[Feature] Purley: Memory Protection Keys

Bug #1591804 reported by XiongZhang on 2016-06-13
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
intel
Undecided
Unassigned
linux (Ubuntu)
Undecided
Tim Gardner
Yakkety
Undecided
Tim Gardner
Zesty
Undecided
Tim Gardner

Bug Description

Memory Protection Keys for Userspace (PKU aka PKEYs) is a Skylake-SP server feature that provides a mechanism for enforcing page-based protections, but without requiring modification of the page tables when an application changes protection domains. It works by dedicating 4 previously ignored bits in each page table entry to a "protection key", giving 16 possible keys.
There is also a new user-accessible register (PKRU) with two separate bits (Access Disable and Write Disable) for each key.Being a CPU register, PKRU is inherently thread-local,potentially giving each thread a different set of protectionsfrom every other thread.
There are two new instructions (RDPKRU/WRPKRU) for reading and writing to the new register. The feature is only available in 64-bit mode, even though there is theoretically space in the PAE PTEs. These permissions are enforced on data access only and have no effect on instruction fetches.

HW: Purley

Upstream status:
v4.6 kernel implement basic and execute-only support
v4.9 kernel will have new interface

CVE References

The v4.8 based kernel has been uploaded to the Yakkety 16.10 archive. I'm setting this to Fix Released.

information type: Proprietary → Public
Changed in linux (Ubuntu):
status: New → Fix Released
Changed in intel:
status: New → Fix Released
XiongZhang (xiong-y-zhang) wrote :

We should defer it to 17.04 as new interface is queued in linux-next as part of v4.9

description: updated
Changed in linux (Ubuntu):
status: Fix Released → New
Changed in intel:
status: Fix Released → New

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1591804

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
XiongZhang (xiong-y-zhang) wrote :

The new interface is queued for v4.9 in linux-next, please evaluate whether it could be backported into 16.10.
7d06d9c9bd813fc956b9c7bffc1b9724009983eb
e8c6226d483cb28f55cab718065ea1b7226d40e8
f9afc6197e9bba1e2e62e262704f661810cc8bba
a8502b67d739c1d7a4542c1da0a5d98a6a58c177
a60f7b69d92c0142c80a30d669a76b617b7f6879
e8c24d3a23a469f1f40d4de24d872ca7023ced0a
c74fe3940848c6afea83bfbda64a9baf9da547c8
acd547b29880800d29222c4632d2c145e401988c
76de993727d22eb29c716abacfae9d9444bb7897
5f23f6d082a95237387f18d3fde8d472aae9659a

XiongZhang (xiong-y-zhang) wrote :

The new interface is in v4.9:
5f23f6d x86/pkeys: Add self-tests
76de993 x86/pkeys: Allow configuration of init_pkru
acd547b x86/pkeys: Default to a restrictive init PKRU
c74fe39 pkeys: Add details of system call use to Documentation/
a60f7b6 generic syscalls: Wire up memory protection keys syscalls
f9afc61 x86: Wire up protection keys system calls
e8c24d3 x86/pkeys: Allocation/free syscalls
a8502b6 x86/pkeys: Make mprotect_key() mask off additional vm_flags
7d06d9c mm: Implement new pkey_mprotect() system call
e8c6226 x86/pkeys: Add fault handling for PF_PK page fault bit

Tim Gardner (timg-tpi) on 2016-10-19
Changed in linux (Ubuntu):
assignee: nobody → Tim Gardner (timg-tpi)
status: Incomplete → In Progress
Changed in linux (Ubuntu Zesty):
status: In Progress → Fix Released
Changed in linux (Ubuntu Yakkety):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
Tim Gardner (timg-tpi) on 2016-11-03
Changed in linux (Ubuntu Yakkety):
status: In Progress → Fix Committed
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-yakkety' to 'verification-done-yakkety'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-yakkety
Launchpad Janitor (janitor) wrote :
Download full text (26.6 KiB)

This bug was fixed in the package linux - 4.8.0-28.30

---------------
linux (4.8.0-28.30) yakkety; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1641083

  * lxc-attach to malicious container allows access to host (LP: #1639345)
    - Revert "UBUNTU: SAUCE: (noup) ptrace: being capable wrt a process requires
      mapped uids/gids"
    - (upstream) mm: Add a user_ns owner to mm_struct and fix ptrace permission
      checks

  * [Feature] AVX-512 new instruction sets (avx512_4vnniw, avx512_4fmaps)
    (LP: #1637526)
    - x86/cpufeature: Add AVX512_4VNNIW and AVX512_4FMAPS features

  * zfs: importing zpool with vdev on zvol hangs kernel (LP: #1636517)
    - SAUCE: (noup) Update zfs to 0.6.5.8-0ubuntu4.1

  * Move some device drivers build from kernel built-in to modules
    (LP: #1637303)
    - [Config] CONFIG_TIGON3=m for all arches
    - [Config] CONFIG_VIRTIO_BLK=m, CONFIG_VIRTIO_NET=m

  * I2C touchpad does not work on AMD platform (LP: #1612006)
    - pinctrl/amd: Configure GPIO register using BIOS settings

  * guest experiencing Transmit Timeouts on CX4 (LP: #1636330)
    - powerpc/64: Re-fix race condition between going idle and entering guest
    - powerpc/64: Fix race condition in setting lock bit in idle/wakeup code

  * QEMU throws failure msg while booting guest with SRIOV VF (LP: #1630554)
    - KVM: PPC: Always select KVM_VFIO, plus Makefile cleanup

  * [Feature] KBL - New device ID for Kabypoint(KbP) (LP: #1591618)
    - SAUCE: mfd: lpss: Fix Intel Kaby Lake PCH-H properties

  * hio: SSD data corruption under stress test (LP: #1638700)
    - SAUCE: hio: set bi_error field to signal an I/O error on a BIO
    - SAUCE: hio: splitting bio in the entry of .make_request_fn

  * cleanup primary tree for linux-hwe layering issues (LP: #1637473)
    - [Config] switch Vcs-Git: to yakkety repository
    - [Packaging] handle both linux-lts* and linux-hwe* as backports
    - [Config] linux-tools-common and linux-cloud-tools-common are one per series
    - [Config] linux-source-* is in the primary linux namespace
    - [Config] linux-tools -- always suggest the base package

  * SRU: sync zfsutils-linux and spl-linux changes to linux (LP: #1635656)
    - SAUCE: (noup) Update spl to 0.6.5.8-2, zfs to 0.6.5.8-0ubuntu4 (LP:
      #1635656)

  * [Feature] SKX: perf uncore PMU support (LP: #1591810)
    - perf/x86/intel/uncore: Add Skylake server uncore support
    - perf/x86/intel/uncore: Remove hard-coded implementation for Node ID mapping
      location
    - perf/x86/intel/uncore: Handle non-standard counter offset

  * [Feature] Purley: Memory Protection Keys (LP: #1591804)
    - x86/pkeys: Add fault handling for PF_PK page fault bit
    - mm: Implement new pkey_mprotect() system call
    - x86/pkeys: Make mprotect_key() mask off additional vm_flags
    - x86/pkeys: Allocation/free syscalls
    - x86: Wire up protection keys system calls
    - generic syscalls: Wire up memory protection keys syscalls
    - pkeys: Add details of system call use to Documentation/
    - x86/pkeys: Default to a restrictive init PKRU
    - x86/pkeys: Allow configuration of init_pkru
    - x86/pkeys: Add self-tests

  * kernel invalid ...

Changed in linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for linux has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Changed in intel:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers