1 // SPDX-License-Identifier: GPL-2.0+
3 * PowerPC Memory Protection Keys management
5 * Copyright 2017, Ram Pai, IBM Corporation.
10 #include <linux/pkeys.h>
11 #include <linux/of_device.h>
13 DEFINE_STATIC_KEY_TRUE(pkey_disabled);
14 bool pkey_execute_disable_supported;
15 int pkeys_total; /* Total pkeys as per device tree */
16 bool pkeys_devtree_defined; /* pkey property exported by device tree */
17 u32 initial_allocation_mask; /* Bits set for reserved keys */
18 u64 pkey_amr_mask; /* Bits in AMR not to be touched */
19 u64 pkey_iamr_mask; /* Bits in AMR not to be touched */
20 u64 pkey_uamor_mask; /* Bits in UMOR not to be touched */
22 #define AMR_BITS_PER_PKEY 2
23 #define AMR_RD_BIT 0x1UL
24 #define AMR_WR_BIT 0x2UL
25 #define IAMR_EX_BIT 0x1UL
26 #define PKEY_REG_BITS (sizeof(u64)*8)
27 #define pkeyshift(pkey) (PKEY_REG_BITS - ((pkey+1) * AMR_BITS_PER_PKEY))
29 static void scan_pkey_feature(void)
32 struct device_node *cpu;
34 cpu = of_find_node_by_type(NULL, "cpu");
38 if (of_property_read_u32_array(cpu,
39 "ibm,processor-storage-keys", vals, 2))
43 * Since any pkey can be used for data or execute, we will just treat
44 * all keys as equal and track them as one entity.
46 pkeys_total = be32_to_cpu(vals[0]);
47 pkeys_devtree_defined = true;
50 static inline bool pkey_mmu_enabled(void)
52 if (firmware_has_feature(FW_FEATURE_LPAR))
55 return cpu_has_feature(CPU_FTR_PKEY);
58 int pkey_initialize(void)
63 * We define PKEY_DISABLE_EXECUTE in addition to the arch-neutral
64 * generic defines for PKEY_DISABLE_ACCESS and PKEY_DISABLE_WRITE.
65 * Ensure that the bits a distinct.
67 BUILD_BUG_ON(PKEY_DISABLE_EXECUTE &
68 (PKEY_DISABLE_ACCESS | PKEY_DISABLE_WRITE));
71 * pkey_to_vmflag_bits() assumes that the pkey bits are contiguous
72 * in the vmaflag. Make sure that is really the case.
74 BUILD_BUG_ON(__builtin_clzl(ARCH_VM_PKEY_FLAGS >> VM_PKEY_SHIFT) +
75 __builtin_popcountl(ARCH_VM_PKEY_FLAGS >> VM_PKEY_SHIFT)
76 != (sizeof(u64) * BITS_PER_BYTE));
78 /* scan the device tree for pkey feature */
82 * Let's assume 32 pkeys on P8 bare metal, if its not defined by device
83 * tree. We make this exception since skiboot forgot to expose this
86 if (!pkeys_devtree_defined && !firmware_has_feature(FW_FEATURE_LPAR) &&
87 cpu_has_feature(CPU_FTRS_POWER8))
91 * Adjust the upper limit, based on the number of bits supported by
94 pkeys_total = min_t(int, pkeys_total,
95 (ARCH_VM_PKEY_FLAGS >> VM_PKEY_SHIFT));
97 if (!pkey_mmu_enabled() || radix_enabled() || !pkeys_total)
98 static_branch_enable(&pkey_disabled);
100 static_branch_disable(&pkey_disabled);
102 if (static_branch_likely(&pkey_disabled))
106 * The device tree cannot be relied to indicate support for
107 * execute_disable support. Instead we use a PVR check.
109 if (pvr_version_is(PVR_POWER7) || pvr_version_is(PVR_POWER7p))
110 pkey_execute_disable_supported = false;
112 pkey_execute_disable_supported = true;
114 #ifdef CONFIG_PPC_4K_PAGES
116 * The OS can manage only 8 pkeys due to its inability to represent them
117 * in the Linux 4K PTE.
119 os_reserved = pkeys_total - 8;
123 initial_allocation_mask = (0x1 << 0) | (0x1 << 1);
125 /* register mask is in BE format */
126 pkey_amr_mask = ~0x0ul;
127 pkey_amr_mask &= ~(0x3ul << pkeyshift(0));
129 pkey_iamr_mask = ~0x0ul;
130 pkey_iamr_mask &= ~(0x3ul << pkeyshift(0));
132 pkey_uamor_mask = ~0x0ul;
133 pkey_uamor_mask &= ~(0x3ul << pkeyshift(0));
135 /* mark the rest of the keys as reserved and hence unavailable */
136 for (i = (pkeys_total - os_reserved); i < pkeys_total; i++) {
137 initial_allocation_mask |= (0x1 << i);
138 pkey_uamor_mask &= ~(0x3ul << pkeyshift(i));
144 arch_initcall(pkey_initialize);
146 void pkey_mm_init(struct mm_struct *mm)
148 if (static_branch_likely(&pkey_disabled))
150 mm_pkey_allocation_map(mm) = initial_allocation_mask;
151 /* -1 means unallocated or invalid */
152 mm->context.execute_only_pkey = -1;
155 static inline u64 read_amr(void)
157 return mfspr(SPRN_AMR);
160 static inline void write_amr(u64 value)
162 mtspr(SPRN_AMR, value);
165 static inline u64 read_iamr(void)
167 if (!likely(pkey_execute_disable_supported))
170 return mfspr(SPRN_IAMR);
173 static inline void write_iamr(u64 value)
175 if (!likely(pkey_execute_disable_supported))
178 mtspr(SPRN_IAMR, value);
181 static inline u64 read_uamor(void)
183 return mfspr(SPRN_UAMOR);
186 static inline void write_uamor(u64 value)
188 mtspr(SPRN_UAMOR, value);
191 static bool is_pkey_enabled(int pkey)
193 u64 uamor = read_uamor();
194 u64 pkey_bits = 0x3ul << pkeyshift(pkey);
195 u64 uamor_pkey_bits = (uamor & pkey_bits);
198 * Both the bits in UAMOR corresponding to the key should be set or
201 WARN_ON(uamor_pkey_bits && (uamor_pkey_bits != pkey_bits));
202 return !!(uamor_pkey_bits);
205 static inline void init_amr(int pkey, u8 init_bits)
207 u64 new_amr_bits = (((u64)init_bits & 0x3UL) << pkeyshift(pkey));
208 u64 old_amr = read_amr() & ~((u64)(0x3ul) << pkeyshift(pkey));
210 write_amr(old_amr | new_amr_bits);
213 static inline void init_iamr(int pkey, u8 init_bits)
215 u64 new_iamr_bits = (((u64)init_bits & 0x1UL) << pkeyshift(pkey));
216 u64 old_iamr = read_iamr() & ~((u64)(0x1ul) << pkeyshift(pkey));
218 write_iamr(old_iamr | new_iamr_bits);
221 static void pkey_status_change(int pkey, bool enable)
225 /* Reset the AMR and IAMR bits for this key */
227 init_iamr(pkey, 0x0);
229 /* Enable/disable key */
230 old_uamor = read_uamor();
232 old_uamor |= (0x3ul << pkeyshift(pkey));
234 old_uamor &= ~(0x3ul << pkeyshift(pkey));
235 write_uamor(old_uamor);
238 void __arch_activate_pkey(int pkey)
240 pkey_status_change(pkey, true);
243 void __arch_deactivate_pkey(int pkey)
245 pkey_status_change(pkey, false);
249 * Set the access rights in AMR IAMR and UAMOR registers for @pkey to that
250 * specified in @init_val.
252 int __arch_set_user_pkey_access(struct task_struct *tsk, int pkey,
253 unsigned long init_val)
255 u64 new_amr_bits = 0x0ul;
256 u64 new_iamr_bits = 0x0ul;
258 if (!is_pkey_enabled(pkey))
261 if (init_val & PKEY_DISABLE_EXECUTE) {
262 if (!pkey_execute_disable_supported)
264 new_iamr_bits |= IAMR_EX_BIT;
266 init_iamr(pkey, new_iamr_bits);
268 /* Set the bits we need in AMR: */
269 if (init_val & PKEY_DISABLE_ACCESS)
270 new_amr_bits |= AMR_RD_BIT | AMR_WR_BIT;
271 else if (init_val & PKEY_DISABLE_WRITE)
272 new_amr_bits |= AMR_WR_BIT;
274 init_amr(pkey, new_amr_bits);
278 void thread_pkey_regs_save(struct thread_struct *thread)
280 if (static_branch_likely(&pkey_disabled))
284 * TODO: Skip saving registers if @thread hasn't used any keys yet.
286 thread->amr = read_amr();
287 thread->iamr = read_iamr();
288 thread->uamor = read_uamor();
291 void thread_pkey_regs_restore(struct thread_struct *new_thread,
292 struct thread_struct *old_thread)
294 if (static_branch_likely(&pkey_disabled))
297 if (old_thread->amr != new_thread->amr)
298 write_amr(new_thread->amr);
299 if (old_thread->iamr != new_thread->iamr)
300 write_iamr(new_thread->iamr);
301 if (old_thread->uamor != new_thread->uamor)
302 write_uamor(new_thread->uamor);
305 void thread_pkey_regs_init(struct thread_struct *thread)
307 if (static_branch_likely(&pkey_disabled))
310 thread->amr = pkey_amr_mask;
311 thread->iamr = pkey_iamr_mask;
312 thread->uamor = pkey_uamor_mask;
314 write_uamor(pkey_uamor_mask);
315 write_amr(pkey_amr_mask);
316 write_iamr(pkey_iamr_mask);
319 static inline bool pkey_allows_readwrite(int pkey)
321 int pkey_shift = pkeyshift(pkey);
323 if (!is_pkey_enabled(pkey))
326 return !(read_amr() & ((AMR_RD_BIT|AMR_WR_BIT) << pkey_shift));
329 int __execute_only_pkey(struct mm_struct *mm)
331 bool need_to_set_mm_pkey = false;
332 int execute_only_pkey = mm->context.execute_only_pkey;
335 /* Do we need to assign a pkey for mm's execute-only maps? */
336 if (execute_only_pkey == -1) {
337 /* Go allocate one to use, which might fail */
338 execute_only_pkey = mm_pkey_alloc(mm);
339 if (execute_only_pkey < 0)
341 need_to_set_mm_pkey = true;
345 * We do not want to go through the relatively costly dance to set AMR
346 * if we do not need to. Check it first and assume that if the
347 * execute-only pkey is readwrite-disabled than we do not have to set it
350 if (!need_to_set_mm_pkey && !pkey_allows_readwrite(execute_only_pkey))
351 return execute_only_pkey;
354 * Set up AMR so that it denies access for everything other than
357 ret = __arch_set_user_pkey_access(current, execute_only_pkey,
358 PKEY_DISABLE_ACCESS |
361 * If the AMR-set operation failed somehow, just return 0 and
362 * effectively disable execute-only support.
365 mm_pkey_free(mm, execute_only_pkey);
369 /* We got one, store it and use it from here on out */
370 if (need_to_set_mm_pkey)
371 mm->context.execute_only_pkey = execute_only_pkey;
372 return execute_only_pkey;
375 static inline bool vma_is_pkey_exec_only(struct vm_area_struct *vma)
377 /* Do this check first since the vm_flags should be hot */
378 if ((vma->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) != VM_EXEC)
381 return (vma_pkey(vma) == vma->vm_mm->context.execute_only_pkey);
385 * This should only be called for *plain* mprotect calls.
387 int __arch_override_mprotect_pkey(struct vm_area_struct *vma, int prot,
391 * If the currently associated pkey is execute-only, but the requested
392 * protection is not execute-only, move it back to the default pkey.
394 if (vma_is_pkey_exec_only(vma) && (prot != PROT_EXEC))
398 * The requested protection is execute-only. Hence let's use an
401 if (prot == PROT_EXEC) {
402 pkey = execute_only_pkey(vma->vm_mm);
407 /* Nothing to override. */
408 return vma_pkey(vma);
411 static bool pkey_access_permitted(int pkey, bool write, bool execute)
419 if (!is_pkey_enabled(pkey))
422 pkey_shift = pkeyshift(pkey);
423 if (execute && !(read_iamr() & (IAMR_EX_BIT << pkey_shift)))
426 amr = read_amr(); /* Delay reading amr until absolutely needed */
427 return ((!write && !(amr & (AMR_RD_BIT << pkey_shift))) ||
428 (write && !(amr & (AMR_WR_BIT << pkey_shift))));
431 bool arch_pte_access_permitted(u64 pte, bool write, bool execute)
433 if (static_branch_likely(&pkey_disabled))
436 return pkey_access_permitted(pte_to_pkey_bits(pte), write, execute);
440 * We only want to enforce protection keys on the current thread because we
441 * effectively have no access to AMR/IAMR for other threads or any way to tell
442 * which AMR/IAMR in a threaded process we could use.
444 * So do not enforce things if the VMA is not from the current mm, or if we are
445 * in a kernel thread.
447 static inline bool vma_is_foreign(struct vm_area_struct *vma)
452 /* if it is not our ->mm, it has to be foreign */
453 if (current->mm != vma->vm_mm)
459 bool arch_vma_access_permitted(struct vm_area_struct *vma, bool write,
460 bool execute, bool foreign)
462 if (static_branch_likely(&pkey_disabled))
465 * Do not enforce our key-permissions on a foreign vma.
467 if (foreign || vma_is_foreign(vma))
470 return pkey_access_permitted(vma_pkey(vma), write, execute);