Thread: 140 messages, 21 authors, 2018-12-04

Re: [PATCH 10/17] prmem: documentation

From: Peter Zijlstra <peterz@infradead.org>
Date: 2018-10-31 09:45:21
Also in: linux-doc, linux-integrity, lkml

On Tue, Oct 30, 2018 at 02:02:12PM -0700, Andy Lutomirski wrote:
> But I dislike allowing regular writes in the protected region. We
> really only need four write primitives:
>
> 1. Just write one value.  Call at any time (except NMI).
>
> 2. Just copy some bytes. Same as (1) but any number of bytes.

Given the !preempt/!IRQ constraints I'd certainly put an upper limit on
the number of bytes there.

> 3,4: Same as 1 and 2 but must be called inside a special rare write
> region. This is purely an optimization.
>
> Actually getting a modifiable pointer should be disallowed for two
> reasons:
>
> 1. Some architectures may want to use a special
> write-different-address-space operation.

You're thinking of s390 ? :-)

> Heck, x86 could, too: make
> the actual offset be a secret and shove the offset into FSBASE or
> similar. Then %fs-prefixed writes would do the rare writes.
>
> 2. Alternatively, x86 could set the U bit. Then the actual writes
> would use the uaccess helpers, giving extra protection via SMAP.

Cute, and yes, something like that would be nice.

> We don’t really want a situation where an unchecked pointer in the
> rare write region completely defeats the mechanism.

Agreed.
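
An added example, not part of the original message or the prmem patch set: a userspace C model of the interface discussed above, where callers name a target by offset and never receive a writable pointer. The function names, the 64-byte cap, and the use of mprotect() as a stand-in for the kernel's write mechanism are assumptions made for illustration.

```c
/* Added example: userspace model of a "write primitives only" interface.
 * All names and limits here are hypothetical, not from the patch set. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

#define REGION_SIZE    65536u  /* assumed: a multiple of common page sizes */
#define RARE_WRITE_MAX 64u     /* assumed upper limit on bytes per call */

/* Protected region: read-only except inside rare_write_copy(). */
static unsigned char region[REGION_SIZE] __attribute__((aligned(REGION_SIZE)));

/* Seal the region; after this, plain stores to it fault. */
int rare_region_seal(void)
{
    return mprotect(region, REGION_SIZE, PROT_READ);
}

/* Read-only view for callers; a writable pointer is never handed out. */
const void *rare_region_ptr(size_t off)
{
    return off < REGION_SIZE ? region + off : NULL;
}

/* Primitive 2: copy len bytes to offset off inside the region. */
int rare_write_copy(size_t off, const void *src, size_t len)
{
    if (len == 0 || len > RARE_WRITE_MAX)
        return -1;                  /* bounded copy size */
    if (off >= REGION_SIZE || len > REGION_SIZE - off)
        return -1;                  /* target must lie wholly inside the region */
    if (mprotect(region, REGION_SIZE, PROT_READ | PROT_WRITE) != 0)
        return -1;
    memcpy(region + off, src, len);
    return mprotect(region, REGION_SIZE, PROT_READ);
}

/* Primitive 1: write one value (a fixed-size case of the copy). */
int rare_write_u64(size_t off, uint64_t val)
{
    return rare_write_copy(off, &val, sizeof(val));
}
```

Because the target is validated inside the primitive, a bad offset or oversized length is rejected before the region is ever made writable.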