Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp4810338ybg;
        Tue, 29 Oct 2019 12:44:23 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzhv1/Q+63CkDMPhAQvJAnUFR11iZhVV9O1jfNyb54tIuHlipjaydigWYvt5Gk8EW9Txvwe
X-Received: by 2002:a17:906:4488:: with SMTP id y8mr5041675ejo.322.1572378263767;
        Tue, 29 Oct 2019 12:44:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1572378263; cv=none;
        d=google.com; s=arc-20160816;
        b=waR7TB0kX6Np9J3TczCuayqgh7L8uhkcx2/CNSgPENtX0kodDtoEC8vzOcielT7/5Y
         4X7HKlMJOg2PHiSejk7zzOtiePyEDJROX6DHUWbFBShdlTyp7B/GXtY7ODWmF/1x8lDL
         QsRJ6Geqvs2tYUfzjie1zFBEryb5pn5L4bFpB7LHZgNxFMaUeqA1tGgmYKLtcvyeA5s1
         SZcd4rkE44wtoh09+z3PCx9smkZJBe3SdvKSfuV/SvKY9UvOWZcJfpxapGMHPubznfS8
         GXXjGYG55UPsJDuUXyTU9hhnBwIpAGFQqResK/hnDhylhAOyd13uTjO+Rw91bKVF4kgp
         xrXQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=11HABgG4cgofeXKrR7yB4qVxOwjvZW+qOCi2NPimHbk=;
        b=Q3Pex1kcFLlGMAKZLKowFWtZ2MQrTeIEOhnaYnBgco4VtUIeRjczFgy4/67ZJGsDJm
         aEeA/hMUi999kQ1OZ2HyO3YhkkBmr07+f1mhnYcb/mQd97fb6ouytWi0MY+LvO8JDq0s
         zSXNoyc6kEqw07xB+vkyNSI0LqAMuXAaoEI3BKF08bKDosxtijRCIQQpPQPglthishdN
         CloOMjQzxPdes95eBFr1SssVuArsKhR2N54cZwOcqdBeTF7X8Wri/L5lx3E6RA5wsoWG
         VCsbnU/dgcB3gqO4bMR5+DkVKZSa6HOn8+5WYoQBg5pRMsXOkCTYonmzSLGpnmwhL8XX
         zcPA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=eSOY5l0E;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i9si4794281ejz.368.2019.10.29.12.43.59;
        Tue, 29 Oct 2019 12:44:23 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=eSOY5l0E;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2389915AbfJ2PNs (ORCPT <rfc822;ablacktshirt@gmail.com>
        + 99 others); Tue, 29 Oct 2019 11:13:48 -0400
Received: from mail-io1-f65.google.com ([209.85.166.65]:36597 "EHLO
        mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2389904AbfJ2PNr (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 29 Oct 2019 11:13:47 -0400
Received: by mail-io1-f65.google.com with SMTP id c16so15190314ioc.3
        for <linux-kernel@vger.kernel.org>; Tue, 29 Oct 2019 08:13:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=tycho-ws.20150623.gappssmtp.com; s=20150623;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=11HABgG4cgofeXKrR7yB4qVxOwjvZW+qOCi2NPimHbk=;
        b=eSOY5l0EBsO+rrEeDHKewSn+1rtEbKi8WrMI2sePTVXC/Ok+C0a/fr77IQmSqDLll/
         CYzbuzmDm2+OHZbCu51GGzTwtcJlmdGqZBoB3k2WEu3E7ZfLHWuUtCNJffCM3vd4kytD
         h75APcWTq5GfIYQdcBd+ORv7euX6JU53veJR73OudYgqb1zpmyY7HT+CEEa8lHvky3JK
         fJexNvnmunr/Z6HMFnmRDDOSv28P2Z2y2MpCADz3aefkrY8AfuK+Xs1BHEI32rrYY59w
         h8W0yxvIVrBz8iW81xL7o3SRufT6ZPfs4ucen2GYWR3JpJayBC5s5tF1Gtm9L0tqOZTk
         Q9kA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=11HABgG4cgofeXKrR7yB4qVxOwjvZW+qOCi2NPimHbk=;
        b=ooFENRTEJbkCJQ3x/ODcW1ImHp7BS0v8EJcAoAvIdnGTdZrkaVQmMjIkvRqsK/4Yl7
         va7bOlG2AaJ+CTyzetk0rn5q6yNkon2vJq8SSDIXiGNZXGDjm1yf19SL5ZbeYjCMqTXw
         yvYfPa0PTvijnefRaPU+3dCbm/t2t8n+wvYdrzJV3x4+4qinDyg9UIWRVdgnrGzgJFTy
         FFZr5yddyUqg02voMnIocFuc0/Tnv9ByTUgPyEutB+OYW12WMW7vIrlMMK/EGeHULLzb
         l/fePdcYl5fnLduyw/9TqMxe0HGc2Pi00eOxFEhQofWSw8c/yxOZDX0WhBA4Mgbe1r85
         8htw==
X-Gm-Message-State: APjAAAV21UTcCXZDNMr1TpddxO/RadCTRGcClO6EHT8TYhb64nHkm3U6
        RRHx7ZURMH+gI4hN+AugdXYpyA==
X-Received: by 2002:a5d:81c3:: with SMTP id t3mr4392281iol.300.1572362026220;
        Tue, 29 Oct 2019 08:13:46 -0700 (PDT)
Received: from cisco ([2601:282:902:b340:7405:279a:1dff:4689])
        by smtp.gmail.com with ESMTPSA id t16sm1473529iol.12.2019.10.29.08.13.44
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 29 Oct 2019 08:13:45 -0700 (PDT)
Date:   Tue, 29 Oct 2019 09:13:43 -0600
From:   Tycho Andersen <tycho@tycho.ws>
To:     "Reshetova, Elena" <elena.reshetova@intel.com>
Cc:     Mike Rapoport <rppt@kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Alexey Dobriyan <adobriyan@gmail.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Andy Lutomirski <luto@kernel.org>,
        Arnd Bergmann <arnd@arndb.de>, Borislav Petkov <bp@alien8.de>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        James Bottomley <jejb@linux.ibm.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Steven Rostedt <rostedt@goodmis.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>,
        "H. Peter Anvin" <hpa@zytor.com>,
        "linux-api@vger.kernel.org" <linux-api@vger.kernel.org>,
        "linux-mm@kvack.org" <linux-mm@kvack.org>,
        "x86@kernel.org" <x86@kernel.org>,
        Mike Rapoport <rppt@linux.ibm.com>,
        Alan Cox <alan@linux.intel.com>
Subject: Re: [PATCH RFC] mm: add MAP_EXCLUSIVE to create exclusive user
 mappings
Message-ID: <20191029151343.GE32132@cisco>
References: <1572171452-7958-1-git-send-email-rppt@kernel.org>
 <2236FBA76BA1254E88B949DDB74E612BA4EEC0CE@IRSMSX102.ger.corp.intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2236FBA76BA1254E88B949DDB74E612BA4EEC0CE@IRSMSX102.ger.corp.intel.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Elena, Mike,

On Tue, Oct 29, 2019 at 11:25:12AM +0000, Reshetova, Elena wrote:
> > The patch below aims to allow applications to create mappins that have
> > pages visible only to the owning process. Such mappings could be used to
> > store secrets so that these secrets are not visible neither to other
> > processes nor to the kernel.
> 
> Hi Mike, 
> 
> I have actually been looking into the closely related problem for the past 
> couple of weeks (on and off). What is common here is the need for userspace
> to indicate to kernel that some pages contain secrets. And then there are
> actually a number of things that kernel can do to try to protect these secrets
> better. Unmap from direct map is one of them. Another thing is to map such
> pages as non-cached, which can help us to prevent or considerably restrict
> speculation on such pages. The initial proof of concept for marking pages as
> "UNCACHED" that I got from Dave Hansen was actually based on mlock2() 
> and a new flag for it for this purpose. Since then I have been thinking on what
> interface suits the use case better and actually selected going with new madvise() 
> flag instead because of all possible implications for fragmentation and performance. 
> My logic was that we better allocate the secret data explicitly (using mmap()) 
> to make sure that no other process data accidentally gets to suffer.
> Imagine I would allocate a buffer to hold a secret key, signal with mlock
>  to protect it and suddenly my other high throughput non-secret buffer 
> (which happened to live on the same page by chance) became very slow
>  and I don't even have an easy way (apart from mmap()ing it!) to guarantee
>  that it won't be affected.
> 
> So, I ended up towards smth like:
> 
>   secret_buffer =  mmap(NULL, PAGE_SIZE, ...)
>    madvise(secret_buffer, size, MADV_SECRET)
> 
> I have work in progress code here:
>  https://github.com/ereshetova/linux/commits/madvise
> 
> I haven't sent it for review, because it is not ready yet and I am now working
> on trying to add the page wiping functionality. Otherwise it would be useless
> to protect the page during the time it is used in userspace, but then allow it
> to get reused by a different process later after it has been released back and
> userspace was stupid enough not to wipe the contents (or was crashed on 
> purpose before it was able to wipe anything out). 

I was looking at this and thinking that wiping during do_exit() might
be a nice place, but I haven't tried anything yet.

> We have also had some discussions with Tycho that XPFO can be also
> applied selectively for such "SECRET" marked pages and I know that he has also
> did some initial prototyping on this, so I think it would be great to decide
> on userspace interface first and then see how we can assemble together all
> these features. 

Yep! Here's my tree with the direct un-mapping bits ported from XPFO:
https://github.com/tych0/linux/commits/madvise

As noted in one of the commit messages I think the bit math for page
prot flags needs a bit of work, but the test passes, so :)

In any case, I'll try to look at Mike's patches later today.

Cheers,

Tycho