• Michael Ellerman's avatar
    powerpc/64s: Implement KUAP for Radix MMU · 890274c2
    Michael Ellerman authored
    Kernel Userspace Access Prevention utilises a feature of the Radix MMU
    which disallows read and write access to userspace addresses. By
    utilising this, the kernel is prevented from accessing user data from
    outside of trusted paths that perform proper safety checks, such as
    copy_{to/from}_user() and friends.
    
    Userspace access is disabled from early boot and is only enabled when
    performing an operation like copy_{to/from}_user(). The register that
    controls this (AMR) does not prevent userspace from accessing itself,
    so there is no need to save and restore when entering and exiting
    userspace.
    
    When entering the kernel from the kernel we save AMR and if it is not
    blocking user access (because eg. we faulted doing a user access) we
    reblock user access for the duration of the exception (ie. the page
    fault) and then restore the AMR when returning back to the kernel.
    
    This feature can be tested by using the lkdtm driver (CONFIG_LKDTM=y)
    and performing the following:
    
      # (echo ACCESS_USERSPACE) > [debugfs]/provoke-crash/DIRECT
    
    If enabled, this should send SIGSEGV to the thread.
    
    We also add paranoid checking of AMR in switch and syscall return
    under CONFIG_PPC_KUAP_DEBUG.
    Co-authored-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: default avatarRussell Currey <ruscur@russell.cc>
    Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
    890274c2
feature-fixups.h 8.38 KB