From: Andy Lutomirski
Date: Mon, 17 Jun 2019 08:07:29 -0700
Subject: Re: [PATCH, RFC 45/62] mm: Add the encrypt_mprotect() system call for MKTME
To: "Kirill A. Shutemov"
Cc: Andrew Morton, X86 ML, Thomas Gleixner, Ingo Molnar, "H. Peter Anvin",
    Borislav Petkov, Peter Zijlstra, David Howells, Kees Cook, Dave Hansen,
    Kai Huang, Jacob Pan, Alison Schofield, Linux-MM, kvm list,
    keyrings@vger.kernel.org, LKML

On Wed, May 8, 2019 at 7:44 AM Kirill A. Shutemov wrote:
>
> From: Alison Schofield
>
> Implement memory encryption for MKTME (Multi-Key Total Memory
> Encryption) with a new system call that is an extension of the
> legacy mprotect() system call.
>
> In encrypt_mprotect the caller must pass a handle to a previously
> allocated and programmed MKTME encryption key. The key can be
> obtained through the kernel key service type "mktme". The caller
> must have KEY_NEED_VIEW permission on the key.
>
> MKTME places an additional restriction on the protected data:
> The length of the data must be page aligned. This is in addition
> to the existing mprotect restriction that the addr must be page
> aligned.

I still find it bizarre that this is conflated with mprotect().

I also remain entirely unconvinced that MKTME on anonymous memory is
useful in the long run. There will inevitably be all kinds of fancy
new CPU features that make the underlying MKTME mechanisms much more
useful. For example, some way to bind a key to a VM, or a way to
*sanely* encrypt persistent memory. By making this thing a syscall
that does more than just MKTME, you're adding combinatorial complexity
(you forget pkey!) and you're tying other functionality (change of
protection) to this likely-to-be-deprecated interface.

This is part of why I much prefer the idea of making this style of
MKTME a driver or some other non-intrusive interface. Then, once
everyone gets tired of it, the driver can just get turned off with no
side effects.

--Andy