| Message ID | 20240829010151.2813377-1-samuel.holland@sifive.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | riscv: Userspace pointer masking and tagged address ABI | expand |
On Thu, Aug 29, 2024 at 6:31 AM Samuel Holland <samuel.holland@sifive.com> wrote: > > RISC-V defines three extensions for pointer masking[1]: > - Smmpm: configured in M-mode, affects M-mode > - Smnpm: configured in M-mode, affects the next lower mode (S or U-mode) > - Ssnpm: configured in S-mode, affects the next lower mode (VS, VU, or U-mode) > > This series adds support for configuring Smnpm or Ssnpm (depending on > which privilege mode the kernel is running in) to allow pointer masking > in userspace (VU or U-mode), extending the PR_SET_TAGGED_ADDR_CTRL API > from arm64. Unlike arm64 TBI, userspace pointer masking is not enabled > by default on RISC-V. Additionally, the tag width (referred to as PMLEN) > is variable, so userspace needs to ask the kernel for a specific tag > width, which is interpreted as a lower bound on the number of tag bits. > > This series also adds support for a tagged address ABI similar to arm64 > and x86. Since accesses from the kernel to user memory use the kernel's > pointer masking configuration, not the user's, the kernel must untag > user pointers in software before dereferencing them. And since the tag > width is variable, as with LAM on x86, it must be kept the same across > all threads in a process so untagged_addr_remote() can work. > > This series depends on my per-thread envcfg series[3]. > > This series can be tested in QEMU by applying a patch set[2]. > > KASAN support will be added in a separate patch series. > > [1]: https://github.com/riscv/riscv-j-extension/releases/download/pointer-masking-v1.0.0-rc2/pointer-masking-v1.0.0-rc2.pdf > [2]: https://lore.kernel.org/qemu-devel/20240511101053.1875596-1-me@deliversmonkey.space/ > [3]: https://lore.kernel.org/linux-riscv/20240814081126.956287-1-samuel.holland@sifive.com/ > > Changes in v4: > - Switch IS_ENABLED back to #ifdef to fix riscv32 build > - Combine __untagged_addr() and __untagged_addr_remote() > > Changes in v3: > - Note in the commit message that the ISA extension spec is frozen > - Rebase on riscv/for-next (ISA extension list conflicts) > - Remove RISCV_ISA_EXT_SxPM, which was not used anywhere > - Use shifts instead of large numbers in ENVCFG_PMM* macro definitions > - Rename CONFIG_RISCV_ISA_POINTER_MASKING to CONFIG_RISCV_ISA_SUPM, > since it only controls the userspace part of pointer masking > - Use IS_ENABLED instead of #ifdef when possible > - Use an enum for the supported PMLEN values > - Simplify the logic in set_tagged_addr_ctrl() > - Use IS_ENABLED instead of #ifdef when possible > - Implement mm_untag_mask() > - Remove pmlen from struct thread_info (now only in mm_context_t) > > Changes in v2: > - Drop patch 4 ("riscv: Define is_compat_thread()"), as an equivalent > patch was already applied > - Move patch 5 ("riscv: Split per-CPU and per-thread envcfg bits") to a > different series[3] > - Update pointer masking specification version reference > - Provide macros for the extension affecting the kernel and userspace > - Use the correct name for the hstatus.HUPMM field > - Rebase on riscv/linux.git for-next > - Add and use the envcfg_update_bits() helper function > - Inline flush_tagged_addr_state() > - Implement untagged_addr_remote() > - Restrict PMLEN changes once a process is multithreaded > - Rename "tags" directory to "pm" to avoid .gitignore rules > - Add .gitignore file to ignore the compiled selftest binary > - Write to a pipe to force dereferencing the user pointer > - Handle SIGSEGV in the child process to reduce dmesg noise > - Export Supm via hwprobe > - Export Smnpm and Ssnpm to KVM guests > > Samuel Holland (10): > dt-bindings: riscv: Add pointer masking ISA extensions > riscv: Add ISA extension parsing for pointer masking > riscv: Add CSR definitions for pointer masking > riscv: Add support for userspace pointer masking > riscv: Add support for the tagged address ABI > riscv: Allow ptrace control of the tagged address ABI > selftests: riscv: Add a pointer masking test > riscv: hwprobe: Export the Supm ISA extension > RISC-V: KVM: Allow Smnpm and Ssnpm extensions for guests > KVM: riscv: selftests: Add Smnpm and Ssnpm to get-reg-list test Please CC kvm-riscv mailing list for KVM changes otherwise the KVM RISC-V patchwork can't track patches. > > Documentation/arch/riscv/hwprobe.rst | 3 + > .../devicetree/bindings/riscv/extensions.yaml | 18 + > arch/riscv/Kconfig | 11 + > arch/riscv/include/asm/csr.h | 16 + > arch/riscv/include/asm/hwcap.h | 5 + > arch/riscv/include/asm/mmu.h | 7 + > arch/riscv/include/asm/mmu_context.h | 13 + > arch/riscv/include/asm/processor.h | 8 + > arch/riscv/include/asm/switch_to.h | 11 + > arch/riscv/include/asm/uaccess.h | 43 ++- > arch/riscv/include/uapi/asm/hwprobe.h | 1 + > arch/riscv/include/uapi/asm/kvm.h | 2 + > arch/riscv/kernel/cpufeature.c | 3 + > arch/riscv/kernel/process.c | 154 ++++++++ > arch/riscv/kernel/ptrace.c | 42 +++ > arch/riscv/kernel/sys_hwprobe.c | 3 + > arch/riscv/kvm/vcpu_onereg.c | 3 + > include/uapi/linux/elf.h | 1 + > include/uapi/linux/prctl.h | 3 + > .../selftests/kvm/riscv/get-reg-list.c | 8 + > tools/testing/selftests/riscv/Makefile | 2 +- > tools/testing/selftests/riscv/pm/.gitignore | 1 + > tools/testing/selftests/riscv/pm/Makefile | 10 + > .../selftests/riscv/pm/pointer_masking.c | 330 ++++++++++++++++++ > 24 files changed, 692 insertions(+), 6 deletions(-) > create mode 100644 tools/testing/selftests/riscv/pm/.gitignore > create mode 100644 tools/testing/selftests/riscv/pm/Makefile > create mode 100644 tools/testing/selftests/riscv/pm/pointer_masking.c > > -- > 2.45.1 > Regards, Anup
On Wed, Aug 28, 2024 at 06:01:22PM -0700, Samuel Holland wrote: > RISC-V defines three extensions for pointer masking[1]: > - Smmpm: configured in M-mode, affects M-mode > - Smnpm: configured in M-mode, affects the next lower mode (S or U-mode) > - Ssnpm: configured in S-mode, affects the next lower mode (VS, VU, or U-mode) > > This series adds support for configuring Smnpm or Ssnpm (depending on > which privilege mode the kernel is running in) to allow pointer masking > in userspace (VU or U-mode), extending the PR_SET_TAGGED_ADDR_CTRL API > from arm64. Unlike arm64 TBI, userspace pointer masking is not enabled > by default on RISC-V. Additionally, the tag width (referred to as PMLEN) > is variable, so userspace needs to ask the kernel for a specific tag > width, which is interpreted as a lower bound on the number of tag bits. > > This series also adds support for a tagged address ABI similar to arm64 > and x86. Since accesses from the kernel to user memory use the kernel's > pointer masking configuration, not the user's, the kernel must untag > user pointers in software before dereferencing them. And since the tag > width is variable, as with LAM on x86, it must be kept the same across > all threads in a process so untagged_addr_remote() can work. > > This series depends on my per-thread envcfg series[3]. > > This series can be tested in QEMU by applying a patch set[2]. > > KASAN support will be added in a separate patch series. > > [1]: https://github.com/riscv/riscv-j-extension/releases/download/pointer-masking-v1.0.0-rc2/pointer-masking-v1.0.0-rc2.pdf > [2]: https://lore.kernel.org/qemu-devel/20240511101053.1875596-1-me@deliversmonkey.space/ > [3]: https://lore.kernel.org/linux-riscv/20240814081126.956287-1-samuel.holland@sifive.com/ > > Changes in v4: > - Switch IS_ENABLED back to #ifdef to fix riscv32 build > - Combine __untagged_addr() and __untagged_addr_remote() > > Changes in v3: > - Note in the commit message that the ISA extension spec is frozen > - Rebase on riscv/for-next (ISA extension list conflicts) > - Remove RISCV_ISA_EXT_SxPM, which was not used anywhere > - Use shifts instead of large numbers in ENVCFG_PMM* macro definitions > - Rename CONFIG_RISCV_ISA_POINTER_MASKING to CONFIG_RISCV_ISA_SUPM, > since it only controls the userspace part of pointer masking > - Use IS_ENABLED instead of #ifdef when possible > - Use an enum for the supported PMLEN values > - Simplify the logic in set_tagged_addr_ctrl() > - Use IS_ENABLED instead of #ifdef when possible > - Implement mm_untag_mask() > - Remove pmlen from struct thread_info (now only in mm_context_t) > > Changes in v2: > - Drop patch 4 ("riscv: Define is_compat_thread()"), as an equivalent > patch was already applied > - Move patch 5 ("riscv: Split per-CPU and per-thread envcfg bits") to a > different series[3] > - Update pointer masking specification version reference > - Provide macros for the extension affecting the kernel and userspace > - Use the correct name for the hstatus.HUPMM field > - Rebase on riscv/linux.git for-next > - Add and use the envcfg_update_bits() helper function > - Inline flush_tagged_addr_state() > - Implement untagged_addr_remote() > - Restrict PMLEN changes once a process is multithreaded > - Rename "tags" directory to "pm" to avoid .gitignore rules > - Add .gitignore file to ignore the compiled selftest binary > - Write to a pipe to force dereferencing the user pointer > - Handle SIGSEGV in the child process to reduce dmesg noise > - Export Supm via hwprobe > - Export Smnpm and Ssnpm to KVM guests > > Samuel Holland (10): > dt-bindings: riscv: Add pointer masking ISA extensions > riscv: Add ISA extension parsing for pointer masking > riscv: Add CSR definitions for pointer masking > riscv: Add support for userspace pointer masking > riscv: Add support for the tagged address ABI > riscv: Allow ptrace control of the tagged address ABI > selftests: riscv: Add a pointer masking test > riscv: hwprobe: Export the Supm ISA extension > RISC-V: KVM: Allow Smnpm and Ssnpm extensions for guests > KVM: riscv: selftests: Add Smnpm and Ssnpm to get-reg-list test > > Documentation/arch/riscv/hwprobe.rst | 3 + Would you be open to writing documentation similar to what is available for arm? https://www.kernel.org/doc/html/next/arm64/tagged-address-abi.html - Charlie > .../devicetree/bindings/riscv/extensions.yaml | 18 + > arch/riscv/Kconfig | 11 + > arch/riscv/include/asm/csr.h | 16 + > arch/riscv/include/asm/hwcap.h | 5 + > arch/riscv/include/asm/mmu.h | 7 + > arch/riscv/include/asm/mmu_context.h | 13 + > arch/riscv/include/asm/processor.h | 8 + > arch/riscv/include/asm/switch_to.h | 11 + > arch/riscv/include/asm/uaccess.h | 43 ++- > arch/riscv/include/uapi/asm/hwprobe.h | 1 + > arch/riscv/include/uapi/asm/kvm.h | 2 + > arch/riscv/kernel/cpufeature.c | 3 + > arch/riscv/kernel/process.c | 154 ++++++++ > arch/riscv/kernel/ptrace.c | 42 +++ > arch/riscv/kernel/sys_hwprobe.c | 3 + > arch/riscv/kvm/vcpu_onereg.c | 3 + > include/uapi/linux/elf.h | 1 + > include/uapi/linux/prctl.h | 3 + > .../selftests/kvm/riscv/get-reg-list.c | 8 + > tools/testing/selftests/riscv/Makefile | 2 +- > tools/testing/selftests/riscv/pm/.gitignore | 1 + > tools/testing/selftests/riscv/pm/Makefile | 10 + > .../selftests/riscv/pm/pointer_masking.c | 330 ++++++++++++++++++ > 24 files changed, 692 insertions(+), 6 deletions(-) > create mode 100644 tools/testing/selftests/riscv/pm/.gitignore > create mode 100644 tools/testing/selftests/riscv/pm/Makefile > create mode 100644 tools/testing/selftests/riscv/pm/pointer_masking.c > > -- > 2.45.1 > > > _______________________________________________ > linux-riscv mailing list > linux-riscv@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-riscv
RISC-V defines three extensions for pointer masking[1]: - Smmpm: configured in M-mode, affects M-mode - Smnpm: configured in M-mode, affects the next lower mode (S or U-mode) - Ssnpm: configured in S-mode, affects the next lower mode (VS, VU, or U-mode) This series adds support for configuring Smnpm or Ssnpm (depending on which privilege mode the kernel is running in) to allow pointer masking in userspace (VU or U-mode), extending the PR_SET_TAGGED_ADDR_CTRL API from arm64. Unlike arm64 TBI, userspace pointer masking is not enabled by default on RISC-V. Additionally, the tag width (referred to as PMLEN) is variable, so userspace needs to ask the kernel for a specific tag width, which is interpreted as a lower bound on the number of tag bits. This series also adds support for a tagged address ABI similar to arm64 and x86. Since accesses from the kernel to user memory use the kernel's pointer masking configuration, not the user's, the kernel must untag user pointers in software before dereferencing them. And since the tag width is variable, as with LAM on x86, it must be kept the same across all threads in a process so untagged_addr_remote() can work. This series depends on my per-thread envcfg series[3]. This series can be tested in QEMU by applying a patch set[2]. KASAN support will be added in a separate patch series. [1]: https://github.com/riscv/riscv-j-extension/releases/download/pointer-masking-v1.0.0-rc2/pointer-masking-v1.0.0-rc2.pdf [2]: https://lore.kernel.org/qemu-devel/20240511101053.1875596-1-me@deliversmonkey.space/ [3]: https://lore.kernel.org/linux-riscv/20240814081126.956287-1-samuel.holland@sifive.com/ Changes in v4: - Switch IS_ENABLED back to #ifdef to fix riscv32 build - Combine __untagged_addr() and __untagged_addr_remote() Changes in v3: - Note in the commit message that the ISA extension spec is frozen - Rebase on riscv/for-next (ISA extension list conflicts) - Remove RISCV_ISA_EXT_SxPM, which was not used anywhere - Use shifts instead of large numbers in ENVCFG_PMM* macro definitions - Rename CONFIG_RISCV_ISA_POINTER_MASKING to CONFIG_RISCV_ISA_SUPM, since it only controls the userspace part of pointer masking - Use IS_ENABLED instead of #ifdef when possible - Use an enum for the supported PMLEN values - Simplify the logic in set_tagged_addr_ctrl() - Use IS_ENABLED instead of #ifdef when possible - Implement mm_untag_mask() - Remove pmlen from struct thread_info (now only in mm_context_t) Changes in v2: - Drop patch 4 ("riscv: Define is_compat_thread()"), as an equivalent patch was already applied - Move patch 5 ("riscv: Split per-CPU and per-thread envcfg bits") to a different series[3] - Update pointer masking specification version reference - Provide macros for the extension affecting the kernel and userspace - Use the correct name for the hstatus.HUPMM field - Rebase on riscv/linux.git for-next - Add and use the envcfg_update_bits() helper function - Inline flush_tagged_addr_state() - Implement untagged_addr_remote() - Restrict PMLEN changes once a process is multithreaded - Rename "tags" directory to "pm" to avoid .gitignore rules - Add .gitignore file to ignore the compiled selftest binary - Write to a pipe to force dereferencing the user pointer - Handle SIGSEGV in the child process to reduce dmesg noise - Export Supm via hwprobe - Export Smnpm and Ssnpm to KVM guests Samuel Holland (10): dt-bindings: riscv: Add pointer masking ISA extensions riscv: Add ISA extension parsing for pointer masking riscv: Add CSR definitions for pointer masking riscv: Add support for userspace pointer masking riscv: Add support for the tagged address ABI riscv: Allow ptrace control of the tagged address ABI selftests: riscv: Add a pointer masking test riscv: hwprobe: Export the Supm ISA extension RISC-V: KVM: Allow Smnpm and Ssnpm extensions for guests KVM: riscv: selftests: Add Smnpm and Ssnpm to get-reg-list test Documentation/arch/riscv/hwprobe.rst | 3 + .../devicetree/bindings/riscv/extensions.yaml | 18 + arch/riscv/Kconfig | 11 + arch/riscv/include/asm/csr.h | 16 + arch/riscv/include/asm/hwcap.h | 5 + arch/riscv/include/asm/mmu.h | 7 + arch/riscv/include/asm/mmu_context.h | 13 + arch/riscv/include/asm/processor.h | 8 + arch/riscv/include/asm/switch_to.h | 11 + arch/riscv/include/asm/uaccess.h | 43 ++- arch/riscv/include/uapi/asm/hwprobe.h | 1 + arch/riscv/include/uapi/asm/kvm.h | 2 + arch/riscv/kernel/cpufeature.c | 3 + arch/riscv/kernel/process.c | 154 ++++++++ arch/riscv/kernel/ptrace.c | 42 +++ arch/riscv/kernel/sys_hwprobe.c | 3 + arch/riscv/kvm/vcpu_onereg.c | 3 + include/uapi/linux/elf.h | 1 + include/uapi/linux/prctl.h | 3 + .../selftests/kvm/riscv/get-reg-list.c | 8 + tools/testing/selftests/riscv/Makefile | 2 +- tools/testing/selftests/riscv/pm/.gitignore | 1 + tools/testing/selftests/riscv/pm/Makefile | 10 + .../selftests/riscv/pm/pointer_masking.c | 330 ++++++++++++++++++ 24 files changed, 692 insertions(+), 6 deletions(-) create mode 100644 tools/testing/selftests/riscv/pm/.gitignore create mode 100644 tools/testing/selftests/riscv/pm/Makefile create mode 100644 tools/testing/selftests/riscv/pm/pointer_masking.c