IEE: cred: Enhance credential cache initialization with SLAB_NO_MERGE

Improve the credential subsystem initialization in cred_init() by
adding dedicated cache allocation flags and enhancing code structure.

Key changes:
 *Add SLAB_NO_MERGE flag to all credential cache allocations to
prevent cache merging and ensure dedicated memory pools.
 *Restructure conditional logic for better code readability and
maintainability.
 *Enhance RCU jar cache creation with improved formatting and
documentation.
 *Update informational log message to reflect the use of dedicated
caches.
 *Add comprehensive comments explaining the purpose of independent
cache creation.

This change ensures that credential-related memory allocations use
dedicated SLAB caches, which can improve security isolation and
debugging capabilities while maintaining backward compatibility with
existing configurations.

The SLAB_NO_MERGE flag prevents the kernel from merging these caches
with others, providing better memory layout control and potentially
improved security characteristics for credential handling.

Tested-by: Jun Zhan <[email protected]>
Co-developed-by: Jun Zhan <[email protected]>
Signed-off-by: Jun Zhan <[email protected]>
Signed-off-by: WangYuli <[email protected]>

Author: WangYuli

kernel/cred.c

@@ -733,21 +733,31 @@ void __init cred_init(void)
 {
 	#ifdef CONFIG_CREDP
 	if (haoc_enabled){
+		// 为IEE配置创建独立的缓存，使用SLAB_NO_MERGE确保不会合并
 		cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred), 0,
-				SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT|SLAB_RED_ZONE, NULL);
+				SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT|SLAB_RED_ZONE|SLAB_NO_MERGE,
+				NULL);
 
-		rcu_jar = kmem_cache_create("rcu_jar", sizeof(struct rcu_head) + sizeof(struct cred *), 0,
-				SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT, NULL);
-		// Map init_cred
+		// RCU缓存也创建为独立缓存
+		rcu_jar = kmem_cache_create("rcu_jar",
+				sizeof(struct rcu_head) + sizeof(struct cred *), 0,
+				SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT|SLAB_NO_MERGE,
+				NULL);
+
+		// 初始化init_cred的RCU部分
 		iee_set_cred_rcu(&init_cred, kmem_cache_zalloc(rcu_jar, GFP_KERNEL));
 		*(struct cred **)(((struct rcu_head *)(init_cred.rcu.func)) + 1) = &init_cred;
-		pr_info("HAOC: CONFIG_CREDP enabled.");
-	} else 
+
+		pr_info("HAOC: CONFIG_CREDP enabled with dedicated caches.");
+	} else {
 		cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred), 0,
-			SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT, NULL);
+			SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT|SLAB_NO_MERGE,
+			NULL);
+	}
 	#else
 	cred_jar = kmem_cache_create("cred_jar", sizeof(struct cred), 0,
-			SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT, NULL);
+			SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT|SLAB_NO_MERGE,
+			NULL);
 	#endif
 }