Comment 0 for bug 1591804

Memory Protection Keys for Userspace (PKU aka PKEYs) is a Skylake-SP server feature that provides a mechanism for enforcing page-based protections, but without requiring modification of the page tables when an application changes protection domains. It works by dedicating 4 previously ignored bits in each page table entry to a "protection key", giving 16 possible keys.
There is also a new user-accessible register (PKRU) with two separate bits (Access Disable and Write Disable) for each key.Being a CPU register, PKRU is inherently thread-local,potentially giving each thread a different set of protectionsfrom every other thread.
There are two new instructions (RDPKRU/WRPKRU) for reading and writing to the new register. The feature is only available in 64-bit mode, even though there is theoretically space in the PAE PTEs. These permissions are enforced on data access only and have no effect on instruction fetches.

HW: Purley

Upstream status:
v4.6 kernel implement basic and execute-only support
v4.8 kernel will have new interface