arch/x86/mm/pkeys.c

   1 /*
   2  * Intel Memory Protection Keys management
   3  * Copyright (c) 2015, Intel Corporation.
   4  *
   5  * This program is free software; you can redistribute it and/or modify it
   6  * under the terms and conditions of the GNU General Public License,
   7  * version 2, as published by the Free Software Foundation.
   8  *
   9  * This program is distributed in the hope it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
  12  * more details.
  13  */
  14 #include <linux/mm_types.h>             /* mm_struct, vma, etc...       */
  15 #include <linux/pkeys.h>                /* PKEY_*                       */
  16 #include <uapi/asm-generic/mman-common.h>
  17
  18 #include <asm/cpufeature.h>             /* boot_cpu_has, ...            */
  19 #include <asm/mmu_context.h>            /* vma_pkey()                   */
  20 #include <asm/fpu/internal.h>           /* fpregs_active()              */
  21
  22 int __execute_only_pkey(struct mm_struct *mm)
  23 {
  24         int ret;
  25
  26         /*
  27          * We do not want to go through the relatively costly
  28          * dance to set PKRU if we do not need to.  Check it
  29          * first and assume that if the execute-only pkey is
  30          * write-disabled that we do not have to set it
  31          * ourselves.  We need preempt off so that nobody
  32          * can make fpregs inactive.
  33          */
  34         preempt_disable();
  35         if (fpregs_active() &&
  36             !__pkru_allows_read(read_pkru(), PKEY_DEDICATED_EXECUTE_ONLY)) {
  37                 preempt_enable();
  38                 return PKEY_DEDICATED_EXECUTE_ONLY;
  39         }
  40         preempt_enable();
  41         ret = arch_set_user_pkey_access(current, PKEY_DEDICATED_EXECUTE_ONLY,
  42                         PKEY_DISABLE_ACCESS);
  43         /*
  44          * If the PKRU-set operation failed somehow, just return
  45          * 0 and effectively disable execute-only support.
  46          */
  47         if (ret)
  48                 return 0;
  49
  50         return PKEY_DEDICATED_EXECUTE_ONLY;
  51 }
  52
  53 static inline bool vma_is_pkey_exec_only(struct vm_area_struct *vma)
  54 {
  55         /* Do this check first since the vm_flags should be hot */
  56         if ((vma->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) != VM_EXEC)
  57                 return false;
  58         if (vma_pkey(vma) != PKEY_DEDICATED_EXECUTE_ONLY)
  59                 return false;
  60
  61         return true;
  62 }
  63
  64 /*
  65  * This is only called for *plain* mprotect calls.
  66  */
  67 int __arch_override_mprotect_pkey(struct vm_area_struct *vma, int prot, int pkey)
  68 {
  69         /*
  70          * Is this an mprotect_pkey() call?  If so, never
  71          * override the value that came from the user.
  72          */
  73         if (pkey != -1)
  74                 return pkey;
  75         /*
  76          * Look for a protection-key-drive execute-only mapping
  77          * which is now being given permissions that are not
  78          * execute-only.  Move it back to the default pkey.
  79          */
  80         if (vma_is_pkey_exec_only(vma) &&
  81             (prot & (PROT_READ|PROT_WRITE))) {
  82                 return 0;
  83         }
  84         /*
  85          * The mapping is execute-only.  Go try to get the
  86          * execute-only protection key.  If we fail to do that,
  87          * fall through as if we do not have execute-only
  88          * support.
  89          */
  90         if (prot == PROT_EXEC) {
  91                 pkey = execute_only_pkey(vma->vm_mm);
  92                 if (pkey > 0)
  93                         return pkey;
  94         }
  95         /*
  96          * This is a vanilla, non-pkey mprotect (or we failed to
  97          * setup execute-only), inherit the pkey from the VMA we
  98          * are working on.
  99          */
 100         return vma_pkey(vma);
 101 }