1.\" Copyright (c) 2019 The FreeBSD Foundation, Inc. 2.\" 3.\" This documentation was written by 4.\" Konstantin Belousov <kib@FreeBSD.org> under sponsorship 5.\" from the FreeBSD Foundation. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.Dd February 16, 2019 29.Dt PKRU 3 30.Os 31.Sh NAME 32.Nm Protection Key Rights for User pages 33.Nd provide fast user-managed key-based access control for pages 34.Sh LIBRARY 35.Lb libc 36.Sh SYNOPSIS 37.In machine/sysarch.h 38.Ft int 39.Fn x86_pkru_get_perm "unsigned int keyidx" "int *access" "int *modify" 40.Ft int 41.Fn x86_pkru_set_perm "unsigned int keyidx" "int access" "int modify" 42.Ft int 43.Fo x86_pkru_protect_range 44.Fa "void *addr" 45.Fa "unsigned long len" 46.Fa "unsigned int keyidx" 47.Fa "int flag" 48.Fc 49.Ft int 50.Fn x86_pkru_unprotect_range "void *addr" "unsigned long len" 51.Sh DESCRIPTION 52The protection keys feature provides an additional mechanism, besides the 53normal page permissions as established by 54.Xr mmap 2 55and 56.Xr mprotect 2 , 57to control access to user-mode addresses. 58The mechanism gives safety measures which can be used to avoid 59incidental read or modification of sensitive memory, 60or as a debugging feature. 61It cannot guard against conscious accesses since permissions 62are user-controllable. 63.Pp 64If supported by hardware, each mapped user linear address 65has an associated 4-bit protection key. 66A new per-thread PKRU hardware register determines, for each protection 67key, whether user-mode addresses with that protection key may be 68read or written. 69.Pp 70Only one key may apply to a given range at a time. 71The default protection key index is zero, it is used even if no key 72was explicitly assigned to the address, or if the key was removed. 73.Pp 74The protection prevents the system from accessing user addresses as well 75as the user applications. 76When a system call was unable to read or write user memory due to key 77protection, it returns the 78.Er EFAULT 79error code. 80Note that some side effects may have occurred if this error is reported. 81.Pp 82Protection keys require that the system uses 4-level paging 83(also called long mode), 84which means that it is only available on amd64 system. 85Both 64-bit and 32-bit applications can use protection keys. 86More information about the hardware feature is provided in the IA32 Software 87Developer's Manual published by Intel Corp. 88.Pp 89The key indexes written into the page table entries are managed by the 90.Fn sysarch 91syscall. 92Per-key permissions are managed using the user-mode instructions 93.Em RDPKRU 94and 95.Em WRPKRU . 96The system provides convenient library helpers for both the syscall and 97the instructions, described below. 98.Pp 99The 100.Fn x86_pkru_protect_range 101function assigns key 102.Fa keyidx 103to the range starting at 104.Fa addr 105and having length 106.Fa len . 107Starting address is truncated to the page start, 108and the end is rounded up to the end of the page. 109After a successful call, the range has the specified key assigned, 110even if the key is zero and it did not change the page table entries. 111.Pp 112The 113.Fa flags 114argument takes the logical OR of the following values: 115.Bl -tag -width 116.It Bq Va AMD64_PKRU_EXCL 117Only assign the key if the range does not have any other keys assigned 118(including the zero key). 119You must first remove any existing key with 120.Fn x86_pkru_unprotect_range 121in order for this request to succeed. 122If the 123.Va AMD64_PKRU_EXCL 124flag is not specified, 125.Fn x86_pkru_protect_range 126replaces any existing key. 127.It Bq Va AMD64_PKRU_PERSIST 128The keys assigned to the range are persistent. 129They are re-established when the current mapping is destroyed 130and a new mapping is created in any sub-range of the specified range. 131You must use a 132.Fn x86_pkru_unprotect_range 133call to forget the key. 134.El 135.Pp 136The 137.Fn x86_pkru_unprotect_range 138function removes any keys assigned to the specified range. 139Existing mappings are changed to use key index zero in page table entries. 140Keys are no longer considered installed for all mappings in the range, 141for the purposes of 142.Fn x86_pkru_protect_range 143with the 144.Va AMD64_PKRU_EXCL 145flag. 146.Pp 147The 148.Fn x86_pkru_get_perm 149function returns access rights for the key specified by the 150.Fa keyidx 151argument. 152If the value pointed to by 153.Fa access 154is zero after the call, no read or write permissions is granted for 155mappings which are assigned the key 156.Fa keyidx . 157If 158.Fa access 159is not zero, read access is permitted. 160The non-zero value of the variable pointed to by the 161.Fa modify 162argument indicates that write access is permitted. 163.Pp 164Conversely, the 165.Fn x86_pkru_set_perm 166establishes the access and modify permissions for the given key index 167as specified by its arguments. 168.Sh RETURN VALUES 169.Rv -std 170.Sh ERRORS 171.Bl -tag -width Er 172.It Bq Er EOPNOTSUPP 173The hardware does not support protection keys. 174.It Bq Er EINVAL 175The supplied key index is invalid (greater than 15). 176.It Bq Er EINVAL 177The supplied 178.Fa flags 179argument for 180.Fn x86_pkru_protect_range 181has reserved bits set. 182.It Bq Er EFAULT 183The supplied address range does not completely fit into the user-managed 184address range. 185.It Bq Er ENOMEM 186The memory shortage prevents the completion of the operation. 187.It Bq Er EBUSY 188The 189.Va AMD64_PKRU_EXCL 190flag was specified for 191.Fn x86_pkru_protect_range 192and the range already has defined protection keys. 193.El 194.Sh SEE ALSO 195.Xr mmap 2 , 196.Xr mprotect 2 , 197.Xr munmap 2 , 198.Xr sysarch 2 199.Sh STANDARDS 200The 201.Nm 202functions are non-standard and first appeared in 203.Fx 13.0 . 204