Re: [RFC PATCH v2 11/11] powerpc/book3s32: Implement Kernel Userspace Access Protection

2018-12-11 Thread Christophe Leroy




On 12/11/2018 05:25 AM, Russell Currey wrote:
> On Wed, 2018-11-28 at 09:27 +, Christophe Leroy wrote:
>> This patch implements Kernel Userspace Access Protection for
>> book3s/32.
>>
>> Due to limitations of the processor page protection capabilities,
>> the protection is only against writing. Read protection cannot be
>> achieved using page protection.
>>
>> In order to provide the protection, Ku and Ks keys are modified in
>> Userspace Segment registers, and different PP bits are used to:
>>
>> PP01 provides RW for Key 0 and RO for Key 1
>> PP10 provides RW for all
>> PP11 provides RO for all
>>
>> Today PP10 is used for RW pages and PP11 for RO pages. This patch
>> modifies page protection to PP01 for RW pages.
>>
>> Then segment registers are set to Ku 0 and Ks 1. When the kernel needs
>> to write to RW pages, the associated segment register is changed to
>> Ks 0 in order to allow write access to the kernel.
>>
>> In order to avoid having to read all segment registers when
>> locking/unlocking the access, some data is kept in the thread_struct
>> and saved on stack on exceptions. The field identifies both the
>> first unlocked segment and the first segment following the last
>> unlocked one. When no segment is unlocked, it contains value 0.
>>
>> Signed-off-by: Christophe Leroy 
> 
> Hey Christophe, I tried to test this and got a machine check after the
> kernel starts init.


A program check, you mean?



> Vector: 700 (Program Check) at [ef0b5e70]
>     pc: 0ca4
>     lr: b7e1a030
>     sp: ef0b5f30
>    msr: 81002
>   current = 0xef0b8000
>     pid   = 1, comm = init
> 
> Testing with mac99 model in qemu.


That's pretty surprising. At 0xca4 there is nothing particular for me.
This is a handler for system calls. Do you have the same?
How can this trigger a program check? According to the MSR, the check
is due to an illegal instruction (bit 12). And we are with MMU off.


cc00 :
cc00:   7d 50 43 a6     mtsprg  0,r10
cc04:   7d 71 43 a6     mtsprg  1,r11
cc08:   7d 40 00 26     mfcr    r10
cc0c:   7d 7b 02 a6     mfsrr1  r11
cc10:   71 6b 40 00     andi.   r11,r11,16384
cc14:   3d 61 40 00     addis   r11,r1,16384
cc18:   41 82 00 14     beq     cc2c
cc1c:   7d 73 42 a6     mfsprg  r11,3
cc20:   81 6b fb d8     lwz     r11,-1064(r11)
cc24:   39 6b 20 00     addi    r11,r11,8192
cc28:   3d 6b 40 00     addis   r11,r11,16384
cc2c:   39 6b ff 40     addi    r11,r11,-192
cc30:   91 4b 00 a8     stw     r10,168(r11)
cc34:   91 8b 00 40     stw     r12,64(r11)
cc38:   91 2b 00 34     stw     r9,52(r11)
cc3c:   7d 50 42 a6     mfsprg  r10,0
cc40:   91 4b 00 38     stw     r10,56(r11)
cc44:   7d 91 42 a6     mfsprg  r12,1
cc48:   91 8b 00 3c     stw     r12,60(r11)
cc4c:   7d 48 02 a6     mflr    r10
cc50:   91 4b 00 a0     stw     r10,160(r11)
cc54:   7d 9a 02 a6     mfsrr0  r12
cc58:   7d 3b 02 a6     mfsrr1  r9
cc5c:   90 2b 00 14     stw     r1,20(r11)
cc60:   90 2b 00 00     stw     r1,0(r11)
cc64:   3c 2b c0 00     addis   r1,r11,-16384
cc68:   39 40 10 02     li      r10,4098
cc6c:   7d 40 01 24     mtmsr   r10
cc70:   90 0b 00 10     stw     r0,16(r11)
cc74:   3d 40 72 65     lis     r10,29285
cc78:   39 4a 67 73     addi    r10,r10,26483
cc7c:   91 4b 00 08     stw     r10,8(r11)
cc80:   90 6b 00 1c     stw     r3,28(r11)
cc84:   90 8b 00 20     stw     r4,32(r11)
cc88:   90 ab 00 24     stw     r5,36(r11)
cc8c:   90 cb 00 28     stw     r6,40(r11)
cc90:   90 eb 00 2c     stw     r7,44(r11)
cc94:   91 0b 00 30     stw     r8,48(r11)
cc98:   39 40 0c 01     li      r10,3073
cc9c:   91 4b 00 b0     stw     r10,176(r11)
cca0:   39 40 10 32     li      r10,4146
cca4:   51 2a 04 20     rlwimi  r10,r9,0,16,16
cca8:   48 01 13 5d     bl      c0012004

Christophe



> - Russell



Re: [RFC PATCH v2 11/11] powerpc/book3s32: Implement Kernel Userspace Access Protection

2018-12-10 Thread Russell Currey
On Wed, 2018-11-28 at 09:27 +, Christophe Leroy wrote:
> This patch implements Kernel Userspace Access Protection for
> book3s/32.
> 
> Due to limitations of the processor page protection capabilities,
> the protection is only against writing. Read protection cannot be
> achieved using page protection.
> 
> In order to provide the protection, Ku and Ks keys are modified in
> Userspace Segment registers, and different PP bits are used to:
> 
> PP01 provides RW for Key 0 and RO for Key 1
> PP10 provides RW for all
> PP11 provides RO for all
> 
> Today PP10 is used for RW pages and PP11 for RO pages. This patch
> modifies page protection to PP01 for RW pages.
> 
> Then segment registers are set to Ku 0 and Ks 1. When the kernel needs
> to write to RW pages, the associated segment register is changed to
> Ks 0 in order to allow write access to the kernel.
> 
> In order to avoid having to read all segment registers when
> locking/unlocking the access, some data is kept in the thread_struct
> and saved on stack on exceptions. The field identifies both the
> first unlocked segment and the first segment following the last
> unlocked one. When no segment is unlocked, it contains value 0.
> 
> Signed-off-by: Christophe Leroy 

Hey Christophe, I tried to test this and got a machine check after the
kernel starts init.

Vector: 700 (Program Check) at [ef0b5e70]
    pc: 0ca4
    lr: b7e1a030
    sp: ef0b5f30
   msr: 81002
  current = 0xef0b8000
    pid   = 1, comm = init

Testing with mac99 model in qemu.

- Russell
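The key/PP scheme described in the quoted commit message (both in Christophe's original and as re-quoted above) is easier to reason about with a small model in hand. The C program below is an added example written for this page; it is not code from the patch or from the kernel. It models the 32-bit PowerPC protection rules (the supervisor key Ks and the user key Ku/Kp of the segment register, combined with the PP bits of a PTE) and the lock/unlock dance on segment registers. Assumptions not on the page: the kernel is assumed to live at 0xc0000000 so segments 0..11 are user space, every page is treated as a user RW page (so only the PP value for RW pages matters), and the single-field packing of the unlocked range (high byte = first unlocked segment, low byte = first segment after it, 0 = everything locked) is a hypothetical encoding chosen here, not the layout the patch uses.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Access the MMU grants after resolving key and PP bits. */
enum access { ACC_NONE, ACC_RO, ACC_RW };

/* PP field of a classic 32-bit PowerPC PTE. */
enum pp { PP00 = 0, PP01 = 1, PP10 = 2, PP11 = 3 };

/*
 * Key/PP resolution of the 32-bit PowerPC architecture (the rules the
 * commit message quotes): key 0 gets RW except under PP11; key 1 gets
 * no access under PP00, RO under PP01 and PP11, RW under PP10.
 */
static enum access resolve(unsigned key, enum pp prot)
{
    if (key == 0)
        return prot == PP11 ? ACC_RO : ACC_RW;
    switch (prot) {
    case PP00: return ACC_NONE;
    case PP01: return ACC_RO;
    case PP10: return ACC_RW;
    default:   return ACC_RO;   /* PP11 */
    }
}

/* A segment register reduced to its two key bits (Kp is "Ku" in the kernel). */
struct segreg { unsigned ks : 1; unsigned ku : 1; };

#define NSEGS 16                    /* 16 x 256 MiB segments cover the 4 GiB EA space */
#define SEG_OF(ea) ((unsigned)((uint32_t)(ea) >> 28))
#define KERNEL_BASE 0xc0000000u     /* assumption for this model: user space is below this */
#define RW_PP PP01                  /* protection the patch gives user RW pages (was PP10) */

struct cpu {
    struct segreg sr[NSEGS];
    /*
     * Hypothetical packing of the per-thread "unlocked range" field:
     * bits 8..15 = first unlocked segment, bits 0..7 = first segment
     * after the last unlocked one, 0 = nothing unlocked.
     */
    uint16_t kuap;
};

/* Boot-time setup: Ku 0 and Ks 1 on every user segment, Ks 0 on kernel ones. */
static void kuap_init(struct cpu *c)
{
    for (unsigned i = 0; i < NSEGS; i++) {
        c->sr[i].ku = 0;
        c->sr[i].ks = (i < SEG_OF(KERNEL_BASE));
    }
    c->kuap = 0;
}

/* Supervisor state is checked with Ks, problem (user) state with Ku. */
static enum access kernel_access(const struct cpu *c, uint32_t ea)
{
    return resolve(c->sr[SEG_OF(ea)].ks, RW_PP);
}

static enum access user_access(const struct cpu *c, uint32_t ea)
{
    return resolve(c->sr[SEG_OF(ea)].ku, RW_PP);
}

static bool kernel_can_write(const struct cpu *c, uint32_t ea)
{
    return kernel_access(c, ea) == ACC_RW;
}

/* Open a write window: clear Ks on each segment that [ea, ea+size) touches. */
static void allow_user_write(struct cpu *c, uint32_t ea, uint32_t size)
{
    unsigned first = SEG_OF(ea), end = SEG_OF(ea + size - 1) + 1;
    for (unsigned i = first; i < end; i++)
        c->sr[i].ks = 0;
    c->kuap = (uint16_t)(first << 8 | end);
}

/* Close the window again from the saved field alone, touching no other SR. */
static void prevent_user_write(struct cpu *c)
{
    unsigned first = c->kuap >> 8, end = c->kuap & 0xff;
    for (unsigned i = first; i < end; i++)
        c->sr[i].ks = 1;
    c->kuap = 0;
}

int main(void)
{
    struct cpu c;
    uint32_t ubuf = 0x10001000u;    /* constructed user address in segment 1 */

    kuap_init(&c);
    printf("locked:   kernel write %s, user write %s\n",
           kernel_can_write(&c, ubuf) ? "allowed" : "denied",
           user_access(&c, ubuf) == ACC_RW ? "allowed" : "denied");
    allow_user_write(&c, ubuf, 64);
    printf("unlocked: kernel write %s (field 0x%04x)\n",
           kernel_can_write(&c, ubuf) ? "allowed" : "denied", c.kuap);
    prevent_user_write(&c);
    printf("relocked: kernel write %s\n",
           kernel_can_write(&c, ubuf) ? "allowed" : "denied");
    return 0;
}
```

Two things the model makes visible: `resolve(1, PP10)` is still RW, which is why the old PP10 mapping for RW pages cannot give any protection no matter how Ks is set, and user accesses keep going through Ku, so the kernel-side lock/unlock never changes what user space itself can do. A range that straddles a 256 MiB boundary unlocks two segment registers and is relocked from the saved field without scanning all sixteen.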