pkeys on POWER: Default AMR, UAMOR values
Andy Lutomirski
luto at amacapital.net
Sat May 19 00:35:01 AEST 2018
On Fri, May 18, 2018 at 6:17 AM Florian Weimer <fweimer at redhat.com> wrote:
> I'm working on adding POWER pkeys support to glibc. The coding work is
> done, but I'm faced with some test suite failures.
> Unlike the default x86 configuration, on POWER, existing threads have
> full access to newly allocated keys.
> Or, more precisely, in this scenario:
> * Thread A launches thread B
> * Thread B waits
> * Thread A allocations a protection key with pkey_alloc
> * Thread A applies the key to a page
> * Thread A signals thread B
> * Thread B starts to run and accesses the page
> Then at the end, the access will be granted.
> I hope it's not too late to change this to denied access.
> Furthermore, I think the UAMOR value is wrong as well because it
> prevents thread B at the end to set the AMR register. In particular, if
> I do this
> * … (as before)
> * Thread A signals thread B
> * Thread B sets the access rights for the key to PKEY_DISABLE_ACCESS
> * Thread B reads the current access rights for the key
> then it still gets 0 (all access permitted) because the original UAMOR
> value inherited from thread A prior to the key allocation masks out the
> access right update for the newly allocated key.
This type of issue is why I think that a good protection key ISA would not
have a usermode read-the-whole-register or write-the-whole-register
operation at all. It's still not clear to me that there is any good
kernel-mode solution. But at least x86 defaults to deny-everything, which
is more annoying but considerably safer than POWER's behavior.
--Andy
More information about the Linuxppc-dev
mailing list