Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp3981195ybi; Tue, 18 Jun 2019 09:37:06 -0700 (PDT) X-Google-Smtp-Source: APXvYqwxdrlU/WAJhQjcRzafhYDlPnnx4wlB3aBBaS/s0fktoVLuVDJlzjkF8br2ByjjqruIVB7Z X-Received: by 2002:a17:902:6947:: with SMTP id k7mr41438795plt.253.1560875826896; Tue, 18 Jun 2019 09:37:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560875826; cv=none; d=google.com; s=arc-20160816; b=AjcAPT4wcBXckwfF6Cgzp4GOYcACKWDLAcFZGvnQjSfpJblLikeemOPaJeMPBer4qj N5F2KcHRtksDpTrNy+e19fD48VNpRaQmB+8t4It3zUkQdbkNMZ8sAzzbNtB0laGLCV69 pmciTbW04tgn9umEND9U00bTeFwyRl+AfLbwYBCAdHa7OYWDntH5HRimRFEcATfscNGo l20pEm1zx6PvGmi0DgqH5xZM/Z5+1jTwwsorxLLf6juXcuNqVuXVMK4hZsHWBHd5Y4o3 EV1YB4elAd3Uj8gnL0ylVwcqmLOM6O4o376UQV21AmOFa/UDKjFfjZ+vns2bNYe60Eg4 +nfw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version:dkim-signature; bh=IL1nW/+YbqMLhSW1samVerTY8Tv4aXFIAsLDfQFzMZQ=; b=qIpK7fAaAzX93pMghueDPYl2qM+7DCnJSGRwP0RXiHm+Axh+w5GW/Zy8jKyeDPaqhs uWQdGqPeP1WaRSORvPB3cHkgoWtY251kriYRVO0ssz8FLjtSAeHSKo+wA/6UcnjNm3rA dUHvA9Bo2xkotupk533mEXiB9SuJukLPvByyNPIh1BwfHMzrkW4A8IxWDESuThEsM9zL yozIcP5PyK0+IpgprEhree7my/v1mY1R3v7va+7Rr39FT9PZ7fGAsZdgqamkqsGapEKE DCKgF4dZSkzsHH1fKXev7tWX9xG0yAqO7qm4PTEvFNWw3XpPZaUNTWsAUZWqxoErZyCP 9wMQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=u2mLIPKk; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x21si2768894pjt.37.2019.06.18.09.36.51; Tue, 18 Jun 2019 09:37:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=u2mLIPKk; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729414AbfFRQgl (ORCPT + 99 others); Tue, 18 Jun 2019 12:36:41 -0400 Received: from mail-pf1-f196.google.com ([209.85.210.196]:35285 "EHLO mail-pf1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729319AbfFRQgk (ORCPT ); Tue, 18 Jun 2019 12:36:40 -0400 Received: by mail-pf1-f196.google.com with SMTP id d126so7977513pfd.2 for ; Tue, 18 Jun 2019 09:36:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=IL1nW/+YbqMLhSW1samVerTY8Tv4aXFIAsLDfQFzMZQ=; b=u2mLIPKkGGTJlfOT8DyPvMbOrxkjRX35AmG/PHGn9N+8BTe14RT9Ij8iitPKyQLmFR wZSmx3Q4Z9agCYgcsZyxUI0L5UKzlAYSUUPFQBAyKt/WmYKvh2YXGAq6+/D85SQ39+d+ b/vhEUVskV/SrzyR9tNTIBItPUHr4JjZT6lXrKC21zp8O1TD4sSwYFBlPVp1egY2xfk0 5plXjFKxbsPmkNVUWhPTRXmWfqoQ8amD1yrULENsg1t2ngtBwwQjLekR8neR1u4UDu/L KWv71tTl1AC0zcA7z5Ig7Z5zxzE1/SP5ItTSUZ7V2PiHekbW+drpfBPQblCLwn+tIAjn ENZQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=IL1nW/+YbqMLhSW1samVerTY8Tv4aXFIAsLDfQFzMZQ=; b=DkHJ4DKpPoA1sFe7GyizR0JhCZnAng2JiBYvsYDR9iHllFvz+aSMGMjIh71dr5Zl8y 3Jrp7xEXmUKUNoJoy8qua+SQLCG8PwWBXXe/vXdVh4Go6xVdAT4yrL0PCAMXnM5wTX6h PVtROrlWD75ESJagUcPvwQb4uEHSHbFU7/azjPIvrJFTA+/aI9YCRwB91bJxnqwnK1LK J6K964JvalE24L6DBqENQzjkB/U4tGaLWylLkPeaHT8pxDGuhOlOcnbblZ9tZOU9jWVI 7GI5LkzjqpXP7AW1kNdP0DVEl6AJ20WwOnk3YmshR6PrwBotM+lgZtFSf9g2oqvhCSQJ eOBA== X-Gm-Message-State: APjAAAXJXES+z5oLcUjbW/J4CHoxLNe5q6JmQcBN7sjuhVysKPM8OxW6 VX1YgR2AF6eeTfAVKKftbG3SsQ== X-Received: by 2002:a63:e652:: with SMTP id p18mr3451756pgj.188.1560875800003; Tue, 18 Jun 2019 09:36:40 -0700 (PDT) Received: from ?IPv6:2601:646:c200:1ef2:14b5:e5b0:c670:df13? ([2601:646:c200:1ef2:14b5:e5b0:c670:df13]) by smtp.gmail.com with ESMTPSA id k4sm6458646pfk.42.2019.06.18.09.36.39 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 18 Jun 2019 09:36:39 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (1.0) Subject: Re: [PATCH, RFC 45/62] mm: Add the encrypt_mprotect() system call for MKTME From: Andy Lutomirski X-Mailer: iPhone Mail (16F203) In-Reply-To: Date: Tue, 18 Jun 2019 09:36:38 -0700 Cc: "Kirill A. Shutemov" , Peter Zijlstra , Kai Huang , Andy Lutomirski , "Kirill A. Shutemov" , Andrew Morton , X86 ML , Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , Borislav Petkov , David Howells , Kees Cook , Jacob Pan , Alison Schofield , Linux-MM , kvm list , keyrings@vger.kernel.org, LKML , Tom Lendacky Content-Transfer-Encoding: quoted-printable Message-Id: <8FDB1E33-21BC-400D-9051-7BE61400ACD2@amacapital.net> References: <5cbfa2da-ba2e-ed91-d0e8-add67753fc12@intel.com> <1560816342.5187.63.camel@linux.intel.com> <1560821746.5187.82.camel@linux.intel.com> <1560824611.5187.100.camel@linux.intel.com> <20190618091246.GM3436@hirez.programming.kicks-ass.net> <2ec26c05-7c57-d0e0-a628-94d581b96b63@intel.com> <20190618161502.jiuqhvs3wvnac5ow@box.shutemov.name> To: Dave Hansen Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Jun 18, 2019, at 9:22 AM, Dave Hansen wrote: >=20 > On 6/18/19 9:15 AM, Kirill A. Shutemov wrote: >>> We'd need two rules: >>> 1. A page must not be faulted into a VMA if the page's page_keyid() >>> is not consistent with the VMA's >>> 2. Upon changing the VMA's KeyID, all underlying PTEs must either be >>> checked or zapped. >>>=20 >>> If the rules are broken, we SIGBUS. Andy's suggestion has the same >>> basic requirements. But, with his scheme, the error can be to the >>> ioctl() instead of in the form of a SIGBUS. I guess that makes the >>> fuzzers' lives a bit easier. >> I see a problem with the scheme: if we don't have a way to decide if the >> key is right for the file, user without access to the right key is able t= o >> prevent legitimate user from accessing the file. Attacker just need read >> access to the encrypted file to prevent any legitimate use to access it. >=20 > I think you're bringing up a separate issue. >=20 > We were talking about how you resolve a conflict when someone attempts > to use two *different* keyids to decrypt the data in the API and what > the resulting API interaction looks like. >=20 > You're describing the situation where one of those is the wrong *key* > (not keyid). That's a subtly different scenario and requires different > handling (or no handling IMNHO). I think we=E2=80=99re quibbling over details before we look at the big quest= ions: Should MKTME+DAX encrypt the entire volume or should it encrypt individual f= iles? Or both? If it encrypts individual files, should the fs be involved at all? Should t= here be metadata that can check whether a given key is the correct key? If it encrypts individual files, is it even conceptually possible to avoid c= orruption if the fs is not involved? After all, many filesystems think that= they can move data blocks, compute checksums, journal data, etc. I think Dave is right that there should at least be a somewhat credible prop= osal for how this could fit together.