| Message ID | 20190508144422.13171-48-kirill.shutemov@linux.intel.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Intel MKTME enabling | expand |
On Wed, May 08, 2019 at 05:44:07PM +0300, Kirill A. Shutemov wrote: > From: Alison Schofield <alison.schofield@intel.com> > > Memory encryption is only supported for mappings that are ANONYMOUS. > Test the VMA's in an encrypt_mprotect() request to make sure they all > meet that requirement before encrypting any. > > The encrypt_mprotect syscall will return -EINVAL and will not encrypt > any VMA's if this check fails. > > Signed-off-by: Alison Schofield <alison.schofield@intel.com> > Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> This should be folded back into the initial implemention, methinks.
On Fri, Jun 14, 2019 at 01:55:20PM +0200, Peter Zijlstra wrote: > On Wed, May 08, 2019 at 05:44:07PM +0300, Kirill A. Shutemov wrote: > > From: Alison Schofield <alison.schofield@intel.com> > > > > Memory encryption is only supported for mappings that are ANONYMOUS. > > Test the VMA's in an encrypt_mprotect() request to make sure they all > > meet that requirement before encrypting any. > > > > The encrypt_mprotect syscall will return -EINVAL and will not encrypt > > any VMA's if this check fails. > > > > Signed-off-by: Alison Schofield <alison.schofield@intel.com> > > Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> > > This should be folded back into the initial implemention, methinks. It is part of the initial implementation. I looked for places to split the implementation into smaller, reviewable patches, hence this split. None of it gets built until the CONFIG_X86_INTEL_MKTME is introduced in a later patch. The encrypt_mprotect() patchset is ordered like this: 1) generalize mprotect to support the mktme extension 2) wire up encrypt_mprotect() 3) implement encrypt_mprotect() 4) keep reference counts on encryption keys (was VMAs) 5) (this patch) restrict to anonymous VMAs. I thought Patch 5) was a small, but meaningful split. It accentuates the fact that MKTME is restricted to anonymous memory. Alas, I want to make it logical to review, so I'll move it.
diff --git a/mm/mprotect.c b/mm/mprotect.c index 38d766b5cc20..53bd41f99a67 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -346,6 +346,24 @@ static int prot_none_walk(struct vm_area_struct *vma, unsigned long start, return walk_page_range(start, end, &prot_none_walk); } +/* + * Encrypted mprotect is only supported on anonymous mappings. + * If this test fails on any single VMA, the entire mprotect + * request fails. + */ +static bool mem_supports_encryption(struct vm_area_struct *vma, unsigned long end) +{ + struct vm_area_struct *test_vma = vma; + + do { + if (!vma_is_anonymous(test_vma)) + return false; + + test_vma = test_vma->vm_next; + } while (test_vma && test_vma->vm_start < end); + return true; +} + int mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev, unsigned long start, unsigned long end, unsigned long newflags, @@ -532,6 +550,12 @@ static int do_mprotect_ext(unsigned long start, size_t len, goto out; } } + + if (keyid > 0 && !mem_supports_encryption(vma, end)) { + error = -EINVAL; + goto out; + } + if (start > vma->vm_start) prev = vma;