powerpc: Add KUAP support for BOOKE and 40x

On booke/40x we don't have segments like book3s/32.
On booke/40x we don't have access protection groups like 8xx.

Use the PID register to provide user access protection.
Kernel address space can be accessed with any PID.
User address space has to be accessed with the PID of the user.
User PID is always not null.

Everytime the kernel is entered, set PID register to 0 and
restore PID register when returning to user.

Everytime kernel needs to access user data, PID is restored
for the access.

In TLB miss handlers, check the PID and bail out to data storage
exception when PID is 0 and accessed address is in user space.

Note that also forbids execution of user text by kernel except
when user access is unlocked. But this shouldn't be a problem
as the kernel is not supposed to ever run user text.

This patch prepares the infrastructure but the real activation of KUAP
is done by following patches for each processor type one by one.

Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/5d65576a8e31e9480415785a180c92dd4e72306d.1634627931.git.christophe.leroy@csgroup.eu

diff --git a/arch/powerpc/include/asm/kup.h b/arch/powerpc/include/asm/kup.h
index 656e6f1d6b6f1931d6f5a81b8c857c2c75ed4a93..fb2237809d63b46bf4040c7032cf41a0190c0787 100644 (file)
--- a/arch/powerpc/include/asm/kup.h
+++ b/arch/powerpc/include/asm/kup.h
@@ -14,6 +14,10 @@
 #include <asm/nohash/32/kup-8xx.h>
 #endif
 
+#ifdef CONFIG_BOOKE_OR_40x
+#include <asm/nohash/kup-booke.h>
+#endif
+
 #ifdef CONFIG_PPC_BOOK3S_32
 #include <asm/book3s/32/kup.h>
 #endif

diff --git a/arch/powerpc/include/asm/nohash/kup-booke.h b/arch/powerpc/include/asm/nohash/kup-booke.h
new file mode 100644 (file)
index 0000000..49bb41e
--- /dev/null
+++ b/arch/powerpc/include/asm/nohash/kup-booke.h
@@ -0,0 +1,110 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_POWERPC_KUP_BOOKE_H_
+#define _ASM_POWERPC_KUP_BOOKE_H_
+
+#include <asm/bug.h>
+
+#ifdef CONFIG_PPC_KUAP
+
+#ifdef __ASSEMBLY__
+
+.macro kuap_check_amr  gpr1, gpr2
+.endm
+
+#else
+
+#include <linux/jump_label.h>
+#include <linux/sched.h>
+
+#include <asm/reg.h>
+
+extern struct static_key_false disable_kuap_key;
+
+static __always_inline bool kuap_is_disabled(void)
+{
+       return static_branch_unlikely(&disable_kuap_key);
+}
+
+static inline void __kuap_lock(void)
+{
+       mtspr(SPRN_PID, 0);
+       isync();
+}
+
+static inline void __kuap_save_and_lock(struct pt_regs *regs)
+{
+       regs->kuap = mfspr(SPRN_PID);
+       mtspr(SPRN_PID, 0);
+       isync();
+}
+
+static inline void kuap_user_restore(struct pt_regs *regs)
+{
+       if (kuap_is_disabled())
+               return;
+
+       mtspr(SPRN_PID, current->thread.pid);
+
+       /* Context synchronisation is performed by rfi */
+}
+
+static inline void __kuap_kernel_restore(struct pt_regs *regs, unsigned long kuap)
+{
+       if (regs->kuap)
+               mtspr(SPRN_PID, current->thread.pid);
+
+       /* Context synchronisation is performed by rfi */
+}
+
+static inline unsigned long __kuap_get_and_assert_locked(void)
+{
+       unsigned long kuap = mfspr(SPRN_PID);
+
+       if (IS_ENABLED(CONFIG_PPC_KUAP_DEBUG))
+               WARN_ON_ONCE(kuap);
+
+       return kuap;
+}
+
+static inline void __allow_user_access(void __user *to, const void __user *from,
+                                      unsigned long size, unsigned long dir)
+{
+       mtspr(SPRN_PID, current->thread.pid);
+       isync();
+}
+
+static inline void __prevent_user_access(unsigned long dir)
+{
+       mtspr(SPRN_PID, 0);
+       isync();
+}
+
+static inline unsigned long __prevent_user_access_return(void)
+{
+       unsigned long flags = mfspr(SPRN_PID);
+
+       mtspr(SPRN_PID, 0);
+       isync();
+
+       return flags;
+}
+
+static inline void __restore_user_access(unsigned long flags)
+{
+       if (flags) {
+               mtspr(SPRN_PID, current->thread.pid);
+               isync();
+       }
+}
+
+static inline bool
+__bad_kuap_fault(struct pt_regs *regs, unsigned long address, bool is_write)
+{
+       return !regs->kuap;
+}
+
+#endif /* !__ASSEMBLY__ */
+
+#endif /* CONFIG_PPC_KUAP */
+
+#endif /* _ASM_POWERPC_KUP_BOOKE_H_ */

diff --git a/arch/powerpc/include/asm/processor.h b/arch/powerpc/include/asm/processor.h
index fe1ef1d7523bb7bdb8623a14f6e1e82446c3c9bb..2c8686d9e964ff7a0c70ed53a2df9a299f4a0f6a 100644 (file)
--- a/arch/powerpc/include/asm/processor.h
+++ b/arch/powerpc/include/asm/processor.h
@@ -160,6 +160,9 @@ struct thread_struct {
        unsigned long   sr0;
 #endif
 #endif /* CONFIG_PPC32 */
+#if defined(CONFIG_BOOKE_OR_40x) && defined(CONFIG_PPC_KUAP)
+       unsigned long   pid;    /* value written in PID reg. at interrupt exit */
+#endif
        /* Debug Registers */
        struct debug_reg debug;
 #ifdef CONFIG_PPC_FPU_REGS

diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
index afdcc2d3d470d1540308ac946a0861ec7d206394..790790dfb390fdcc69ad77a3aea40ab07e37cf51 100644 (file)
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -1803,6 +1803,9 @@ int copy_thread(unsigned long clone_flags, unsigned long usp,
 #if defined(CONFIG_PPC_BOOK3S_32) && defined(CONFIG_PPC_KUAP)
        p->thread.kuap = KUAP_NONE;
 #endif
+#if defined(CONFIG_BOOKE_OR_40x) && defined(CONFIG_PPC_KUAP)
+       p->thread.pid = MMU_NO_CONTEXT;
+#endif
 
        setup_ksp_vsid(p, sp);
 

diff --git a/arch/powerpc/mm/mmu_context.c b/arch/powerpc/mm/mmu_context.c
index e618d5442a28ee07493abda193d73067e110db49..735c36f263882c5184965a9620695b084ca510e2 100644 (file)
--- a/arch/powerpc/mm/mmu_context.c
+++ b/arch/powerpc/mm/mmu_context.c
@@ -21,6 +21,9 @@ static inline void switch_mm_pgdir(struct task_struct *tsk,
 #ifdef CONFIG_PPC_BOOK3S_32
        tsk->thread.sr0 = mm->context.sr0;
 #endif
+#if defined(CONFIG_BOOKE_OR_40x) && defined(CONFIG_PPC_KUAP)
+       tsk->thread.pid = mm->context.id;
+#endif
 }
 #elif defined(CONFIG_PPC_BOOK3E_64)
 static inline void switch_mm_pgdir(struct task_struct *tsk,
@@ -28,6 +31,9 @@ static inline void switch_mm_pgdir(struct task_struct *tsk,
 {
        /* 64-bit Book3E keeps track of current PGD in the PACA */
        get_paca()->pgd = mm->pgd;
+#ifdef CONFIG_PPC_KUAP
+       tsk->thread.pid = mm->context.id;
+#endif
 }
 #else
 static inline void switch_mm_pgdir(struct task_struct *tsk,

diff --git a/arch/powerpc/mm/nohash/mmu_context.c b/arch/powerpc/mm/nohash/mmu_context.c
index 44b2b5e7cabe94eb84c559e36a7010237b6aa96b..85b048f04c5623c24c02f79ab6e3e37710183dd9 100644 (file)
--- a/arch/powerpc/mm/nohash/mmu_context.c
+++ b/arch/powerpc/mm/nohash/mmu_context.c
@@ -33,6 +33,7 @@
 #include <asm/mmu_context.h>
 #include <asm/tlbflush.h>
 #include <asm/smp.h>
+#include <asm/kup.h>
 
 #include <mm/mmu_decl.h>
 
@@ -217,7 +218,7 @@ static void set_context(unsigned long id, pgd_t *pgd)
 
                /* sync */
                mb();
-       } else {
+       } else if (kuap_is_disabled()) {
                if (IS_ENABLED(CONFIG_40x))
                        mb();   /* sync */
 
@@ -305,6 +306,9 @@ void switch_mmu_context(struct mm_struct *prev, struct mm_struct *next,
        if (IS_ENABLED(CONFIG_BDI_SWITCH))
                abatron_pteptrs[1] = next->pgd;
        set_context(id, next->pgd);
+#if defined(CONFIG_BOOKE_OR_40x) && defined(CONFIG_PPC_KUAP)
+       tsk->thread.pid = id;
+#endif
        raw_spin_unlock(&context_lock);
 }