Re: [PATCH v7 9/9] sparc64: Add support for ADI (Application Data Integrity)

From: Khalid Aziz
Date: Wed Aug 30 2017 - 19:25:29 EST

Next message: Nadav Amit: "Re: [PATCH 02/13] mm/rmap: update to new mmu_notifier semantic"
Previous message: Joe Stringer: "Re: [PATCH] compiler: Don't perform compiletime_assert with -O0."
In reply to: David Miller: "Re: [PATCH v7 9/9] sparc64: Add support for ADI (Application Data Integrity)"
Next in thread: David Miller: "Re: [PATCH v7 9/9] sparc64: Add support for ADI (Application Data Integrity)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 08/30/2017 04:38 PM, David Miller wrote:

From: Khalid Aziz <khalid.aziz@xxxxxxxxxx>
Date: Wed, 30 Aug 2017 16:27:54 -0600

+#define arch_calc_vm_prot_bits(prot, pkey)
sparc_calc_vm_prot_bits(prot)
+static inline unsigned long sparc_calc_vm_prot_bits(unsigned long
prot)
+{
+ if (prot & PROT_ADI) {
+ struct pt_regs *regs;
+
+ if (!current->mm->context.adi) {
+ regs = task_pt_regs(current);
+ regs->tstate |= TSTATE_MCDE;
+ current->mm->context.adi = true;

If a process is multi-threaded when it enables ADI on some memory for
the first time, TSTATE_MCDE will only be set for the calling thread
and it will not be possible to enable it for the other threads.
One possible way to handle this is to enable TSTATE_MCDE for all user
threads when they are initialized if adi_capable() returns true.

Or set TSTATE_MCDE unconditionally here by removing "if
(!current->mm->context.adi)"?

I think you have to make "ADI enabled" a property of the mm_struct.

Then you can broadcast to mm->cpu_vm_mask a per-cpu interrupt that
updates regs->tstate of a thread using 'mm' is currently executing.

And in the context switch code you set TSTATE_MCDE if it's not set
already.

That should cover all threaded case.

That is an interesting idea. This would enable TSTATE_MCDE on all threads of a process as soon as one thread enables it. If we consider the case where the parent creates a shared memory area and spawns a bunch of threads. These threads access the shared memory without ADI enabled. Now one of the threads decides to enable ADI on the shared memory. As soon as it does that, we enable TSTATE_MCDE across all threads and since threads are all using the same TTE for the shared memory, every thread becomes subject to ADI verification. If one of the other threads was in the middle of accessing the shared memory, it will get a sigsegv. If we did not enable TSTATE_MCDE across all threads, it could have continued execution without fault. In other words, updating TSTATE_MCDE across all threads will eliminate the option of running some threads with ADI enabled and some not while accessing the same shared memory. This could be necessary at least for short periods of time before threads can communicate with each other and all switch to accessing shared memory with ADI enabled using same tag. Does that sound like a valid use case or am I off in the weeds here?

Thanks,
Khalid

Next message: Nadav Amit: "Re: [PATCH 02/13] mm/rmap: update to new mmu_notifier semantic"
Previous message: Joe Stringer: "Re: [PATCH] compiler: Don't perform compiletime_assert with -O0."
In reply to: David Miller: "Re: [PATCH v7 9/9] sparc64: Add support for ADI (Application Data Integrity)"
Next in thread: David Miller: "Re: [PATCH v7 9/9] sparc64: Add support for ADI (Application Data Integrity)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]