07:39:52 2018
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10711213
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: jmorris@namei.org, mingo@redhat.com, hpa@zytor.com, bp@alien8.de, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, dave.hansen@intel.com, kai.huang@intel.com, jun.nakajima@intel.com, dan.j.williams@intel.com, jarkko.sakkinen@intel.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org
Subject: [RFC v2 05/13] x86/mm: Set KeyIDs in encrypted VMAs
Date: Mon, 3 Dec 2018 23:39:52 -0800

MKTME architecture requires the KeyID to be placed in PTE bits 51:46. To create an encrypted VMA, place the KeyID in the upper bits of vm_page_prot that match the position of those PTE bits.

When the VMA is assigned a KeyID it is always considered a KeyID change. The VMA is either going from not encrypted to encrypted, or from encrypted with any KeyID to encrypted with any other KeyID. To make the change safely, remove the user pages held by the VMA and unlink the VMA's anonymous chain.

Change-Id: I676056525c49c8803898315a10b196ef5a5c5415
Signed-off-by: Alison Schofield
Signed-off-by: Kirill A. Shutemov
--- arch/x86/include/asm/mktme.h | 4 ++++ arch/x86/mm/mktme.c | 26 ++++++++++++++++++++++++++ include/linux/mm.h | 6 ++++++ 3 files changed, 36 insertions(+) diff --git a/arch/x86/include/asm/mktme.h b/arch/x86/include/asm/mktme.h index dbb49909d665..de3e529f3ab0 100644 --- a/arch/x86/include/asm/mktme.h +++ b/arch/x86/include/asm/mktme.h
@@ -24,6 +24,10 @@ extern int mktme_map_keyid_from_key(void *key); extern void *mktme_map_key_from_keyid(int keyid); extern int mktme_map_get_free_keyid(void); +/* Set the encryption keyid bits in a VMA */ +extern void mprotect_set_encrypt(struct vm_area_struct *vma, int newkeyid, + unsigned long start, unsigned long end); + DECLARE_STATIC_KEY_FALSE(mktme_enabled_key); static inline bool mktme_enabled(void) { diff --git a/arch/x86/mm/mktme.c b/arch/x86/mm/mktme.c index 34224d4e3f45..e3fdf7b48173 100644 --- a/arch/x86/mm/mktme.c +++ b/arch/x86/mm/mktme.c @@ -1,5 +1,6 @@ #include #include +#include #include #include @@ -131,6 +132,31 @@ int mktme_map_get_free_keyid(void) return 0; } +/* Set the encryption keyid bits in a VMA */ +void mprotect_set_encrypt(struct vm_area_struct *vma, int newkeyid, + unsigned long start, unsigned long end) +{ + int oldkeyid = vma_keyid(vma); + pgprotval_t newprot; + + /* Unmap pages with old KeyID if there's any. */ + zap_page_range(vma, start, end - start); + + if (oldkeyid == newkeyid) + return; + + newprot = pgprot_val(vma->vm_page_prot); + newprot &= ~mktme_keyid_mask; + newprot |= (unsigned long)newkeyid << mktme_keyid_shift; + vma->vm_page_prot = __pgprot(newprot); + + /* + * The VMA doesn't have any inherited pages. + * Start anon VMA tree from scratch. + */ + unlink_anon_vmas(vma); +} + /* Prepare page to be used for encryption. Called from page allocator. */ void __prep_encrypted_page(struct page *page, int order, int keyid, bool zero) { diff --git a/include/linux/mm.h b/include/linux/mm.h index 1309761bb6d0..e2d87e92ca74 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h 
@@ -2806,5 +2806,11 @@ void __init setup_nr_node_ids(void); static inline void setup_nr_node_ids(void) {} #endif +#ifndef CONFIG_X86_INTEL_MKTME +static inline void mprotect_set_encrypt(struct vm_area_struct *vma, + int newkeyid, + unsigned long start, + unsigned long end) {} +#endif /* CONFIG_X86_INTEL_MKTME */ #endif /* __KERNEL__ */ #endif /* _LINUX_MM_H */
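Review bot: in the arch/x86/mm/mktme.c hunk, mprotect_set_encrypt() calls zap_page_range(vma, start, end - start) before the "if (oldkeyid == newkeyid) return;" test, so a call that names the KeyID the VMA already has still removes the user pages in the range while changing nothing else. Move the equality test above the zap, or state in the comment and the commit message that the pages are always dropped. newkeyid is also shifted into newprot without being masked or range checked: "newprot |= (unsigned long)newkeyid << mktme_keyid_shift;" lets a negative or oversized value set bits outside mktme_keyid_mask, so validate it here or document that the caller must.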
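Review bot: the include/linux/mm.h hunk keys a generic-header stub on the x86-specific CONFIG_X86_INTEL_MKTME, while the real prototype is added in arch/x86/include/asm/mktme.h, so the two declarations of mprotect_set_encrypt() can drift apart without a build error on either configuration. Keep the prototype and its empty inline fallback in one place, as the two branches of a single #ifdef.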
From patchwork Tue Dec 4 07:39:53 2018
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10711237
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: jmorris@namei.org, mingo@redhat.com, hpa@zytor.com, bp@alien8.de, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, dave.hansen@intel.com, kai.huang@intel.com, jun.nakajima@intel.com, dan.j.williams@intel.com, jarkko.sakkinen@intel.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org
Subject: [RFC v2 06/13] mm: Add the encrypt_mprotect() system call
Date: Mon, 3 Dec 2018 23:39:53 -0800
Message-Id: <0c5d9e96c75445ced3b22d9359a8cb3fa2b6f8ad.1543903910.git.alison.schofield@intel.com>

Implement memory encryption with a new system call that is an extension of the legacy mprotect() system call.

In encrypt_mprotect the caller must pass a handle to a previously allocated and programmed encryption key. Validate the key and store the keyid bits in the vm_page_prot for each VMA in the protection range.

Signed-off-by: Alison Schofield
Signed-off-by: Kirill A. Shutemov
--- fs/exec.c | 4 ++-- include/linux/key.h | 2 ++ include/linux/mm.h | 3 ++- mm/mprotect.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++------ 4 files changed, 62 insertions(+), 10 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index fc281b738a98..a0946b23e2c5 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -752,8 +752,8 @@ int setup_arg_pages(struct linux_binprm *bprm, vm_flags |= mm->def_flags; vm_flags |= VM_STACK_INCOMPLETE_SETUP; - ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end, - vm_flags); + ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end, vm_flags, + -1); if (ret) goto out_unlock; BUG_ON(prev != vma);
diff --git a/include/linux/key.h b/include/linux/key.h index e58ee10f6e58..fb8a7d5f6149 100644 --- a/include/linux/key.h +++ b/include/linux/key.h @@ -346,6 +346,8 @@ static inline key_serial_t key_serial(const struct key *key) extern void key_set_timeout(struct key *, unsigned); +extern key_ref_t lookup_user_key(key_serial_t id, unsigned long lflags, + key_perm_t perm); /* * The permissions required on a key that we're looking up. */ diff --git a/include/linux/mm.h b/include/linux/mm.h index e2d87e92ca74..09182d78e7b7 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -1607,7 +1607,8 @@ extern unsigned long change_protection(struct vm_area_struct *vma, unsigned long int dirty_accountable, int prot_numa); extern int mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, unsigned long start, - unsigned long end, unsigned long newflags); + unsigned long end, unsigned long newflags, + int newkeyid); /* * doesn't attempt to fault and will return short. diff --git a/mm/mprotect.c b/mm/mprotect.c index b57075e278fb..ad8127dc9aac 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -28,6 +28,7 @@ #include #include #include +#include #include #include #include @@ -346,7 +347,8 @@ static int prot_none_walk(struct vm_area_struct *vma, unsigned long start, int mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, - unsigned long start, unsigned long end, unsigned long newflags) + unsigned long start, unsigned long end, unsigned long newflags, + int newkeyid) { struct mm_struct *mm = vma->vm_mm; unsigned long oldflags = vma->vm_flags; 
@@ -356,7 +358,14 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, int error; int dirty_accountable = 0; - if (newflags == oldflags) { + /* + * Flags match and Keyids match or we have NO_KEY. + * This _fixup is usually called from do_mprotect_ext() except + * for one special case: caller fs/exec.c/setup_arg_pages() + * In that case, newkeyid is passed as -1 (NO_KEY). + */ + if (newflags == oldflags && + (newkeyid == vma_keyid(vma) || newkeyid == NO_KEY)) { *pprev = vma; return 0; } @@ -422,6 +431,8 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, } success: + if (newkeyid != NO_KEY) + mprotect_set_encrypt(vma, newkeyid, start, end); /* * vm_flags and vm_page_prot are protected by the mmap_sem * held in write mode. @@ -453,10 +464,15 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, } /* - * When pkey==NO_KEY we get legacy mprotect behavior here. + * do_mprotect_ext() supports the legacy mprotect behavior plus extensions + * for Protection Keys and Memory Encryption Keys. These extensions are + * mutually exclusive and the behavior is: + * (pkey==NO_KEY && keyid==NO_KEY) ==> legacy mprotect + * (pkey is valid) ==> legacy mprotect plus Protection Key extensions + * (keyid is valid) ==> legacy mprotect plus Encryption Key extensions */ static int do_mprotect_ext(unsigned long start, size_t len, - unsigned long prot, int pkey) + unsigned long prot, int pkey, int keyid) { unsigned long nstart, end, tmp, reqprot; struct vm_area_struct *vma, *prev; @@ -554,7 +570,8 @@ static int do_mprotect_ext(unsigned long start, size_t len, tmp = vma->vm_end; if (tmp > end) tmp = end; - error = mprotect_fixup(vma, &prev, nstart, tmp, newflags); + error = mprotect_fixup(vma, &prev, nstart, tmp, newflags, + keyid); if (error) goto out; nstart = tmp; 
@@ -579,7 +596,7 @@ static int do_mprotect_ext(unsigned long start, size_t len, SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len, unsigned long, prot) { - return do_mprotect_ext(start, len, prot, NO_KEY); + return do_mprotect_ext(start, len, prot, NO_KEY, NO_KEY); } #ifdef CONFIG_ARCH_HAS_PKEYS @@ -587,7 +604,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len, SYSCALL_DEFINE4(pkey_mprotect, unsigned long, start, size_t, len, unsigned long, prot, int, pkey) { - return do_mprotect_ext(start, len, prot, pkey); + return do_mprotect_ext(start, len, prot, pkey, NO_KEY); } SYSCALL_DEFINE2(pkey_alloc, unsigned long, flags, unsigned long, init_val) 
@@ -636,3 +653,35 @@ SYSCALL_DEFINE1(pkey_free, int, pkey) } #endif /* CONFIG_ARCH_HAS_PKEYS */ + +#ifdef CONFIG_X86_INTEL_MKTME + +SYSCALL_DEFINE4(encrypt_mprotect, unsigned long, start, size_t, len, + unsigned long, prot, key_serial_t, serial) +{ + key_ref_t key_ref; + struct key *key; + int ret, keyid; + + if (!PAGE_ALIGNED(len)) + return -EINVAL; + + key_ref = lookup_user_key(serial, 0, KEY_NEED_VIEW); + if (IS_ERR(key_ref)) + return PTR_ERR(key_ref); + + key = key_ref_to_ptr(key_ref); + mktme_map_lock(); + keyid = mktme_map_keyid_from_key(key); + if (!keyid) { + mktme_map_unlock(); + key_ref_put(key_ref); + return -EINVAL; + } + ret = do_mprotect_ext(start, len, prot, NO_KEY, keyid); + mktme_map_unlock(); + key_ref_put(key_ref); + return ret; +} + +#endif /* CONFIG_X86_INTEL_MKTME */

From patchwork Tue Dec 4 07:39:54 2018
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10711225
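Review bot: In [RFC v2 06/13], the fs/exec.c hunk passes a bare -1 to mprotect_fixup() from setup_arg_pages(), while every other caller in the patch spells the same value NO_KEY, and the new comment in mprotect_fixup() has to explain that -1 means NO_KEY. Passing NO_KEY here would keep the sentinel in one place; if NO_KEY is not visible from fs/exec.c, that is better fixed in a header than by open-coding the constant.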
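Review bot: In [RFC v2 06/13], encrypt_mprotect() looks the key up with lookup_user_key(serial, 0, KEY_NEED_VIEW), so the only permission needed to map memory with a key is the right to view it, and nothing in the hunk checks that the serial names an MKTME-type key before the key is handed to mktme_map_keyid_from_key(). Please state which key permission is meant to authorize using a key for encryption, and either check the key type explicitly or document that a failed mapping lookup (keyid 0, returned as -EINVAL) is the intended rejection path for other key types. The new syscall also has no comment describing its arguments and error returns.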
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: jmorris@namei.org, mingo@redhat.com, hpa@zytor.com, bp@alien8.de, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, dave.hansen@intel.com, kai.huang@intel.com, jun.nakajima@intel.com, dan.j.williams@intel.com, jarkko.sakkinen@intel.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org
Subject: [RFC v2 07/13] x86/mm: Add helpers for reference counting encrypted VMAs
Date: Mon, 3 Dec 2018 23:39:54 -0800

In order to safely manage the usage of memory encryption keys, VMAs using each KeyID need to be counted. This count allows the MKTME (Multi-Key Total Memory Encryption) Key Service to know when the KeyID resource is actually in use, or when it is idle and may be considered for reuse.

Define a global refcount_t array and provide helper functions to manipulate the counts.

Signed-off-by: Alison Schofield
Signed-off-by: Kirill A. Shutemov
--- arch/x86/include/asm/mktme.h | 9 +++++++ arch/x86/mm/mktme.c | 58 ++++++++++++++++++++++++++++++++++++++++++++ include/linux/mm.h | 2 ++ 3 files changed, 69 insertions(+) diff --git a/arch/x86/include/asm/mktme.h b/arch/x86/include/asm/mktme.h index de3e529f3ab0..22d52635562c 100644 --- a/arch/x86/include/asm/mktme.h +++ b/arch/x86/include/asm/mktme.h
@@ -28,6 +28,15 @@ extern int mktme_map_get_free_keyid(void); extern void mprotect_set_encrypt(struct vm_area_struct *vma, int newkeyid, unsigned long start, unsigned long end); +/* Manage the MTKME encrypt_count references */ +extern int mktme_alloc_encrypt_array(void); +extern void mktme_free_encrypt_array(void); +extern int mktme_read_encrypt_ref(int keyid); +extern void vma_get_encrypt_ref(struct vm_area_struct *vma); +extern void vma_put_encrypt_ref(struct vm_area_struct *vma); +extern void key_get_encrypt_ref(int keyid); +extern void key_put_encrypt_ref(int keyid); + DECLARE_STATIC_KEY_FALSE(mktme_enabled_key); static inline bool mktme_enabled(void) { diff --git a/arch/x86/mm/mktme.c b/arch/x86/mm/mktme.c index e3fdf7b48173..facf08f9cb74 100644 --- a/arch/x86/mm/mktme.c +++ b/arch/x86/mm/mktme.c 
@@ -157,6 +157,64 @@ void mprotect_set_encrypt(struct vm_area_struct *vma, int newkeyid, unlink_anon_vmas(vma); } +/* + * Helper functions manage the encrypt_count[] array that counts + * references on each MKTME hardware keyid. The gets & puts are + * used in core mm code that allocates and free's VMA's. The alloc, + * free, and read functions are used by the MKTME key service to + * manage key allocation and programming. + */ +refcount_t *encrypt_count; + +int mktme_alloc_encrypt_array(void) +{ + encrypt_count = kvcalloc(mktme_nr_keyids, sizeof(refcount_t), + GFP_KERNEL); + if (!encrypt_count) + return -ENOMEM; + return 0; +} + +void mktme_free_encrypt_array(void) +{ + kvfree(encrypt_count); +} + +int mktme_read_encrypt_ref(int keyid) +{ + return refcount_read(&encrypt_count[keyid]); +} + +void vma_get_encrypt_ref(struct vm_area_struct *vma) +{ + if (vma_keyid(vma)) + refcount_inc(&encrypt_count[vma_keyid(vma)]); +} + +void vma_put_encrypt_ref(struct vm_area_struct *vma) +{ + if (vma_keyid(vma)) + if (refcount_dec_and_test(&encrypt_count[vma_keyid(vma)])) { + mktme_map_lock(); + mktme_map_free_keyid(vma_keyid(vma)); + mktme_map_unlock(); + } +} + +void key_get_encrypt_ref(int keyid) +{ + refcount_inc(&encrypt_count[keyid]); +} + +void key_put_encrypt_ref(int keyid) +{ + if (refcount_dec_and_test(&encrypt_count[keyid])) { + mktme_map_lock(); + mktme_map_free_keyid(keyid); + mktme_map_unlock(); + } +} + /* Prepare page to be used for encryption. Called from page allocator. */ void __prep_encrypted_page(struct page *page, int order, int keyid, bool zero) { diff --git a/include/linux/mm.h b/include/linux/mm.h index 09182d78e7b7..453d675dd116 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h 
@@ -2812,6 +2812,8 @@ static inline void mprotect_set_encrypt(struct vm_area_struct *vma, int newkeyid, unsigned long start, unsigned long end) {} +static inline void vma_get_encrypt_ref(struct vm_area_struct *vma) {} +static inline void vma_put_encrypt_ref(struct vm_area_struct *vma) {} #endif /* CONFIG_X86_INTEL_MKTME */ #endif /* __KERNEL__ */ #endif /* _LINUX_MM_H */

From patchwork Tue Dec 4 07:39:55 2018
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10711229
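Review bot: In [RFC v2 07/13], the comment added above the new prototypes in arch/x86/include/asm/mktme.h reads "MTKME"; it should be "MKTME", as in the rest of the series.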
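Review bot: In [RFC v2 07/13], encrypt_count[] is zero-filled by kvcalloc() and the first reference on a KeyID is then taken with refcount_inc() in vma_get_encrypt_ref() and key_get_encrypt_ref(), but refcount_t treats an increment from zero as a use-after-free and warns. The count needs to be set to 1 explicitly when a KeyID is handed out (refcount_set()), or the array should use a counter type where 0 means idle. Separately, mktme_read_encrypt_ref(), key_get_encrypt_ref() and key_put_encrypt_ref() index the array with a caller-supplied keyid and no range check against mktme_nr_keyids; if valid KeyIDs run from 1 to mktme_nr_keyids, the allocation is also one entry short.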
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: jmorris@namei.org, mingo@redhat.com, hpa@zytor.com, bp@alien8.de, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, dave.hansen@intel.com, kai.huang@intel.com, jun.nakajima@intel.com, dan.j.williams@intel.com, jarkko.sakkinen@intel.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org
Subject: [RFC v2 08/13] mm: Use reference counting for encrypted VMAs
Date: Mon, 3 Dec 2018 23:39:55 -0800
Message-Id: <985ba614d49986fdfc0397434fd1dd9eb5646c6f.1543903910.git.alison.schofield@intel.com>

The MKTME (Multi-Key Total Memory Encryption) Key Service needs a reference count on encrypted VMAs. This reference count is used to determine when a hardware encryption keyid is in use, which in turn, tells the key service what operations can be safely performed with this keyid.

The approach is:

1) Increment/decrement the reference count during encrypt_mprotect() system call for initial or updated encryption on a VMA.

2) Piggy back on the new vm_area_dup/free() helpers. If the VMAs being duplicated, or freed are encrypted, adjust the reference count.

Signed-off-by: Alison Schofield
Signed-off-by: Kirill A. Shutemov
--- arch/x86/mm/mktme.c | 2 ++ kernel/fork.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/arch/x86/mm/mktme.c b/arch/x86/mm/mktme.c index facf08f9cb74..55d34beb9b81 100644 --- a/arch/x86/mm/mktme.c +++ b/arch/x86/mm/mktme.c
@@ -145,10 +145,12 @@ void mprotect_set_encrypt(struct vm_area_struct *vma, int newkeyid, if (oldkeyid == newkeyid) return; + vma_put_encrypt_ref(vma); newprot = pgprot_val(vma->vm_page_prot); newprot &= ~mktme_keyid_mask; newprot |= (unsigned long)newkeyid << mktme_keyid_shift; vma->vm_page_prot = __pgprot(newprot); + vma_get_encrypt_ref(vma); /* * The VMA doesn't have any inherited pages. diff --git a/kernel/fork.c b/kernel/fork.c index 07cddff89c7b..d12d27b50966 100644 --- a/kernel/fork.c +++ b/kernel/fork.c 
@@ -341,12 +341,14 @@ struct vm_area_struct *vm_area_dup(struct vm_area_struct *orig) if (new) { *new = *orig; INIT_LIST_HEAD(&new->anon_vma_chain); + vma_get_encrypt_ref(new); } return new; } void vm_area_free(struct vm_area_struct *vma) { + vma_put_encrypt_ref(vma); kmem_cache_free(vm_area_cachep, vma); }

From patchwork Tue Dec 4 07:39:56 2018
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10711231
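Review bot: In [RFC v2 08/13], the vma_put_encrypt_ref() call added to mprotect_set_encrypt() can run with the MKTME map lock already held. encrypt_mprotect() (06/13) takes mktme_map_lock() around do_mprotect_ext(), which reaches mprotect_set_encrypt() through mprotect_fixup(), and vma_put_encrypt_ref() (07/13) calls mktme_map_lock() again when the old KeyID's count drops to zero. Unless that lock is recursive, this deadlocks when the last VMA moves off a KeyID; the put needs a variant that assumes the lock is held, or the KeyID free has to be deferred until after mktme_map_unlock(). The vm_area_free() hunk in kernel/fork.c takes the same lock from VMA teardown, so the ordering of the map lock against mmap_sem should be documented as well.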
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: jmorris@namei.org, mingo@redhat.com, hpa@zytor.com, bp@alien8.de, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, dave.hansen@intel.com, kai.huang@intel.com, jun.nakajima@intel.com, dan.j.williams@intel.com, jarkko.sakkinen@intel.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org
Subject: [RFC v2 09/13] mm: Restrict memory encryption to anonymous VMA's
Date: Mon, 3 Dec 2018 23:39:56 -0800
Message-Id: <0b294e74f06a0d6bee51efcd7b0eb1f20b00babe.1543903910.git.alison.schofield@intel.com>

Memory encryption is only supported for mappings that are ANONYMOUS. Test the entire range of VMA's in an encrypt_mprotect() request to make sure they all meet that requirement before encrypting any.

The encrypt_mprotect syscall will return -EINVAL and will not encrypt any VMA's if this check fails.

Signed-off-by: Alison Schofield
Signed-off-by: Kirill A. Shutemov
--- mm/mprotect.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/mm/mprotect.c b/mm/mprotect.c index ad8127dc9aac..f1c009409134 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c
@@ -345,6 +345,24 @@ static int prot_none_walk(struct vm_area_struct *vma, unsigned long start, return walk_page_range(start, end, &prot_none_walk); } +/* + * Encrypted mprotect is only supported on anonymous mappings. + * All VMA's in the requested range must be anonymous. If this + * test fails on any single VMA, the entire mprotect request fails. + */ +bool mem_supports_encryption(struct vm_area_struct *vma, unsigned long end) +{ + struct vm_area_struct *test_vma = vma; + + do { + if (!vma_is_anonymous(test_vma)) + return false; + + test_vma = test_vma->vm_next; + } while (test_vma && test_vma->vm_start < end); + return true; +} + int mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, unsigned long start, unsigned long end, unsigned long newflags, 
@@ -531,6 +549,12 @@ static int do_mprotect_ext(unsigned long start, size_t len, goto out; } } + + if (keyid > 0 && !mem_supports_encryption(vma, end)) { + error = -EINVAL; + goto out; + } + if (start > vma->vm_start) prev = vma;

From patchwork Tue Dec 4 07:39:57 2018
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10711241
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: jmorris@namei.org, mingo@redhat.com, hpa@zytor.com, bp@alien8.de, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, dave.hansen@intel.com, kai.huang@intel.com, jun.nakajima@intel.com, dan.j.williams@intel.com, jarkko.sakkinen@intel.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org
Subject: [RFC v2 10/13] keys/mktme: Add the MKTME Key Service type for memory encryption
Date: Mon, 3 Dec 2018 23:39:57 -0800
Message-Id: <42d44fb5ddbbf7241a2494fc688e274ade641965.1543903910.git.alison.schofield@intel.com>

MKTME (Multi-Key Total Memory Encryption) is a technology that allows
transparent memory encryption in upcoming Intel platforms. MKTME will
support multiple encryption domains, each having their own key. The main
use case for the feature is virtual machine isolation. The API needs the
flexibility to work for a wide range of uses.

The MKTME key service type manages the addition and removal of the memory
encryption keys. It maps Userspace Keys to hardware KeyIDs. It programs
the hardware with the user requested encryption options.

The only supported encryption algorithm is AES-XTS 128.

The MKTME key service is half of the MKTME API level solution. It pairs
with a new memory encryption system call: encrypt_mprotect() that uses
the keys to encrypt memory.

See Documentation/x86/mktme/mktme.rst

Change-Id: Idda4af2beabb739c77719897affff183ee9fa716
Signed-off-by: Alison Schofield
Signed-off-by: Kirill A. Shutemov --- arch/x86/Kconfig | 1 + include/keys/mktme-type.h | 41 ++++++ security/keys/Kconfig | 11 ++ security/keys/Makefile | 1 + security/keys/mktme_keys.c | 339 +++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 393 insertions(+) create mode 100644 include/keys/mktme-type.h create mode 100644 security/keys/mktme_keys.c diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 7ac78e2856c7..c2e3bb5af077 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1531,6 +1531,7 @@ config X86_INTEL_MKTME bool "Intel Multi-Key Total Memory Encryption" select DYNAMIC_PHYSICAL_MASK select PAGE_EXTENSION + select MKTME_KEYS depends on X86_64 && CPU_SUP_INTEL ---help--- Say yes to enable support for Multi-Key Total Memory Encryption. diff --git a/include/keys/mktme-type.h b/include/keys/mktme-type.h new file mode 100644 index 000000000000..c63c6568087f --- /dev/null +++ b/include/keys/mktme-type.h @@ -0,0 +1,41 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + +/* Key service for Multi-KEY Total Memory Encryption */ + +#ifndef _KEYS_MKTME_TYPE_H +#define _KEYS_MKTME_TYPE_H + +#include + +/* + * The AES-XTS 128 encryption algorithm requires 128 bits for each + * user supplied data key and tweak key. + */ +#define MKTME_AES_XTS_SIZE 16 /* 16 bytes, 128 bits */ + +enum mktme_alg { + MKTME_ALG_AES_XTS_128, +}; + +const char *const mktme_alg_names[] = { + [MKTME_ALG_AES_XTS_128] = "aes-xts-128", +}; + +enum mktme_type { + MKTME_TYPE_ERROR = -1, + MKTME_TYPE_USER, + MKTME_TYPE_CPU, + MKTME_TYPE_CLEAR, + MKTME_TYPE_NO_ENCRYPT, +}; + +const char *const mktme_type_names[] = { + [MKTME_TYPE_USER] = "user", + [MKTME_TYPE_CPU] = "cpu", + [MKTME_TYPE_CLEAR] = "clear", + [MKTME_TYPE_NO_ENCRYPT] = "no-encrypt", +}; + +extern struct key_type key_type_mktme; + +#endif /* _KEYS_MKTME_TYPE_H */ diff --git a/security/keys/Kconfig b/security/keys/Kconfig index 6462e6654ccf..c36972113e67 100644 --- a/security/keys/Kconfig +++ b/security/keys/Kconfig 
@@ -101,3 +101,14 @@ config KEY_DH_OPERATIONS in the kernel. If you are unsure as to whether this is required, answer N. + +config MKTME_KEYS + bool "Multi-Key Total Memory Encryption Keys" + depends on KEYS && X86_INTEL_MKTME + help + This option provides support for Multi-Key Total Memory + Encryption (MKTME) on Intel platforms offering the feature. + MKTME allows userspace to manage the hardware encryption + keys through the kernel key services. + + If you are unsure as to whether this is required, answer N. diff --git a/security/keys/Makefile b/security/keys/Makefile index 9cef54064f60..94c84f10a857 100644 --- a/security/keys/Makefile +++ b/security/keys/Makefile @@ -30,3 +30,4 @@ obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += keyctl_pkey.o obj-$(CONFIG_BIG_KEYS) += big_key.o obj-$(CONFIG_TRUSTED_KEYS) += trusted.o obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys/ +obj-$(CONFIG_MKTME_KEYS) += mktme_keys.o diff --git a/security/keys/mktme_keys.c b/security/keys/mktme_keys.c new file mode 100644 index 000000000000..e615eb58e600 --- /dev/null +++ b/security/keys/mktme_keys.c 
@@ -0,0 +1,339 @@ +// SPDX-License-Identifier: GPL-3.0 + +/* Documentation/x86/mktme/mktme_keys.rst */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "internal.h" + +struct kmem_cache *mktme_prog_cache; /* Hardware programming cache */ + +static const char * const mktme_program_err[] = { + "KeyID was successfully programmed", /* 0 */ + "Invalid KeyID programming command", /* 1 */ + "Insufficient entropy", /* 2 */ + "KeyID not valid", /* 3 */ + "Invalid encryption algorithm chosen", /* 4 */ + "Failure to access key table", /* 5 */ +}; + +enum mktme_opt_id { + OPT_ERROR = -1, + OPT_TYPE, + OPT_KEY, + OPT_TWEAK, + OPT_ALGORITHM, +}; + +static const match_table_t mktme_token = { + {OPT_TYPE, "type=%s"}, + {OPT_KEY, "key=%s"}, + {OPT_TWEAK, "tweak=%s"}, + {OPT_ALGORITHM, "algorithm=%s"}, + {OPT_ERROR, NULL} +}; + +struct mktme_payload { + u32 keyid_ctrl; /* Command & Encryption Algorithm */ + u8 data_key[MKTME_AES_XTS_SIZE]; + u8 tweak_key[MKTME_AES_XTS_SIZE]; +}; + +/* Key Service Method called when Key is garbage collected. 
*/ +static void mktme_destroy_key(struct key *key) +{ + key_put_encrypt_ref(mktme_map_keyid_from_key(key)); +} + +/* Copy the payload to the HW programming structure and program this KeyID */ +static int mktme_program_keyid(int keyid, struct mktme_payload *payload) +{ + struct mktme_key_program *kprog = NULL; + u8 kern_entropy[MKTME_AES_XTS_SIZE]; + int i, ret; + + kprog = kmem_cache_zalloc(mktme_prog_cache, GFP_KERNEL); + if (!kprog) + return -ENOMEM; + + /* Hardware programming requires cached aligned struct */ + kprog->keyid = keyid; + kprog->keyid_ctrl = payload->keyid_ctrl; + memcpy(kprog->key_field_1, payload->data_key, MKTME_AES_XTS_SIZE); + memcpy(kprog->key_field_2, payload->tweak_key, MKTME_AES_XTS_SIZE); + + /* Strengthen the entropy fields for CPU generated keys */ + if ((payload->keyid_ctrl & 0xff) == MKTME_KEYID_SET_KEY_RANDOM) { + get_random_bytes(&kern_entropy, sizeof(kern_entropy)); + for (i = 0; i < (MKTME_AES_XTS_SIZE); i++) { + kprog->key_field_1[i] ^= kern_entropy[i]; + kprog->key_field_2[i] ^= kern_entropy[i]; + } + } + ret = mktme_key_program(kprog); + kmem_cache_free(mktme_prog_cache, kprog); + return ret; +} + +/* Key Service Method to update an existing key. */ +static int mktme_update_key(struct key *key, + struct key_preparsed_payload *prep) +{ + struct mktme_payload *payload = prep->payload.data[0]; + int keyid, ref_count; + int ret; + + mktme_map_lock(); + keyid = mktme_map_keyid_from_key(key); + if (keyid <= 0) + return -EINVAL; + /* + * ref_count will be at least one when we get here because the + * key already exists. If ref_count is not > 1, it is safe to + * update the key while holding the mktme_map_lock. 
+ */ + ref_count = mktme_read_encrypt_ref(keyid); + if (ref_count > 1) { + pr_debug("mktme not updating keyid[%d] encrypt_count[%d]\n", + keyid, ref_count); + return -EBUSY; + } + ret = mktme_program_keyid(keyid, payload); + if (ret != MKTME_PROG_SUCCESS) { + pr_debug("%s: %s\n", __func__, mktme_program_err[ret]); + ret = -ENOKEY; + } + mktme_map_unlock(); + return ret; +} + +/* Key Service Method to create a new key. Payload is preparsed. */ +int mktme_instantiate_key(struct key *key, struct key_preparsed_payload *prep) +{ + struct mktme_payload *payload = prep->payload.data[0]; + int keyid, ret; + + mktme_map_lock(); + keyid = mktme_map_get_free_keyid(); + if (keyid == 0) { + ret = -ENOKEY; + goto out; + } + ret = mktme_program_keyid(keyid, payload); + if (ret != MKTME_PROG_SUCCESS) { + pr_debug("%s: %s\n", __func__, mktme_program_err[ret]); + ret = -ENOKEY; + goto out; + } + mktme_map_set_keyid(keyid, key); + key_get_encrypt_ref(keyid); +out: + mktme_map_unlock(); + return ret; +} + +/* Verify the user provided the needed arguments for the TYPE of Key */ +static int mktme_check_options(struct mktme_payload *payload, + unsigned long token_mask, enum mktme_type type) +{ + if (!token_mask) + return -EINVAL; + + switch (type) { + case MKTME_TYPE_USER: + if (test_bit(OPT_ALGORITHM, &token_mask)) + payload->keyid_ctrl |= MKTME_AES_XTS_128; + else + return -EINVAL; + + if ((test_bit(OPT_KEY, &token_mask)) && + (test_bit(OPT_TWEAK, &token_mask))) + payload->keyid_ctrl |= MKTME_KEYID_SET_KEY_DIRECT; + else + return -EINVAL; + break; + + case MKTME_TYPE_CPU: + if (test_bit(OPT_ALGORITHM, &token_mask)) + payload->keyid_ctrl |= MKTME_AES_XTS_128; + else + return -EINVAL; + + payload->keyid_ctrl |= MKTME_KEYID_SET_KEY_RANDOM; + break; + + case MKTME_TYPE_CLEAR: + payload->keyid_ctrl |= MKTME_KEYID_CLEAR_KEY; + break; + + case MKTME_TYPE_NO_ENCRYPT: + payload->keyid_ctrl |= MKTME_KEYID_NO_ENCRYPT; + break; + + default: + return -EINVAL; + } + return 0; +} + +/* Parse the 
options and store the key programming data in the payload. */ +static int mktme_get_options(char *options, struct mktme_payload *payload) +{ + enum mktme_type type = MKTME_TYPE_ERROR; + substring_t args[MAX_OPT_ARGS]; + unsigned long token_mask = 0; + char *p = options; + int ret, token; + + while ((p = strsep(&options, " \t"))) { + if (*p == '\0' || *p == ' ' || *p == '\t') + continue; + token = match_token(p, mktme_token, args); + if (test_and_set_bit(token, &token_mask)) + return -EINVAL; + + switch (token) { + case OPT_KEY: + ret = hex2bin(payload->data_key, args[0].from, + MKTME_AES_XTS_SIZE); + if (ret < 0) + return -EINVAL; + break; + + case OPT_TWEAK: + ret = hex2bin(payload->tweak_key, args[0].from, + MKTME_AES_XTS_SIZE); + if (ret < 0) + return -EINVAL; + break; + + case OPT_TYPE: + type = match_string(mktme_type_names, + ARRAY_SIZE(mktme_type_names), + args[0].from); + if (type < 0) + return -EINVAL; + break; + + case OPT_ALGORITHM: + ret = match_string(mktme_alg_names, + ARRAY_SIZE(mktme_alg_names), + args[0].from); + if (ret < 0) + return -EINVAL; + break; + + default: + return -EINVAL; + } + } + return mktme_check_options(payload, token_mask, type); +} + +void mktme_free_preparsed_key(struct key_preparsed_payload *prep) +{ + kzfree(prep->payload.data[0]); +} + +/* + * Key Service Method to preparse a payload before a key is created. + * Check permissions and the options. Load the proposed key field + * data into the payload for use by instantiate and update methods. 
+ */ +int mktme_preparse_key(struct key_preparsed_payload *prep) +{ + struct mktme_payload *mktme_payload; + size_t datalen = prep->datalen; + char *options; + int ret; + + if (!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) + return -EACCES; + + if (datalen <= 0 || datalen > 1024 || !prep->data) + return -EINVAL; + + options = kmemdup(prep->data, datalen + 1, GFP_KERNEL); + if (!options) + return -ENOMEM; + + options[datalen] = '\0'; + + mktme_payload = kzalloc(sizeof(*mktme_payload), GFP_KERNEL); + if (!mktme_payload) { + ret = -ENOMEM; + goto out; + } + ret = mktme_get_options(options, mktme_payload); + if (ret < 0) + goto out; + + prep->quotalen = sizeof(mktme_payload); + prep->payload.data[0] = mktme_payload; +out: + kzfree(options); + return ret; +} + +struct key_type key_type_mktme = { + .name = "mktme", + .preparse = mktme_preparse_key, + .free_preparse = mktme_free_preparsed_key, + .instantiate = mktme_instantiate_key, + .update = mktme_update_key, + .describe = user_describe, + .destroy = mktme_destroy_key, +}; + +/* + * Allocate the global mktme_map structure based on the available keyids. + * Create a cache for the hardware structure. Initialize the encrypt_count + * array to track * VMA's per keyid. Once all that succeeds, register the + * 'mktme' key type. 
+ */ +static int __init init_mktme(void) +{ + int ret; + + /* Verify keys are present */ + if (!(mktme_nr_keyids > 0)) + return -EINVAL; + + if (!mktme_map_alloc()) + return -ENOMEM; + + mktme_prog_cache = KMEM_CACHE(mktme_key_program, SLAB_PANIC); + if (!mktme_prog_cache) + goto free_map; + + if (mktme_alloc_encrypt_array() < 0) + goto free_cache; + + ret = register_key_type(&key_type_mktme); + if (!ret) + return ret; /* SUCCESS */ + + mktme_free_encrypt_array(); +free_cache: + kmem_cache_destroy(mktme_prog_cache); +free_map: + mktme_map_free(); + + return -ENOMEM; +} + +late_initcall(init_mktme);
From patchwork Tue Dec 4 07:39:58 2018
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10711235
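Review bot: in include/keys/mktme-type.h (patch 10/13), mktme_alg_names[] and mktme_type_names[] are defined in the header without static, so each file that includes it emits its own external definition and a second includer will fail at link time. Keep only extern declarations in the header and move the two tables into security/keys/mktme_keys.c, or make them static const if every user is meant to carry a private copy. It is also worth a comment that MKTME_TYPE_ERROR is -1 and must never be used as an index into mktme_type_names[].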
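Review bot: in security/keys/mktme_keys.c (patch 10/13), mktme_update_key() returns with mktme_map_lock() still held on two paths, the "if (keyid <= 0) return -EINVAL;" check and the ref_count > 1 branch that returns -EBUSY. Both should leave through a common exit that calls mktme_map_unlock(), the way mktme_instantiate_key() uses its out: label. In mktme_preparse_key(), kmemdup(prep->data, datalen + 1, GFP_KERNEL) copies one byte more than the caller supplied; kmemdup_nul(prep->data, datalen, GFP_KERNEL) produces the terminated copy without the over-read. The same function leaks mktme_payload when mktme_get_options() fails, because payload.data[0] is assigned only on success and the out: path frees options alone; the buffer may already hold hex-decoded key bytes, so release it with kzfree() on that path. prep->quotalen = sizeof(mktme_payload) takes the size of the pointer rather than of struct mktme_payload. In mktme_get_options(), match_token() yields OPT_ERROR (-1) for an unrecognised option and that value reaches test_and_set_bit(token, &token_mask) before the switch default rejects it, so range-check the token first. In mktme_program_keyid(), the same kern_entropy bytes are XORed into both key_field_1 and key_field_2 and the stack buffer is never cleared; draw separate random bytes for each field and wipe the buffer with memzero_explicit() before returning. Lastly, the SPDX tag in this file says GPL-3.0 while the new header says GPL-2.0.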
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: jmorris@namei.org, mingo@redhat.com, hpa@zytor.com, bp@alien8.de, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, dave.hansen@intel.com, kai.huang@intel.com, jun.nakajima@intel.com, dan.j.williams@intel.com, jarkko.sakkinen@intel.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org
Subject: [RFC v2 11/13] keys/mktme: Program memory encryption keys on a system wide basis
Date: Mon, 3 Dec 2018 23:39:58 -0800
Message-Id: <72dd5f38c1fdbc4c532f8caf2d2010f1ddfa8439.1543903910.git.alison.schofield@intel.com>

The kernel manages the MKTME (Multi-Key Total Memory Encryption) Keys
as a system wide single pool of keys. The hardware, however, manages
the keys on a per physical package basis. Each physical package
maintains a Key Table that all CPUs in that package share.

In order to maintain the consistent, system wide view that the kernel
requires, program all physical packages during a key program request.

Change-Id: I0ff46f37fde47a0305842baeb8ea600b6c568639
Signed-off-by: Alison Schofield
--- security/keys/mktme_keys.c | 61 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 60 insertions(+), 1 deletion(-) diff --git a/security/keys/mktme_keys.c b/security/keys/mktme_keys.c index e615eb58e600..7f113146acf2 100644 --- a/security/keys/mktme_keys.c +++ b/security/keys/mktme_keys.c
@@ -21,6 +21,7 @@ #include "internal.h" struct kmem_cache *mktme_prog_cache; /* Hardware programming cache */ +cpumask_var_t mktme_leadcpus; /* one cpu per pkg to program keys */ static const char * const mktme_program_err[] = { "KeyID was successfully programmed", /* 0 */ @@ -59,6 +60,37 @@ static void mktme_destroy_key(struct key *key) key_put_encrypt_ref(mktme_map_keyid_from_key(key)); } +struct mktme_hw_program_info { + struct mktme_key_program *key_program; + unsigned long status; +}; + +/* Program a KeyID on a single package. */ +static void mktme_program_package(void *hw_program_info) +{ + struct mktme_hw_program_info *info = hw_program_info; + int ret; + + ret = mktme_key_program(info->key_program); + if (ret != MKTME_PROG_SUCCESS) + WRITE_ONCE(info->status, ret); +} + +/* Program a KeyID across the entire system. */ +static int mktme_program_system(struct mktme_key_program *key_program, + cpumask_var_t mktme_cpumask) +{ + struct mktme_hw_program_info info = { + .key_program = key_program, + .status = MKTME_PROG_SUCCESS, + }; + get_online_cpus(); + on_each_cpu_mask(mktme_cpumask, mktme_program_package, &info, 1); + put_online_cpus(); + + return info.status; +} + /* Copy the payload to the HW programming structure and program this KeyID */ static int mktme_program_keyid(int keyid, struct mktme_payload *payload) { @@ -84,7 +116,7 @@ static int mktme_program_keyid(int keyid, struct mktme_payload *payload) kprog->key_field_2[i] ^= kern_entropy[i]; } } - ret = mktme_key_program(kprog); + ret = mktme_program_system(kprog, mktme_leadcpus); kmem_cache_free(mktme_prog_cache, kprog); return ret; } 
@@ -299,6 +331,28 @@ struct key_type key_type_mktme = { .destroy = mktme_destroy_key, }; +static int mktme_build_leadcpus_mask(void) +{ + int online_cpu, mktme_cpu; + int online_pkgid, mktme_pkgid = -1; + + if (!zalloc_cpumask_var(&mktme_leadcpus, GFP_KERNEL)) + return -ENOMEM; + + for_each_online_cpu(online_cpu) { + online_pkgid = topology_physical_package_id(online_cpu); + + for_each_cpu(mktme_cpu, mktme_leadcpus) { + mktme_pkgid = topology_physical_package_id(mktme_cpu); + if (mktme_pkgid == online_pkgid) + break; + } + if (mktme_pkgid != online_pkgid) + cpumask_set_cpu(online_cpu, mktme_leadcpus); + } + return 0; +} + /* * Allocate the global mktme_map structure based on the available keyids. * Create a cache for the hardware structure. Initialize the encrypt_count 
@@ -323,10 +377,15 @@ static int __init init_mktme(void) if (mktme_alloc_encrypt_array() < 0) goto free_cache; + if (mktme_build_leadcpus_mask() < 0) + goto free_array; + ret = register_key_type(&key_type_mktme); if (!ret) return ret; /* SUCCESS */ + free_cpumask_var(mktme_leadcpus); +free_array: mktme_free_encrypt_array(); free_cache: kmem_cache_destroy(mktme_prog_cache);
From patchwork Tue Dec 4 07:39:59 2018
X-Patchwork-Submitter: Alison Schofield
X-Patchwork-Id: 10711233
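Review bot: in mktme_program_system() (patch 11/13), a failure on one package leaves the Key Tables inconsistent with no recovery, because info.status carries a single value for all packages and the callers only map a non-success result to -ENOKEY. When mktme_program_package() fails on one lead CPU while the others succeed, some packages hold the new key and some do not, which is the state the commit message says must not occur. Either reprogram the KeyID to a known state on every package when any package fails, or collect a per-package result so the caller can undo the ones that succeeded. Two smaller points in the same hunk: status is declared unsigned long but returned as int, and when several packages fail the concurrent WRITE_ONCE() calls leave only the last writer's error code.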
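Review bot: mktme_build_leadcpus_mask() (patch 11/13) computes mktme_leadcpus once, from the CPUs online at init time, and nothing in this patch updates it afterwards. on_each_cpu_mask() only runs the callback on CPUs in the mask that are currently online, so if a package's lead CPU is later taken offline while its siblings stay up, that package is silently skipped and info.status remains MKTME_PROG_SUCCESS. Unless a later patch in the series maintains the mask from a CPU hotplug callback, build the per-package mask inside mktme_program_system() under get_online_cpus(), or add a check that every online package has a lead CPU in the mask before programming. A short comment on the function stating when the mask is valid would help either way.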
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: jmorris@namei.org, mingo@redhat.com, hpa@zytor.com, bp@alien8.de, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, dave.hansen@intel.com, kai.huang@intel.com, jun.nakajima@intel.com, dan.j.williams@intel.com, jarkko.sakkinen@intel.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org
Subject: [RFC v2 12/13] keys/mktme: Save MKTME data if kernel cmdline parameter allows
Date: Mon, 3 Dec 2018 23:39:59 -0800

MKTME (Multi-Key Total Memory Encryption) key payloads may include
data encryption keys, tweak keys, and additional entropy bits. These
are used to program the MKTME encryption hardware. By default, the
kernel destroys this payload data once the hardware is programmed.

However, in order to fully support CPU Hotplug, saving the key data
becomes important. The MKTME Key Service cannot allow a new physical
package to come online unless it can program the new package's Key Table
to match the Key Tables of all existing physical packages.

With CPU generated keys (a.k.a. random keys or ephemeral keys) the
saving of user key data is not an issue. The kernel and MKTME hardware
can generate strong encryption keys without recalling any user supplied
data.

With USER directed keys (a.k.a. user type) saving the key programming
data (data and tweak key) becomes an issue. The data and tweak keys
are required to program those keys on a new physical package.

In preparation for adding CPU hotplug support:

Add an 'mktme_vault' where key data is stored.

Add 'mktme_savekeys' kernel command line parameter that directs
what key data can be stored.
If it is not set, kernel does not store users data key or tweak key. Add 'mktme_bitmap_user_type' to track when USER type keys are in use. If no USER type keys are currently in use, a physical package may be brought online, despite the absence of 'mktme_savekeys'. Change-Id: If57414862f1ac131dd97e29bf4f3937ac33777f6 Signed-off-by: Alison Schofield Signed-off-by: Kirill A. Shutemov --- Documentation/admin-guide/kernel-parameters.rst | 1 + Documentation/admin-guide/kernel-parameters.txt | 11 +++++ arch/x86/mm/mktme.c | 2 + security/keys/mktme_keys.c | 65 +++++++++++++++++++++++++ 4 files changed, 79 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.rst b/Documentation/admin-guide/kernel-parameters.rst index b8d0bc07ed0a..1b62b86d0666 100644 --- a/Documentation/admin-guide/kernel-parameters.rst +++ b/Documentation/admin-guide/kernel-parameters.rst @@ -120,6 +120,7 @@ parameter is applicable:: Documentation/m68k/kernel-options.txt. MDA MDA console support is enabled. MIPS MIPS architecture is enabled. + MKTME Multi-Key Total Memory Encryption is enabled. MOUSE Appropriate mouse support is enabled. MSI Message Signaled Interrupts (PCI). MTD MTD (Memory Technology Device) support is enabled. diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 81d1d5a74728..c777dbf0f75c 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt 
@@ -2497,6 +2497,17 @@ in the "bleeding edge" mini2440 support kernel at http://repo.or.cz/w/linux-2.6/mini2440.git + mktme_savekeys [X86, MKTME] When CONFIG_X86_INTEL_MKTME is set + this parameter allows the kernel to save the user + specified MKTME key payload. Saving this payload + means that the MKTME Key Service can always allows + the addition of new physical packages. If the + mktme_savekeys parameter is not present, users key + data will not be saved, and new physical packages + may only be added to the system if no user type + MKTME keys are in use. + See Documentation/x86/mktme.rst + mminit_loglevel= [KNL] When CONFIG_DEBUG_MEMORY_INIT is set, this parameter allows control of the logging verbosity for diff --git a/arch/x86/mm/mktme.c b/arch/x86/mm/mktme.c index 55d34beb9b81..f96f4f2884e8 100644 --- a/arch/x86/mm/mktme.c +++ b/arch/x86/mm/mktme.c @@ -99,10 +99,12 @@ void mktme_map_set_keyid(int keyid, void *key) mktme_map->mapped_keyids++; } +extern unsigned long *mktme_bitmap_user_type; void mktme_map_free_keyid(int keyid) { mktme_map->key[keyid] = 0; mktme_map->mapped_keyids--; + clear_bit(keyid, mktme_bitmap_user_type); } int mktme_map_keyid_from_key(void *key) diff --git a/security/keys/mktme_keys.c b/security/keys/mktme_keys.c index 7f113146acf2..e9c7d306cba1 100644 --- a/security/keys/mktme_keys.c +++ b/security/keys/mktme_keys.c @@ -23,6 +23,11 @@ struct kmem_cache *mktme_prog_cache; /* Hardware programming cache */ cpumask_var_t mktme_leadcpus; /* one cpu per pkg to program keys */ +/* Kernel command line parameter allows saving of users key payload. */ +static bool mktme_savekeys; +/* Track the existence of user type keys to make package hotplug decisions. */ +unsigned long *mktme_bitmap_user_type; + static const char * const mktme_program_err[] = { "KeyID was successfully programmed", /* 0 */ "Invalid KeyID programming command", /* 1 */ 
@@ -54,6 +59,9 @@ struct mktme_payload { u8 tweak_key[MKTME_AES_XTS_SIZE]; }; +/* Store keys in this vault if cmdline parameter mktme_savekeys allows */ +struct mktme_payload *mktme_vault; + /* Key Service Method called when Key is garbage collected. */ static void mktme_destroy_key(struct key *key) { @@ -121,6 +129,23 @@ static int mktme_program_keyid(int keyid, struct mktme_payload *payload) return ret; } +static void mktme_load_vault(int keyid, struct mktme_payload *payload) +{ + /* + * Always save the control fields to program hotplugged + * packages with RANDOM, CLEAR, or NO_ENCRYPT type keys. + */ + mktme_vault[keyid].keyid_ctrl = payload->keyid_ctrl; + + /* Only save data and tweak keys if allowed */ + if (mktme_savekeys) { + memcpy(mktme_vault[keyid].data_key, payload->data_key, + MKTME_AES_XTS_SIZE); + memcpy(mktme_vault[keyid].tweak_key, payload->tweak_key, + MKTME_AES_XTS_SIZE); + } +} + /* Key Service Method to update an existing key. */ static int mktme_update_key(struct key *key, struct key_preparsed_payload *prep) @@ -144,11 +169,23 @@ static int mktme_update_key(struct key *key, keyid, ref_count); return -EBUSY; } + + /* Forget if key was user type. */ + clear_bit(keyid, mktme_bitmap_user_type); + ret = mktme_program_keyid(keyid, payload); if (ret != MKTME_PROG_SUCCESS) { pr_debug("%s: %s\n", __func__, mktme_program_err[ret]); ret = -ENOKEY; + goto out; } + + mktme_load_vault(keyid, payload); + + /* Remember if this key is user type. */ + if ((payload->keyid_ctrl & 0xff) == MKTME_KEYID_SET_KEY_DIRECT) + set_bit(keyid, mktme_bitmap_user_type); +out: mktme_map_unlock(); return ret; } 
@@ -171,6 +208,13 @@ int mktme_instantiate_key(struct key *key, struct key_preparsed_payload *prep) ret = -ENOKEY; goto out; } + + mktme_load_vault(keyid, payload); + + /* Remember if key is user type. */ + if ((payload->keyid_ctrl & 0xff) == MKTME_KEYID_SET_KEY_DIRECT) + set_bit(keyid, mktme_bitmap_user_type); + mktme_map_set_keyid(keyid, key); key_get_encrypt_ref(keyid); out: @@ -380,10 +424,23 @@ static int __init init_mktme(void) if (mktme_build_leadcpus_mask() < 0) goto free_array; + mktme_bitmap_user_type = bitmap_zalloc(mktme_nr_keyids, GFP_KERNEL); + if (!mktme_bitmap_user_type) + goto free_mask; + + mktme_vault = kzalloc(sizeof(mktme_vault[0]) * (mktme_nr_keyids + 1), + GFP_KERNEL); + if (!mktme_vault) + goto free_bitmap; + ret = register_key_type(&key_type_mktme); if (!ret) return ret; /* SUCCESS */ + kfree(mktme_vault); +free_bitmap: + bitmap_free(mktme_bitmap_user_type); +free_mask: free_cpumask_var(mktme_leadcpus); free_array: mktme_free_encrypt_array(); 
@@ -396,3 +453,11 @@ static int __init init_mktme(void) } late_initcall(init_mktme); + +static int mktme_enable_savekeys(char *__unused) +{ + mktme_savekeys = true; + return 1; +} +__setup("mktme_savekeys", mktme_enable_savekeys); + From patchwork Tue Dec 4 07:40:00 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alison Schofield X-Patchwork-Id: 10711239 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1D4CB16B1 for ; Tue, 4 Dec 2018 07:37:57 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 07D682A46B for ; Tue, 4 Dec 2018 07:37:57 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id EDB342A544; Tue, 4 Dec 2018 07:37:56 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=unavailable version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 48E112A46B for ; Tue, 4 Dec 2018 07:37:56 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 4A8DF6B6D97; Tue, 4 Dec 2018 02:37:35 -0500 (EST) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 31E576B6D9B; Tue, 4 Dec 2018 02:37:35 -0500 (EST) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id E69126B6D97; Tue, 4 Dec 2018 02:37:34 -0500 (EST) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-pf1-f197.google.com (mail-pf1-f197.google.com [209.85.210.197]) by kanga.kvack.org (Postfix) with ESMTP id 
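Review bot: In the mktme_savekeys entry added to Documentation/admin-guide/kernel-parameters.txt, the text never states what the parameter costs: with it set, the user-supplied data and tweak keys stay resident in kernel memory (in mktme_vault) instead of being destroyed after the hardware is programmed, which the commit message describes as the default. An administrator choosing this boot option needs that trade-off spelled out in the entry itself. Two wording fixes in the same entry: "can always allows" should read "can always allow", and "users key data" should read "user's key data".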
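Review bot: In arch/x86/mm/mktme.c, mktme_map_free_keyid() clears the user-type bit but the saved key material for that KeyID is left behind: none of the hunks in this patch zeroes mktme_vault[keyid] when a KeyID is released, so with mktme_savekeys set the data_key and tweak_key of a freed key stay in memory until the slot is programmed again. Consider memzero_explicit(&mktme_vault[keyid], sizeof(mktme_vault[keyid])) on the free path. Separately, the extern declaration of mktme_bitmap_user_type belongs in a shared header rather than in a .c file.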
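Review bot: In mktme_update_key(), clear_bit(keyid, mktme_bitmap_user_type) runs before mktme_program_keyid(), and the new failure path jumps to out without restoring it. If programming fails, the bitmap no longer records that this KeyID held a user type key, while mktme_vault[keyid] still holds the previous entry, so the two disagree. Clear the bit only after programming succeeds, or derive it from the new payload in one place; mktme_load_vault() is a natural home, which would also remove the duplicated (payload->keyid_ctrl & 0xff) == MKTME_KEYID_SET_KEY_DIRECT test in mktme_instantiate_key().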
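Review bot: In init_mktme(), mktme_bitmap_user_type is allocated with mktme_nr_keyids bits while mktme_vault directly below it is sized for mktme_nr_keyids + 1 entries. If KeyIDs run from 1 to mktme_nr_keyids inclusive, as the vault sizing implies, set_bit(keyid, mktme_bitmap_user_type) for the highest KeyID addresses one bit past the bitmap's declared length. Size the bitmap with mktme_nr_keyids + 1 as well. The vault allocation would also be safer against multiplication overflow as kcalloc(mktme_nr_keyids + 1, sizeof(mktme_vault[0]), GFP_KERNEL).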
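Review bot: mktme_savekeys, declared near the top of security/keys/mktme_keys.c and set only by the __setup() handler in the last hunk, decides whether raw key material is retained, yet it remains writable for the life of the system. Since it is only ever written while parsing the command line, mark it __ro_after_init so it cannot change after boot.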
From: Alison Schofield
To: dhowells@redhat.com, tglx@linutronix.de
Cc: jmorris@namei.org, mingo@redhat.com, hpa@zytor.com, bp@alien8.de,
 luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com,
 dave.hansen@intel.com, kai.huang@intel.com, jun.nakajima@intel.com,
 dan.j.williams@intel.com, jarkko.sakkinen@intel.com,
 keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
 linux-mm@kvack.org, x86@kernel.org
Subject: [RFC v2 13/13] keys/mktme: Support CPU Hotplug for MKTME keys
Date: Mon, 3 Dec 2018 23:40:00 -0800

The MKTME (Multi-Key Memory Encryption Keys) hardware resides on each physical package. The kernel maintains one Key Table on each physical package and these Key Tables must all remain in sync. (From here on, package means physical package.)

Although every CPU on that package has the ability to program the Key Table, the kernel uses one 'lead' cpu per package to program the Key Tables. Typically, keys are programmed one at a time, across all packages, as the 'add key' requests come in from userspace.

Some CPU hotplug scenarios are handled quite simply:
  > Teardown a non lead CPU --> do nothing
  > Teardown a lead CPU --> pick a new lead CPU
  > Teardown a lead/last CPU of a package --> forget this package
  > Startup a CPU in a known package --> do nothing
  > Startup a CPU in a new package and no keys are programmed --> do nothing

Then there is the more interesting case for MKTME: a CPU is starting up for a new package and keys are programmed on the existing packages. The Key Table on the new package will need to be programmed to match the Key Tables on all existing packages.
The issue is whether or not the Key Service has the information it needs to program the new Key Table. To address this, a new kernel commandline parameter 'mktme_savekeys' was introduced in a previous patch. It allows the kernel to save the data needed to program keys, beyond their first add key request. When 'mktme_savekeys' is not present, new packages may still be added if all currently programmed keys are not USER type. This means that CPU generated keys are an option for users not wanting to save key data, but who also want to support the addition of new packages. Change-Id: I219192fc59dd9f433963c4959f33d7f013c9f73a Signed-off-by: Alison Schofield Signed-off-by: Kirill A. Shutemov --- security/keys/mktme_keys.c | 135 ++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 126 insertions(+), 9 deletions(-) diff --git a/security/keys/mktme_keys.c b/security/keys/mktme_keys.c index e9c7d306cba1..fb4d4061d2f3 100644 --- a/security/keys/mktme_keys.c +++ b/security/keys/mktme_keys.c 
@@ -86,21 +86,29 @@ static void mktme_program_package(void *hw_program_info) /* Program a KeyID across the entire system. */ static int mktme_program_system(struct mktme_key_program *key_program, - cpumask_var_t mktme_cpumask) + cpumask_var_t mktme_cpumask, int hotplug) { struct mktme_hw_program_info info = { .key_program = key_program, .status = MKTME_PROG_SUCCESS, }; - get_online_cpus(); - on_each_cpu_mask(mktme_cpumask, mktme_program_package, &info, 1); - put_online_cpus(); + + if (!hotplug) { + get_online_cpus(); + on_each_cpu_mask(mktme_cpumask, mktme_program_package, + &info, 1); + put_online_cpus(); + } else { + on_each_cpu_mask(mktme_cpumask, mktme_program_package, + &info, 1); + } return info.status; } /* Copy the payload to the HW programming structure and program this KeyID */ -static int mktme_program_keyid(int keyid, struct mktme_payload *payload) +static int mktme_program_keyid(int keyid, struct mktme_payload *payload, + cpumask_var_t mask, int hotplug) { struct mktme_key_program *kprog = NULL; u8 kern_entropy[MKTME_AES_XTS_SIZE]; @@ -124,7 +132,7 @@ static int mktme_program_keyid(int keyid, struct mktme_payload *payload) kprog->key_field_2[i] ^= kern_entropy[i]; } } - ret = mktme_program_system(kprog, mktme_leadcpus); + ret = mktme_program_system(kprog, mktme_leadcpus, hotplug); kmem_cache_free(mktme_prog_cache, kprog); return ret; } @@ -173,7 +181,7 @@ static int mktme_update_key(struct key *key, /* Forget if key was user type. */ clear_bit(keyid, mktme_bitmap_user_type); - ret = mktme_program_keyid(keyid, payload); + ret = mktme_program_keyid(keyid, payload, mktme_leadcpus, 0); if (ret != MKTME_PROG_SUCCESS) { pr_debug("%s: %s\n", __func__, mktme_program_err[ret]); ret = -ENOKEY; 
@@ -202,7 +210,7 @@ int mktme_instantiate_key(struct key *key, struct key_preparsed_payload *prep) ret = -ENOKEY; goto out; } - ret = mktme_program_keyid(keyid, payload); + ret = mktme_program_keyid(keyid, payload, mktme_leadcpus, 0); if (ret != MKTME_PROG_SUCCESS) { pr_debug("%s: %s\n", __func__, mktme_program_err[ret]); ret = -ENOKEY; @@ -375,6 +383,10 @@ struct key_type key_type_mktme = { .destroy = mktme_destroy_key, }; +/* + * Build mktme_leadcpus mask to include one cpu per physical package. + * The mask is used to program the Key Table on each physical package. + */ static int mktme_build_leadcpus_mask(void) { int online_cpu, mktme_cpu; 
@@ -397,6 +409,102 @@ static int mktme_build_leadcpus_mask(void) return 0; } +/* A new packages Key Table is programmed with data saved in mktme_vault. */ +static int mktme_program_new_package(cpumask_var_t mask) +{ + struct key *key; + int hotplug = 1; + int keyid, ret; + + /* When a KeyID slot is freed, it's corresponding Key is 0 */ + for (keyid = 1; keyid <= mktme_nr_keyids; keyid++) { + key = mktme_map_key_from_keyid(keyid); + if (!key) + continue; + /* If one key fails to program, fail the entire package. */ + ret = mktme_program_keyid(keyid, &mktme_vault[keyid], + mask, hotplug); + if (ret != MKTME_PROG_SUCCESS) { + pr_debug("%s: %s\n", __func__, mktme_program_err[ret]); + ret = -ENOKEY; + break; + } + } + return ret; +} + +static int mktme_hotplug_cpu_startup(unsigned int cpu) +{ + int lead_cpu, ret = 0; + cpumask_var_t newmask; + int pkgid = topology_physical_package_id(cpu); + + mktme_map_lock(); + + /* Nothing to do if a lead CPU exists for this package. */ + for_each_cpu(lead_cpu, mktme_leadcpus) + if (topology_physical_package_id(lead_cpu) == pkgid) + goto out_unlock; + + /* No keys to program. Just add the new lead CPU to mask. */ + if (!mktme_map_mapped_keyids()) + goto out_add_cpu; + + /* Keys need to be programmed. Confirm programming can be done. */ + if (!mktme_savekeys && + (bitmap_weight(mktme_bitmap_user_type, mktme_nr_keyids))) { + ret = -EPERM; + goto out_unlock; + } + + /* Program only this packages Key Table, not all Key Tables. */ + if (!zalloc_cpumask_var(&newmask, GFP_KERNEL)) { + ret = -ENOMEM; + goto out_unlock; + } + cpumask_set_cpu(cpu, newmask); + ret = mktme_program_new_package(newmask); + if (ret < 0) { + free_cpumask_var(newmask); + goto out_unlock; + } + + free_cpumask_var(newmask); +out_add_cpu: + /* Make this cpu a lead cpu for all future Key programming requests. 
*/ + cpumask_set_cpu(cpu, mktme_leadcpus); +out_unlock: + mktme_map_unlock(); + return ret; +} + +static int mktme_hotplug_cpu_teardown(unsigned int cpu) +{ + int pkgid, online_cpu; + + mktme_map_lock(); + /* Teardown cpu is not a lead cpu, nothing to do. */ + if (!cpumask_test_and_clear_cpu(cpu, mktme_leadcpus)) + goto out; + /* + * Teardown cpu is a lead cpu. If the physical package + * is still present, pick a new lead cpu. Beware: the + * teardown cpu is still in the online_cpu mask. Do + * not pick it again. + */ + pkgid = topology_physical_package_id(cpu); + for_each_online_cpu(online_cpu) + if (online_cpu != cpu && + pkgid == topology_physical_package_id(online_cpu)) { + cpumask_set_cpu(online_cpu, mktme_leadcpus); + break; + } +out: + mktme_map_unlock(); + /* Teardowns always succeed. */ + return 0; +} + /* * Allocate the global mktme_map structure based on the available keyids. * Create a cache for the hardware structure. Initialize the encrypt_count @@ -405,7 +513,7 @@ static int mktme_build_leadcpus_mask(void) */ static int __init init_mktme(void) { - int ret; + int ret, cpuhp; /* Verify keys are present */ if (!(mktme_nr_keyids > 0)) @@ -433,10 +541,19 @@ static int __init init_mktme(void) if (!mktme_vault) goto free_bitmap; + cpuhp = cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN, + "keys/mktme_keys:online", + mktme_hotplug_cpu_startup, + mktme_hotplug_cpu_teardown); + if (cpuhp < 0) + goto free_vault; + ret = register_key_type(&key_type_mktme); if (!ret) return ret; /* SUCCESS */ + cpuhp_remove_state_nocalls(cpuhp); +free_vault: kfree(mktme_vault); free_bitmap: bitmap_free(mktme_bitmap_user_type);
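Review bot: In mktme_program_system(), the new int hotplug argument only selects whether get_online_cpus()/put_online_cpus() wrap the call, and on_each_cpu_mask() is now written out twice. A bool with the get/put made conditional around a single on_each_cpu_mask() call would read more clearly, and the function needs a comment saying why the hotplug path must not take the CPU hotplug lock, since that is the whole reason for the parameter.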
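Review bot: mktme_program_keyid() gains a mask argument, but the hunk at line 132 still passes the global to the hardware call: ret = mktme_program_system(kprog, mktme_leadcpus, hotplug);. The mask parameter is not used anywhere in the visible body, so mktme_program_new_package(newmask) would program the existing lead CPUs rather than the CPU placed in newmask, and the new CPU is only added to mktme_leadcpus at out_add_cpu, after programming has finished. Pass mask through to mktme_program_system() here.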
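Review bot: In mktme_program_new_package(), ret is declared without an initial value and is returned after a loop whose body may never assign it, because every iteration can take the continue; initialise it to 0. In mktme_hotplug_cpu_startup() in the same hunk, bitmap_weight(mktme_bitmap_user_type, mktme_nr_keyids) counts bits 0 to mktme_nr_keyids - 1, while the loop above walks keyid up to and including mktme_nr_keyids, so a user type key in the highest KeyID would not block the hotplug. The -EPERM path also refuses the CPU with no message; a pr_warn that names mktme_savekeys would tell the administrator why the package could not come online.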
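Review bot: In init_mktme(), the callbacks are registered with cpuhp_setup_state_nocalls() some time after mktme_build_leadcpus_mask() has walked the online CPUs, and nothing in these hunks holds the CPU hotplug lock across the two steps. A package that comes online in between is in neither the initial mask nor the callback's view, so it would never get a lead CPU or a programmed Key Table. Either hold the lock across both steps (get_online_cpus() together with cpuhp_setup_state_nocalls_cpuslocked()) or let the startup callback build the mask by registering with cpuhp_setup_state().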