[PATCH 6/6] Documentation for Pmalloc
igor.stoppa at huawei.com
Tue Mar 27 01:55:24 UTC 2018
Detailed documentation about the protectable memory allocator.
Signed-off-by: Igor Stoppa <igor.stoppa at huawei.com>
Documentation/core-api/index.rst | 1 +
Documentation/core-api/pmalloc.rst | 101 +++++++++++++++++++++++++++++++++++++
2 files changed, 102 insertions(+)
create mode 100644 Documentation/core-api/pmalloc.rst
diff --git a/Documentation/core-api/index.rst b/Documentation/core-api/index.rst
index c670a8031786..8f5de42d6571 100644
@@ -25,6 +25,7 @@ Core utilities
Interfaces for kernel debugging
diff --git a/Documentation/core-api/pmalloc.rst b/Documentation/core-api/pmalloc.rst
new file mode 100644
@@ -0,0 +1,101 @@
+.. SPDX-License-Identifier: GPL-2.0
+Protectable memory allocator
+The pmalloc library is meant to provide read-only status to data that,
+for some reason, could neither be declared as constant, nor could it take
+advantage of the qualifier __ro_after_init, but is write-once and
+read-only in spirit.
+It protects data from both accidental and malicious overwrites.
+Example: A policy that is loaded from userspace.
+The MMU available in the system can be used to write protect memory pages.
+Unfortunately this feature cannot be used as-it-is, to protect sensitive
+data, because it is typically interleaved with data that must stay
+pmalloc introduces the concept of protectable memory pools.
+Each pool contains a list of areas of virtually contiguous pages of
+memory. An area is the minimum amount of memory that pmalloc allows to
+protect, because the data it contains can be larger than a single page.
+When an allocation is performed, if there is not enough memory already
+available in the pool, a new area of suitable size is allocated.
+The size chosen is the largest between the roundup (to PAGE_SIZE) of
+the request from pmalloc and friends and the refill parameter specified
+when creating the pool.
+When a pool is created, it is possible to specify two parameters:
+- refill size: the minimum size of the memory area to allocate when needed
+- align_order: the default alignment to use when returning to pmalloc
+- To facilitate the conversion of existing code to pmalloc pools, several
+ helper functions are provided, mirroring their k/vmalloc counterparts.
+ In particular, pfree(), which is mostly meant for error paths, when one
+ or more previous allocations must be rolled back.
+- Whatever memory was still available in the previous area (where
+ applicable) is relinquished.
+- Freeing of memory is not supported. Pages will be returned to the
+ system upon destruction of the memory pool.
+- Considering that not much data is supposed to be dynamically allocated
+ and then marked as read-only, it shouldn't be an issue that the address
+ range for pmalloc is limited, on 32-bit systems.
+- Regarding SMP systems, the allocations are expected to happen mostly
+ during an initial transient, after which there should be no more need to
+ perform cross-processor synchronizations of page tables.
+The typical sequence, when using pmalloc, is:
+#. create a pool
+#. [optional] pre-allocate some memory in the pool
+#. issue one or more allocation requests to the pool with locking as needed
+#. initialize the memory obtained with desired values
+#. write-protect the memory so far allocated
+#. iterate over the last 3 points as needed
+#. [optional] destroy the pool
+.. kernel-doc:: include/linux/pmalloc.h
+.. kernel-doc:: mm/pmalloc.c
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive