From: Andy Lutomirski
Date: Mon, 17 Jun 2019 18:43:40 -0700
Subject: Re: [PATCH, RFC 45/62] mm: Add the encrypt_mprotect() system call for MKTME
To: Kai Huang
Cc: Andy Lutomirski, Dave Hansen, "Kirill A. Shutemov", Andrew Morton,
    X86 ML, Thomas Gleixner, Ingo Molnar, "H. Peter Anvin", Borislav Petkov,
    Peter Zijlstra, David Howells, Kees Cook, Jacob Pan, Alison Schofield,
    Linux-MM, kvm list, keyrings@vger.kernel.org, LKML, Tom Lendacky
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jun 17, 2019 at 6:35 PM Kai Huang wrote:
>
> > > > I'm having a hard time imagining that ever working -- wouldn't it blow
> > > > up if someone did:
> > > >
> > > > fd = open("/dev/anything987");
> > > > ptr1 = mmap(fd);
> > > > ptr2 = mmap(fd);
> > > > sys_encrypt(ptr1);
> > > >
> > > > So I think it really has to be:
> > > > fd = open("/dev/anything987");
> > > > ioctl(fd, ENCRYPT_ME);
> > > > mmap(fd);
> > >
> > > This requires "/dev/anything987" to support ENCRYPT_ME ioctl, right?
> > >
> > > So to support NVDIMM (DAX), we need to add ENCRYPT_ME ioctl to DAX?
> >
> > Yes and yes, or we do it with layers -- see below.
> >
> > I don't see how we can credibly avoid this. If we try to do MKTME
> > behind the DAX driver's back, aren't we going to end up with cache
> > coherence problems?
>
> I am not sure whether I understand correctly but how is cache coherence
> problem related to putting MKTME concept to different layers? To make MKTME
> work with DAX/NVDIMM, I think no matter which layer MKTME concept resides,
> eventually we need to put keyID into PTE which maps to NVDIMM, and kernel
> needs to manage cache coherence for NVDIMM just like for normal memory
> shown in this series?
>

What I mean is that, to avoid cache coherence problems, something has to
prevent user code from mapping the same page with two different key
ids. If the entire MKTME mechanism purely layers on top of DAX,
something needs to prevent the underlying DAX device from being mapped
at the same time as the MKTME-decrypted view. This is obviously
doable, but it's not automatic.
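
The invariant stated in the reply above, as an added user-space C model that is not part of the original message and is not kernel or MKTME code; every struct and function name in it is hypothetical. It contrasts re-keying one mapping after the fact (the quoted sys_encrypt(ptr1) sequence) with binding the key to the backing object before any mmap (the quoted ioctl(fd, ENCRYPT_ME) sequence).

```c
/* User-space model only; all names are hypothetical, not kernel APIs. */
#include <errno.h>
#include <stddef.h>

#define MAX_MAPS 8

struct backing {                 /* stands in for the object behind an fd */
    int keyid;                   /* 0 = no key bound (plaintext) */
    int nmaps;                   /* number of live mappings */
    int map_keyid[MAX_MAPS];     /* keyID each mapping's PTEs would carry */
};

/* ioctl(fd, ENCRYPT_ME)-style binding: only legal before any mapping. */
int backing_set_key(struct backing *b, int keyid)
{
    if (b->nmaps > 0)
        return -EBUSY;           /* live mappings would alias under a new keyID */
    b->keyid = keyid;
    return 0;
}

/* Every new mapping inherits the object's keyID; returns mapping index. */
int backing_mmap(struct backing *b)
{
    if (b->nmaps == MAX_MAPS)
        return -ENOMEM;
    b->map_keyid[b->nmaps] = b->keyid;
    return b->nmaps++;
}

/* sys_encrypt(ptr)-style call: re-keys one mapping, ignoring the others. */
int mapping_encrypt(struct backing *b, int idx, int keyid)
{
    if (idx < 0 || idx >= b->nmaps)
        return -EINVAL;
    b->map_keyid[idx] = keyid;
    return 0;
}

/* Invariant from the reply: no page mapped under two different keyIDs. */
int backing_is_coherent(const struct backing *b)
{
    for (int i = 1; i < b->nmaps; i++)
        if (b->map_keyid[i] != b->map_keyid[0])
            return 0;
    return 1;
}
```
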