1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Intel Memory Protection Keys management 4 * Copyright (c) 2015, Intel Corporation. 5 */ 6 #include <linux/debugfs.h> /* debugfs_create_u32() */ 7 #include <linux/mm_types.h> /* mm_struct, vma, etc... */ 8 #include <linux/pkeys.h> /* PKEY_* */ 9 #include <uapi/asm-generic/mman-common.h> 10 11 #include <asm/cpufeature.h> /* boot_cpu_has, ... */ 12 #include <asm/mmu_context.h> /* vma_pkey() */ 13 14 int __execute_only_pkey(struct mm_struct *mm) 15 { 16 bool need_to_set_mm_pkey = false; 17 int execute_only_pkey = mm->context.execute_only_pkey; 18 int ret; 19 20 /* Do we need to assign a pkey for mm's execute-only maps? */ 21 if (execute_only_pkey == -1) { 22 /* Go allocate one to use, which might fail */ 23 execute_only_pkey = mm_pkey_alloc(mm); 24 if (execute_only_pkey < 0) 25 return -1; 26 need_to_set_mm_pkey = true; 27 } 28 29 /* 30 * We do not want to go through the relatively costly 31 * dance to set PKRU if we do not need to. Check it 32 * first and assume that if the execute-only pkey is 33 * write-disabled that we do not have to set it 34 * ourselves. 35 */ 36 if (!need_to_set_mm_pkey && 37 !__pkru_allows_read(read_pkru(), execute_only_pkey)) { 38 return execute_only_pkey; 39 } 40 41 /* 42 * Set up PKRU so that it denies access for everything 43 * other than execution. 44 */ 45 ret = arch_set_user_pkey_access(execute_only_pkey, PKEY_DISABLE_ACCESS); 46 /* 47 * If the PKRU-set operation failed somehow, just return 48 * 0 and effectively disable execute-only support. 49 */ 50 if (ret) { 51 mm_set_pkey_free(mm, execute_only_pkey); 52 return -1; 53 } 54 55 /* We got one, store it and use it from here on out */ 56 if (need_to_set_mm_pkey) 57 mm->context.execute_only_pkey = execute_only_pkey; 58 return execute_only_pkey; 59 } 60 61 static inline bool vma_is_pkey_exec_only(struct vm_area_struct *vma) 62 { 63 /* Do this check first since the vm_flags should be hot */ 64 if ((vma->vm_flags & VM_ACCESS_FLAGS) != VM_EXEC) 65 return false; 66 if (vma_pkey(vma) != vma->vm_mm->context.execute_only_pkey) 67 return false; 68 69 return true; 70 } 71 72 /* 73 * This is only called for *plain* mprotect calls. 74 */ 75 int __arch_override_mprotect_pkey(struct vm_area_struct *vma, int prot, int pkey) 76 { 77 /* 78 * Is this an mprotect_pkey() call? If so, never 79 * override the value that came from the user. 80 */ 81 if (pkey != -1) 82 return pkey; 83 84 /* 85 * The mapping is execute-only. Go try to get the 86 * execute-only protection key. If we fail to do that, 87 * fall through as if we do not have execute-only 88 * support in this mm. 89 */ 90 if (prot == PROT_EXEC) { 91 pkey = execute_only_pkey(vma->vm_mm); 92 if (pkey > 0) 93 return pkey; 94 } else if (vma_is_pkey_exec_only(vma)) { 95 /* 96 * Protections are *not* PROT_EXEC, but the mapping 97 * is using the exec-only pkey. This mapping was 98 * PROT_EXEC and will no longer be. Move back to 99 * the default pkey. 100 */ 101 return ARCH_DEFAULT_PKEY; 102 } 103 104 /* 105 * This is a vanilla, non-pkey mprotect (or we failed to 106 * setup execute-only), inherit the pkey from the VMA we 107 * are working on. 108 */ 109 return vma_pkey(vma); 110 } 111 112 #define PKRU_AD_MASK(pkey) (PKRU_AD_BIT << ((pkey) * PKRU_BITS_PER_PKEY)) 113 114 /* 115 * Make the default PKRU value (at execve() time) as restrictive 116 * as possible. This ensures that any threads clone()'d early 117 * in the process's lifetime will not accidentally get access 118 * to data which is pkey-protected later on. 119 */ 120 u32 init_pkru_value = PKRU_AD_MASK( 1) | PKRU_AD_MASK( 2) | 121 PKRU_AD_MASK( 3) | PKRU_AD_MASK( 4) | 122 PKRU_AD_MASK( 5) | PKRU_AD_MASK( 6) | 123 PKRU_AD_MASK( 7) | PKRU_AD_MASK( 8) | 124 PKRU_AD_MASK( 9) | PKRU_AD_MASK(10) | 125 PKRU_AD_MASK(11) | PKRU_AD_MASK(12) | 126 PKRU_AD_MASK(13) | PKRU_AD_MASK(14) | 127 PKRU_AD_MASK(15); 128 129 static ssize_t init_pkru_read_file(struct file *file, char __user *user_buf, 130 size_t count, loff_t *ppos) 131 { 132 char buf[32]; 133 unsigned int len; 134 135 len = sprintf(buf, "0x%x\n", init_pkru_value); 136 return simple_read_from_buffer(user_buf, count, ppos, buf, len); 137 } 138 139 static ssize_t init_pkru_write_file(struct file *file, 140 const char __user *user_buf, size_t count, loff_t *ppos) 141 { 142 char buf[32]; 143 ssize_t len; 144 u32 new_init_pkru; 145 146 len = min(count, sizeof(buf) - 1); 147 if (copy_from_user(buf, user_buf, len)) 148 return -EFAULT; 149 150 /* Make the buffer a valid string that we can not overrun */ 151 buf[len] = '\0'; 152 if (kstrtouint(buf, 0, &new_init_pkru)) 153 return -EINVAL; 154 155 /* 156 * Don't allow insane settings that will blow the system 157 * up immediately if someone attempts to disable access 158 * or writes to pkey 0. 159 */ 160 if (new_init_pkru & (PKRU_AD_BIT|PKRU_WD_BIT)) 161 return -EINVAL; 162 163 WRITE_ONCE(init_pkru_value, new_init_pkru); 164 return count; 165 } 166 167 static const struct file_operations fops_init_pkru = { 168 .read = init_pkru_read_file, 169 .write = init_pkru_write_file, 170 .llseek = default_llseek, 171 }; 172 173 static int __init create_init_pkru_value(void) 174 { 175 /* Do not expose the file if pkeys are not supported. */ 176 if (!cpu_feature_enabled(X86_FEATURE_OSPKE)) 177 return 0; 178 179 debugfs_create_file("init_pkru", S_IRUSR | S_IWUSR, 180 arch_debugfs_dir, NULL, &fops_init_pkru); 181 return 0; 182 } 183 late_initcall(create_init_pkru_value); 184 185 static __init int setup_init_pkru(char *opt) 186 { 187 u32 new_init_pkru; 188 189 if (kstrtouint(opt, 0, &new_init_pkru)) 190 return 1; 191 192 WRITE_ONCE(init_pkru_value, new_init_pkru); 193 194 return 1; 195 } 196 __setup("init_pkru=", setup_init_pkru); 197