Re: [RFC PATCH] x86/pkeys: update PKRU to enable pkey 0 before XSAVE

From: Dave Hansen
Date: Thu Mar 14 2024 - 13:54:26 EST


On 3/14/24 10:29, Aruna Ramakrishna wrote:
> This patch is a workaround for a bug where the PKRU value is not
> restored to the init value before the signal handler is invoked.

I don't think we should touch this with a ten-foot pole without a test
for it in tools/testing/selftests/mm/protection_keys.c.

I'm not sure this is worth the trouble. Protection keys is not a
security feature. This isn't a regression. It's been the behavior
since day one. This really is a feature request for a behavioral
improvement, not a bug fix.

The need for this new feature is highly dependent on the threat model
that it supports. I'm highly dubious that there's a true need to
protect against an attacker with arbitrary write access in the same
address space. We need to have a lot more information there.

I haven't even more than glanced at the code. It looks pretty
unspeakably ugly even at a glance.