When the kpkeys_hardened_pgtables feature is enabled, we need to be able to modify attributes (specifically the pkey/POIndex) in the linear map at page granularity.
Add the appropriate check to can_set_direct_map() and force_pte_mapping(), on the same principle as rodata_full and other features. These functions can be called very early, before POE is actually detected. Introduce a helper that returns whether the hardening feature is/will be enabled, by checking whether POE is supported by the CPU if it hasn't been detected yet. Signed-off-by: Kevin Brodsky <[email protected]> --- arch/arm64/include/asm/kpkeys.h | 18 ++++++++++++++++++ arch/arm64/mm/mmu.c | 3 ++- arch/arm64/mm/pageattr.c | 3 ++- 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/arch/arm64/include/asm/kpkeys.h b/arch/arm64/include/asm/kpkeys.h index 64d6e22740ec..eeebbdfe239a 100644 --- a/arch/arm64/include/asm/kpkeys.h +++ b/arch/arm64/include/asm/kpkeys.h @@ -57,6 +57,24 @@ static __always_inline void arch_kpkeys_restore_pkey_reg(u64 pkey_reg) #endif /* CONFIG_ARM64_POE */ +#ifdef CONFIG_KPKEYS_HARDENED_PGTABLES + +static inline bool arm64_supports_kpkeys_hardened_pgtables(void) +{ + /* POE is a boot feature */ + return boot_capabilities_finalized() ? + system_supports_poe() : cpu_has_poe(); +} + +#else /* CONFIG_KPKEYS_HARDENED_PGTABLES */ + +static inline bool arm64_supports_kpkeys_hardened_pgtables(void) +{ + return false; +} + +#endif /* CONFIG_KPKEYS_HARDENED_PGTABLES */ + #endif /* __ASSEMBLY__ */ #endif /* __ASM_KPKEYS_H */ diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index a8e982ac5079..ea1cb1875257 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c @@ -764,7 +764,8 @@ static inline bool force_pte_mapping(void) return true; if (bbml2) return false; - return rodata_full || arm64_kfence_can_set_direct_map() || is_realm_world(); + return rodata_full || arm64_kfence_can_set_direct_map() || is_realm_world() || + arm64_supports_kpkeys_hardened_pgtables(); } static DEFINE_MUTEX(pgtable_split_lock); diff --git a/arch/arm64/mm/pageattr.c b/arch/arm64/mm/pageattr.c index d2a7e104a5c2..05e57387c0b5 100644 --- a/arch/arm64/mm/pageattr.c +++ b/arch/arm64/mm/pageattr.c @@ -96,7 +96,8 @@ bool can_set_direct_map(void) * Realms need to make pages shared/protected at page granularity. */ return rodata_full || debug_pagealloc_enabled() || - arm64_kfence_can_set_direct_map() || is_realm_world(); + arm64_kfence_can_set_direct_map() || is_realm_world() || + arm64_supports_kpkeys_hardened_pgtables(); } static int update_range_prot(unsigned long start, unsigned long size, -- 2.51.2
