Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp2639928ybi;
        Mon, 17 Jun 2019 08:09:34 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxQAeW043aQCAuPjNRtt+zwlk+38LcqMc1UFlPWpqanID9wTk3H7gy3YKF5OFaUM3gcEpD6
X-Received: by 2002:a62:d44d:: with SMTP id u13mr13824719pfl.251.1560784174371;
        Mon, 17 Jun 2019 08:09:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1560784174; cv=none;
        d=google.com; s=arc-20160816;
        b=WLeAcJgZUWcWrPvDijjFOjQx9Fbg56jhe8RlmLREYG7Soe4Asee3Yew0u+nbNp5WhK
         kv53d7PdQ1asrYq3w2JsaaAN287c/jf3h20BeigHqL+DdyOv2YFuKSoqkpfh6lSl5x4k
         uCfSqmtAhC2OSub73cdLKZh+ZuSzgizmQkLCEpZfe7quofvBfLrxzaRLXXphRiuERYQu
         tCPMLFVcmJ3jHbf46Oy3zqVfgHnDGOuoeZ6tZzxlgwe1roJcyVXFiKUbyY9eXjXlYVoB
         m+fGG7u5486JfmhXsKs46goOhHVHWQEDZCj9756pZiPc26m57pumGXho/0nMe+8jwW8K
         JDmg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=APZnbT8xfzibFZO4quG3uKS1bevo3QXYzsqYmxbMAb0=;
        b=lt0RkiTjNbbxlcPwTycEoxur3eW90WhnbOhzzSdPr3xkiOFDPNq4olmbj8iVGjp7to
         l9zXOR1NDy6nV7QGHbJmGYAAmVO/pgHfVXYXnYcwbMGus8C8IpdfHsg2MUcbBC0vsVWP
         fal+fu8mgSojf3JV8C6nEnaJ90D+HIOIAy1MBvDscg3CFKjxezB2ivzok2vbYXvLwtFR
         ev2CeGuXmcNk6RtQUdELEa3/Vgfe4lFooUR/x+ak8JZlJmCtOAwvQUl2ti5INMxp7fVq
         4Liebt1/v6ccRkNGokC1/ES8FplnwblgfU5D0E9+wth51UPeu/Ih63ecimPLtK5grUiT
         LRow==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=kijmrsYE;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v16si821559pfe.39.2019.06.17.08.09.17;
        Mon, 17 Jun 2019 08:09:34 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=kijmrsYE;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728423AbfFQPHn (ORCPT <rfc822;xc.haze2010@gmail.com>
        + 99 others); Mon, 17 Jun 2019 11:07:43 -0400
Received: from mail.kernel.org ([198.145.29.99]:43024 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727999AbfFQPHm (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 17 Jun 2019 11:07:42 -0400
Received: from mail-wr1-f43.google.com (mail-wr1-f43.google.com [209.85.221.43])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id D4C5421855
        for <linux-kernel@vger.kernel.org>; Mon, 17 Jun 2019 15:07:41 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1560784062;
        bh=Gxoxo21Lfkn/K7A7njUdmGutlMuh89H9AmOUNy6D3vQ=;
        h=References:In-Reply-To:From:Date:Subject:To:Cc:From;
        b=kijmrsYEnMsus0trgL5AcnNyXRdSURSsYmJ/F2iZvEm/37ek4Kg+AF9JdVMI9bh9W
         JCFvsRZC0mD8yQbWZY9v8HJWBAPk96z9+JoD4uRu7MAO4S0KFeAtbR+55mQnDUe/5Z
         nWYb6rdWQnZWVQMEPmADVTmw4jGsElcvfYdVki2M=
Received: by mail-wr1-f43.google.com with SMTP id p11so10369207wre.7
        for <linux-kernel@vger.kernel.org>; Mon, 17 Jun 2019 08:07:41 -0700 (PDT)
X-Gm-Message-State: APjAAAUSswx6hyQjPmiwFkRENdweNUiBHK1o4qjDg0DkzhbYtBjnBrgK
        Qam+eGtbEJKTHCBNe/74/Q4/A+KSsF8bXHtmdNd6Mw==
X-Received: by 2002:a5d:6a42:: with SMTP id t2mr12131692wrw.352.1560784060277;
 Mon, 17 Jun 2019 08:07:40 -0700 (PDT)
MIME-Version: 1.0
References: <20190508144422.13171-1-kirill.shutemov@linux.intel.com> <20190508144422.13171-46-kirill.shutemov@linux.intel.com>
In-Reply-To: <20190508144422.13171-46-kirill.shutemov@linux.intel.com>
From:   Andy Lutomirski <luto@kernel.org>
Date:   Mon, 17 Jun 2019 08:07:29 -0700
X-Gmail-Original-Message-ID: <CALCETrVCdp4LyCasvGkc0+S6fvS+dna=_ytLdDPuD2xeAr5c-w@mail.gmail.com>
Message-ID: <CALCETrVCdp4LyCasvGkc0+S6fvS+dna=_ytLdDPuD2xeAr5c-w@mail.gmail.com>
Subject: Re: [PATCH, RFC 45/62] mm: Add the encrypt_mprotect() system call for MKTME
To:     "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc:     Andrew Morton <akpm@linux-foundation.org>, X86 ML <x86@kernel.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>,
        "H. Peter Anvin" <hpa@zytor.com>, Borislav Petkov <bp@alien8.de>,
        Peter Zijlstra <peterz@infradead.org>,
        David Howells <dhowells@redhat.com>,
        Kees Cook <keescook@chromium.org>,
        Dave Hansen <dave.hansen@intel.com>,
        Kai Huang <kai.huang@linux.intel.com>,
        Jacob Pan <jacob.jun.pan@linux.intel.com>,
        Alison Schofield <alison.schofield@intel.com>,
        Linux-MM <linux-mm@kvack.org>, kvm list <kvm@vger.kernel.org>,
        keyrings@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 8, 2019 at 7:44 AM Kirill A. Shutemov
<kirill.shutemov@linux.intel.com> wrote:
>
> From: Alison Schofield <alison.schofield@intel.com>
>
> Implement memory encryption for MKTME (Multi-Key Total Memory
> Encryption) with a new system call that is an extension of the
> legacy mprotect() system call.
>
> In encrypt_mprotect the caller must pass a handle to a previously
> allocated and programmed MKTME encryption key. The key can be
> obtained through the kernel key service type "mktme". The caller
> must have KEY_NEED_VIEW permission on the key.
>
> MKTME places an additional restriction on the protected data:
> The length of the data must be page aligned. This is in addition
> to the existing mprotect restriction that the addr must be page
> aligned.

I still find it bizarre that this is conflated with mprotect().

I also remain entirely unconvinced that MKTME on anonymous memory is
useful in the long run.  There will inevitably be all kinds of fancy
new CPU features that make the underlying MKTME mechanisms much more
useful.  For example, some way to bind a key to a VM, or a way to
*sanely* encrypt persistent memory.  By making this thing a syscall
that does more than just MKTME, you're adding combinatorial complexity
(you forget pkey!) and you're tying other functionality (change of
protection) to this likely-to-be-deprecated interface.

This is part of why I much prefer the idea of making this style of
MKTME a driver or some other non-intrusive interface.  Then, once
everyone gets tired of it, the driver can just get turned off with no
side effects.

--Andy