Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Documentation: x86: convert intel_mpx.txt to reST

This converts the plain text documentation to reStructuredText format and
adds it to the Sphinx TOC tree. No essential content change.

Signed-off-by: Changbin Du <changbin.du@gmail.com>
Reviewed-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>

Authored by Changbin Du and committed by Jonathan Corbet
f10b07a0 28e21eac

+62 -53
+1
Documentation/x86/index.rst
··· 19 19 mtrr 20 20 pat 21 21 protection-keys 22 + intel_mpx
+61 -53
Documentation/x86/intel_mpx.txt Documentation/x86/intel_mpx.rst
··· 1 - 1. Intel(R) MPX Overview 2 - ======================== 1 + .. SPDX-License-Identifier: GPL-2.0 2 + 3 + =========================================== 4 + Intel(R) Memory Protection Extensions (MPX) 5 + =========================================== 6 + 7 + Intel(R) MPX Overview 8 + ===================== 3 9 4 10 Intel(R) Memory Protection Extensions (Intel(R) MPX) is a new capability 5 11 introduced into Intel Architecture. Intel MPX provides hardware features ··· 13 7 references, for those references whose compile-time normal intentions are 14 8 usurped at runtime due to buffer overflow or underflow. 15 9 16 - You can tell if your CPU supports MPX by looking in /proc/cpuinfo: 10 + You can tell if your CPU supports MPX by looking in /proc/cpuinfo:: 17 11 18 12 cat /proc/cpuinfo | grep ' mpx ' 19 13 ··· 27 21 http://software.intel.com/en-us/articles/intel-software-development-emulator 28 22 29 23 30 - 2. How to get the advantage of MPX 31 - ================================== 24 + How to get the advantage of MPX 25 + =============================== 32 26 33 27 For MPX to work, changes are required in the kernel, binutils and compiler. 34 28 No source changes are required for applications, just a recompile. ··· 90 84 is unmapped. 91 85 92 86 93 - 3. How does MPX kernel code work 94 - ================================ 87 + How does MPX kernel code work 88 + ============================= 95 89 96 90 Handling #BR faults caused by MPX 97 91 --------------------------------- 98 92 99 93 When MPX is enabled, there are 2 new situations that can generate 100 94 #BR faults. 95 + 101 96 * new bounds tables (BT) need to be allocated to save bounds. 102 97 * bounds violation caused by MPX instructions. 103 98 ··· 131 124 are a few ways this could be done. We don't think any of them are practical 132 125 in the real-world, but here they are. 133 126 134 - Q: Can virtual space simply be reserved for the bounds tables so that we 135 - never have to allocate them? 
136 - A: MPX-enabled application will possibly create a lot of bounds tables in 137 - process address space to save bounds information. These tables can take 138 - up huge swaths of memory (as much as 80% of the memory on the system) 139 - even if we clean them up aggressively. In the worst-case scenario, the 140 - tables can be 4x the size of the data structure being tracked. IOW, a 141 - 1-page structure can require 4 bounds-table pages. An X-GB virtual 142 - area needs 4*X GB of virtual space, plus 2GB for the bounds directory. 143 - If we were to preallocate them for the 128TB of user virtual address 144 - space, we would need to reserve 512TB+2GB, which is larger than the 145 - entire virtual address space today. This means they can not be reserved 146 - ahead of time. Also, a single process's pre-populated bounds directory 147 - consumes 2GB of virtual *AND* physical memory. IOW, it's completely 148 - infeasible to prepopulate bounds directories. 127 + :Q: Can virtual space simply be reserved for the bounds tables so that we 128 + never have to allocate them? 129 + :A: MPX-enabled application will possibly create a lot of bounds tables in 130 + process address space to save bounds information. These tables can take 131 + up huge swaths of memory (as much as 80% of the memory on the system) 132 + even if we clean them up aggressively. In the worst-case scenario, the 133 + tables can be 4x the size of the data structure being tracked. IOW, a 134 + 1-page structure can require 4 bounds-table pages. An X-GB virtual 135 + area needs 4*X GB of virtual space, plus 2GB for the bounds directory. 136 + If we were to preallocate them for the 128TB of user virtual address 137 + space, we would need to reserve 512TB+2GB, which is larger than the 138 + entire virtual address space today. This means they can not be reserved 139 + ahead of time. Also, a single process's pre-populated bounds directory 140 + consumes 2GB of virtual *AND* physical memory. 
IOW, it's completely 141 + infeasible to prepopulate bounds directories. 149 142 150 - Q: Can we preallocate bounds table space at the same time memory is 151 - allocated which might contain pointers that might eventually need 152 - bounds tables? 153 - A: This would work if we could hook the site of each and every memory 154 - allocation syscall. This can be done for small, constrained applications. 155 - But, it isn't practical at a larger scale since a given app has no 156 - way of controlling how all the parts of the app might allocate memory 157 - (think libraries). The kernel is really the only place to intercept 158 - these calls. 143 + :Q: Can we preallocate bounds table space at the same time memory is 144 + allocated which might contain pointers that might eventually need 145 + bounds tables? 146 + :A: This would work if we could hook the site of each and every memory 147 + allocation syscall. This can be done for small, constrained applications. 148 + But, it isn't practical at a larger scale since a given app has no 149 + way of controlling how all the parts of the app might allocate memory 150 + (think libraries). The kernel is really the only place to intercept 151 + these calls. 159 152 160 - Q: Could a bounds fault be handed to userspace and the tables allocated 161 - there in a signal handler instead of in the kernel? 162 - A: mmap() is not on the list of safe async handler functions and even 163 - if mmap() would work it still requires locking or nasty tricks to 164 - keep track of the allocation state there. 153 + :Q: Could a bounds fault be handed to userspace and the tables allocated 154 + there in a signal handler instead of in the kernel? 155 + :A: mmap() is not on the list of safe async handler functions and even 156 + if mmap() would work it still requires locking or nasty tricks to 157 + keep track of the allocation state there. 
165 158 166 159 Having ruled out all of the userspace-only approaches for managing 167 160 bounds tables that we could think of, we create them on demand in ··· 174 167 We need to decode MPX instructions to get violation address and 175 168 set this address into extended struct siginfo. 176 169 177 - The _sigfault field of struct siginfo is extended as follow: 170 + The _sigfault field of struct siginfo is extended as follow:: 178 171 179 - 87 /* SIGILL, SIGFPE, SIGSEGV, SIGBUS */ 180 - 88 struct { 181 - 89 void __user *_addr; /* faulting insn/memory ref. */ 182 - 90 #ifdef __ARCH_SI_TRAPNO 183 - 91 int _trapno; /* TRAP # which caused the signal */ 184 - 92 #endif 185 - 93 short _addr_lsb; /* LSB of the reported address */ 186 - 94 struct { 187 - 95 void __user *_lower; 188 - 96 void __user *_upper; 189 - 97 } _addr_bnd; 190 - 98 } _sigfault; 172 + 87 /* SIGILL, SIGFPE, SIGSEGV, SIGBUS */ 173 + 88 struct { 174 + 89 void __user *_addr; /* faulting insn/memory ref. */ 175 + 90 #ifdef __ARCH_SI_TRAPNO 176 + 91 int _trapno; /* TRAP # which caused the signal */ 177 + 92 #endif 178 + 93 short _addr_lsb; /* LSB of the reported address */ 179 + 94 struct { 180 + 95 void __user *_lower; 181 + 96 void __user *_upper; 182 + 97 } _addr_bnd; 183 + 98 } _sigfault; 191 184 192 185 The '_addr' field refers to violation address, and new '_addr_and' 193 186 field refers to the upper/lower bounds when a #BR is caused. ··· 216 209 217 210 Two new prctl commands are added to enable and disable MPX bounds tables 218 211 management in kernel. 212 + :: 219 213 220 - 155 #define PR_MPX_ENABLE_MANAGEMENT 43 221 - 156 #define PR_MPX_DISABLE_MANAGEMENT 44 214 + 155 #define PR_MPX_ENABLE_MANAGEMENT 43 215 + 156 #define PR_MPX_DISABLE_MANAGEMENT 44 222 216 223 217 Runtime library in userspace is responsible for allocation of bounds 224 218 directory. So kernel have to use XSAVE instruction to get the base ··· 231 223 command execution. 232 224 233 225 234 - 4. 
Special rules 235 - ================ 226 + Special rules 227 + ============= 236 228 237 229 1) If userspace is requesting help from the kernel to do the management 238 230 of bounds tables, it may not create or modify entries in the bounds directory.
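
Review bot: In the struct siginfo hunk, the literal block introduced by "extended as follow::" still carries what look like source line numbers (87 to 98) in front of every line, so the rendered block is not valid C. Nothing in the surrounding text refers to those numbers, so drop the prefixes and keep only the struct. In the same paragraph, the trailing context line names the new field '_addr_and' while the member in the block is _addr_bnd, and "as follow" should read "as follows"; both are worth fixing here or in a follow-up, given the stated "No essential content change" scope.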
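
Review bot: In the prctl hunk, the literal block is introduced by a bare "::" on its own line after "management in kernel.", while the /proc/cpuinfo and siginfo hunks use the "text::" form; pick one style for the file, for example ending the sentence with "management in kernel::". The two #define lines for PR_MPX_ENABLE_MANAGEMENT and PR_MPX_DISABLE_MANAGEMENT also keep their 155 and 156 prefixes, which are not part of the definitions and should be removed from the literal block.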
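
Review bot: References to the old path Documentation/x86/intel_mpx.txt are not updated anywhere in this patch; the diffstat lists only Documentation/x86/index.rst and the rename to intel_mpx.rst itself. Please grep the tree for the old file name and fix any hits in this patch, so that no comment or document is left pointing at a missing file.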