1*dab59af3SLi-Wen Hsu.\" Copyright (c) 2019 The FreeBSD Foundation 24bc66c0fSBrooks Davis.\" 34bc66c0fSBrooks Davis.\" This documentation was written by 44bc66c0fSBrooks Davis.\" Konstantin Belousov <kib@FreeBSD.org> under sponsorship 54bc66c0fSBrooks Davis.\" from the FreeBSD Foundation. 64bc66c0fSBrooks Davis.\" 74bc66c0fSBrooks Davis.\" Redistribution and use in source and binary forms, with or without 84bc66c0fSBrooks Davis.\" modification, are permitted provided that the following conditions 94bc66c0fSBrooks Davis.\" are met: 104bc66c0fSBrooks Davis.\" 1. Redistributions of source code must retain the above copyright 114bc66c0fSBrooks Davis.\" notice, this list of conditions and the following disclaimer. 124bc66c0fSBrooks Davis.\" 2. Redistributions in binary form must reproduce the above copyright 134bc66c0fSBrooks Davis.\" notice, this list of conditions and the following disclaimer in the 144bc66c0fSBrooks Davis.\" documentation and/or other materials provided with the distribution. 154bc66c0fSBrooks Davis.\" 164bc66c0fSBrooks Davis.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 174bc66c0fSBrooks Davis.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 184bc66c0fSBrooks Davis.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 194bc66c0fSBrooks Davis.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 204bc66c0fSBrooks Davis.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 214bc66c0fSBrooks Davis.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 224bc66c0fSBrooks Davis.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 234bc66c0fSBrooks Davis.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 244bc66c0fSBrooks Davis.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 254bc66c0fSBrooks Davis.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 264bc66c0fSBrooks Davis.\" SUCH DAMAGE. 274bc66c0fSBrooks Davis.\" 284bc66c0fSBrooks Davis.Dd February 16, 2019 294bc66c0fSBrooks Davis.Dt PKRU 3 304bc66c0fSBrooks Davis.Os 314bc66c0fSBrooks Davis.Sh NAME 324bc66c0fSBrooks Davis.Nm Protection Key Rights for User pages 334bc66c0fSBrooks Davis.Nd provide fast user-managed key-based access control for pages 344bc66c0fSBrooks Davis.Sh LIBRARY 354bc66c0fSBrooks Davis.Lb libc 364bc66c0fSBrooks Davis.Sh SYNOPSIS 374bc66c0fSBrooks Davis.In machine/sysarch.h 384bc66c0fSBrooks Davis.Ft int 394bc66c0fSBrooks Davis.Fn x86_pkru_get_perm "unsigned int keyidx" "int *access" "int *modify" 404bc66c0fSBrooks Davis.Ft int 414bc66c0fSBrooks Davis.Fn x86_pkru_set_perm "unsigned int keyidx" "int access" "int modify" 424bc66c0fSBrooks Davis.Ft int 434bc66c0fSBrooks Davis.Fo x86_pkru_protect_range 444bc66c0fSBrooks Davis.Fa "void *addr" 454bc66c0fSBrooks Davis.Fa "unsigned long len" 464bc66c0fSBrooks Davis.Fa "unsigned int keyidx" 474bc66c0fSBrooks Davis.Fa "int flag" 484bc66c0fSBrooks Davis.Fc 494bc66c0fSBrooks Davis.Ft int 504bc66c0fSBrooks Davis.Fn x86_pkru_unprotect_range "void *addr" "unsigned long len" 514bc66c0fSBrooks Davis.Sh DESCRIPTION 524bc66c0fSBrooks DavisThe protection keys feature provides an additional mechanism, besides the 534bc66c0fSBrooks Davisnormal page permissions as established by 544bc66c0fSBrooks Davis.Xr mmap 2 554bc66c0fSBrooks Davisand 564bc66c0fSBrooks Davis.Xr mprotect 2 , 574bc66c0fSBrooks Davisto control access to user-mode addresses. 584bc66c0fSBrooks DavisThe mechanism gives safety measures which can be used to avoid 594bc66c0fSBrooks Davisincidental read or modification of sensitive memory, 604bc66c0fSBrooks Davisor as a debugging feature. 614bc66c0fSBrooks DavisIt cannot guard against conscious accesses since permissions 624bc66c0fSBrooks Davisare user-controllable. 634bc66c0fSBrooks Davis.Pp 644bc66c0fSBrooks DavisIf supported by hardware, each mapped user linear address 654bc66c0fSBrooks Davishas an associated 4-bit protection key. 664bc66c0fSBrooks DavisA new per-thread PKRU hardware register determines, for each protection 674bc66c0fSBrooks Daviskey, whether user-mode addresses with that protection key may be 684bc66c0fSBrooks Davisread or written. 694bc66c0fSBrooks Davis.Pp 704bc66c0fSBrooks DavisOnly one key may apply to a given range at a time. 714bc66c0fSBrooks DavisThe default protection key index is zero, it is used even if no key 724bc66c0fSBrooks Daviswas explicitly assigned to the address, or if the key was removed. 734bc66c0fSBrooks Davis.Pp 744bc66c0fSBrooks DavisThe protection prevents the system from accessing user addresses as well 754bc66c0fSBrooks Davisas the user applications. 764bc66c0fSBrooks DavisWhen a system call was unable to read or write user memory due to key 774bc66c0fSBrooks Davisprotection, it returns the 784bc66c0fSBrooks Davis.Er EFAULT 794bc66c0fSBrooks Daviserror code. 804bc66c0fSBrooks DavisNote that some side effects may have occurred if this error is reported. 814bc66c0fSBrooks Davis.Pp 824bc66c0fSBrooks DavisProtection keys require that the system uses 4-level paging 834bc66c0fSBrooks Davis(also called long mode), 844bc66c0fSBrooks Daviswhich means that it is only available on amd64 system. 854bc66c0fSBrooks DavisBoth 64-bit and 32-bit applications can use protection keys. 864bc66c0fSBrooks DavisMore information about the hardware feature is provided in the IA32 Software 874bc66c0fSBrooks DavisDeveloper's Manual published by Intel Corp. 884bc66c0fSBrooks Davis.Pp 894bc66c0fSBrooks DavisThe key indexes written into the page table entries are managed by the 904bc66c0fSBrooks Davis.Fn sysarch 914bc66c0fSBrooks Davissyscall. 924bc66c0fSBrooks DavisPer-key permissions are managed using the user-mode instructions 934bc66c0fSBrooks Davis.Em RDPKRU 944bc66c0fSBrooks Davisand 954bc66c0fSBrooks Davis.Em WRPKRU . 964bc66c0fSBrooks DavisThe system provides convenient library helpers for both the syscall and 974bc66c0fSBrooks Davisthe instructions, described below. 984bc66c0fSBrooks Davis.Pp 994bc66c0fSBrooks DavisThe 1004bc66c0fSBrooks Davis.Fn x86_pkru_protect_range 1014bc66c0fSBrooks Davisfunction assigns key 1024bc66c0fSBrooks Davis.Fa keyidx 1034bc66c0fSBrooks Davisto the range starting at 1044bc66c0fSBrooks Davis.Fa addr 1054bc66c0fSBrooks Davisand having length 1064bc66c0fSBrooks Davis.Fa len . 1074bc66c0fSBrooks DavisStarting address is truncated to the page start, 1084bc66c0fSBrooks Davisand the end is rounded up to the end of the page. 1094bc66c0fSBrooks DavisAfter a successful call, the range has the specified key assigned, 1104bc66c0fSBrooks Daviseven if the key is zero and it did not change the page table entries. 1114bc66c0fSBrooks Davis.Pp 1124bc66c0fSBrooks DavisThe 1134bc66c0fSBrooks Davis.Fa flags 1144bc66c0fSBrooks Davisargument takes the logical OR of the following values: 1154bc66c0fSBrooks Davis.Bl -tag -width 1164bc66c0fSBrooks Davis.It Bq Va AMD64_PKRU_EXCL 1174bc66c0fSBrooks DavisOnly assign the key if the range does not have any other keys assigned 1184bc66c0fSBrooks Davis(including the zero key). 1194bc66c0fSBrooks DavisYou must first remove any existing key with 1204bc66c0fSBrooks Davis.Fn x86_pkru_unprotect_range 1214bc66c0fSBrooks Davisin order for this request to succeed. 1224bc66c0fSBrooks DavisIf the 1234bc66c0fSBrooks Davis.Va AMD64_PKRU_EXCL 1244bc66c0fSBrooks Davisflag is not specified, 1254bc66c0fSBrooks Davis.Fn x86_pkru_protect_range 1264bc66c0fSBrooks Davisreplaces any existing key. 1274bc66c0fSBrooks Davis.It Bq Va AMD64_PKRU_PERSIST 1284bc66c0fSBrooks DavisThe keys assigned to the range are persistent. 1294bc66c0fSBrooks DavisThey are re-established when the current mapping is destroyed 1304bc66c0fSBrooks Davisand a new mapping is created in any sub-range of the specified range. 1314bc66c0fSBrooks DavisYou must use a 1324bc66c0fSBrooks Davis.Fn x86_pkru_unprotect_range 1334bc66c0fSBrooks Daviscall to forget the key. 1344bc66c0fSBrooks Davis.El 1354bc66c0fSBrooks Davis.Pp 1364bc66c0fSBrooks DavisThe 1374bc66c0fSBrooks Davis.Fn x86_pkru_unprotect_range 1384bc66c0fSBrooks Davisfunction removes any keys assigned to the specified range. 1394bc66c0fSBrooks DavisExisting mappings are changed to use key index zero in page table entries. 1404bc66c0fSBrooks DavisKeys are no longer considered installed for all mappings in the range, 1414bc66c0fSBrooks Davisfor the purposes of 1424bc66c0fSBrooks Davis.Fn x86_pkru_protect_range 1434bc66c0fSBrooks Daviswith the 1444bc66c0fSBrooks Davis.Va AMD64_PKRU_EXCL 1454bc66c0fSBrooks Davisflag. 1464bc66c0fSBrooks Davis.Pp 1474bc66c0fSBrooks DavisThe 1484bc66c0fSBrooks Davis.Fn x86_pkru_get_perm 1494bc66c0fSBrooks Davisfunction returns access rights for the key specified by the 1504bc66c0fSBrooks Davis.Fa keyidx 1514bc66c0fSBrooks Davisargument. 1524bc66c0fSBrooks DavisIf the value pointed to by 1534bc66c0fSBrooks Davis.Fa access 1544bc66c0fSBrooks Davisis zero after the call, no read or write permissions is granted for 1554bc66c0fSBrooks Davismappings which are assigned the key 1564bc66c0fSBrooks Davis.Fa keyidx . 1574bc66c0fSBrooks DavisIf 1584bc66c0fSBrooks Davis.Fa access 1594bc66c0fSBrooks Davisis not zero, read access is permitted. 1604bc66c0fSBrooks DavisThe non-zero value of the variable pointed to by the 1614bc66c0fSBrooks Davis.Fa modify 1624bc66c0fSBrooks Davisargument indicates that write access is permitted. 1634bc66c0fSBrooks Davis.Pp 1644bc66c0fSBrooks DavisConversely, the 1654bc66c0fSBrooks Davis.Fn x86_pkru_set_perm 1664bc66c0fSBrooks Davisestablishes the access and modify permissions for the given key index 1674bc66c0fSBrooks Davisas specified by its arguments. 1684bc66c0fSBrooks Davis.Sh RETURN VALUES 1694bc66c0fSBrooks Davis.Rv -std 1704bc66c0fSBrooks Davis.Sh ERRORS 1714bc66c0fSBrooks Davis.Bl -tag -width Er 1724bc66c0fSBrooks Davis.It Bq Er EOPNOTSUPP 1734bc66c0fSBrooks DavisThe hardware does not support protection keys. 1744bc66c0fSBrooks Davis.It Bq Er EINVAL 1754bc66c0fSBrooks DavisThe supplied key index is invalid (greater than 15). 1764bc66c0fSBrooks Davis.It Bq Er EINVAL 1774bc66c0fSBrooks DavisThe supplied 1784bc66c0fSBrooks Davis.Fa flags 1794bc66c0fSBrooks Davisargument for 1804bc66c0fSBrooks Davis.Fn x86_pkru_protect_range 1814bc66c0fSBrooks Davishas reserved bits set. 1824bc66c0fSBrooks Davis.It Bq Er EFAULT 1834bc66c0fSBrooks DavisThe supplied address range does not completely fit into the user-managed 1844bc66c0fSBrooks Davisaddress range. 1854bc66c0fSBrooks Davis.It Bq Er ENOMEM 1864bc66c0fSBrooks DavisThe memory shortage prevents the completion of the operation. 1874bc66c0fSBrooks Davis.It Bq Er EBUSY 1884bc66c0fSBrooks DavisThe 1894bc66c0fSBrooks Davis.Va AMD64_PKRU_EXCL 1904bc66c0fSBrooks Davisflag was specified for 1914bc66c0fSBrooks Davis.Fn x86_pkru_protect_range 1924bc66c0fSBrooks Davisand the range already has defined protection keys. 1934bc66c0fSBrooks Davis.El 1944bc66c0fSBrooks Davis.Sh SEE ALSO 1954bc66c0fSBrooks Davis.Xr mmap 2 , 1964bc66c0fSBrooks Davis.Xr mprotect 2 , 1974bc66c0fSBrooks Davis.Xr munmap 2 , 1986e1fc011SGraham Percival.Xr sysarch 2 1994bc66c0fSBrooks Davis.Sh STANDARDS 2004bc66c0fSBrooks DavisThe 2014bc66c0fSBrooks Davis.Nm 2024bc66c0fSBrooks Davisfunctions are non-standard and first appeared in 2034bc66c0fSBrooks Davis.Fx 13.0 . 204