Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp3467467ybv; Mon, 10 Feb 2020 00:07:38 -0800 (PST) X-Google-Smtp-Source: APXvYqy+DYP6NmFyldyWcZlb9e2yyCzN9ApDIXEXBbZnFScS2tyTghS7pEyEvbqlG+lSa+rVkne4 X-Received: by 2002:a05:6808:9b4:: with SMTP id e20mr106324oig.37.1581322057991; Mon, 10 Feb 2020 00:07:37 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1581322057; cv=pass; d=google.com; s=arc-20160816; b=NMZcM9rJMPaBPcCaxU7IxQZN8VVRbEvuwOgxllEgofPi8g7iKP/kf20Joq95pfhC77 xhypNVzMO0g9eefCenfqj9QAW5MJT0vtz8mAWFUpffB641dfKNasATfxOes0TFNGVJR+ jX1/uVWTFNEBao2MkrNF5l/R+iTXDDv+VltTi3SHixzPASG6elMDbAfgf3aBAMclMO14 BTsaDqfLtH9F/6qY0Zmc4fVR69TSq9gXa1dKwqyjPQPR0PUmJrlOisszd3tEU/GxM83V h43S89nL8DxxURfTRDppJRzOi5jE55Hw7Io7xKn7QOW2Fyaf1ue6HDZMR2h0E5jTH59e 5Aiw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :dlp-reaction:dlp-product:dlp-version:content-language :accept-language:in-reply-to:references:message-id:date:thread-index :thread-topic:subject:cc:to:from:dkim-signature; bh=fnUyLd5ZpEf9JULjrjDReyskdwB47v/MMUHP3QXh/iE=; b=QYo3IsE+wjswg5UQBoF8jCUCmgvBqTT1dgzfC3DdAB7Z8Zt40L0JOSbXm78srJ51Kp MZr6zt3Py8JKcjkLFbVbNaUTS19tIcN8PRUlYitRnRundhD/5jHW5/kLz8BI9TrOICyS 7PSWupPGxVOlGUyAMtsZ4pLA9VMcvTkkV6joZ6ay9ZVdwofKEdgaLQZ5jfCvFQH05IAp ib17BsGWxbwVeDPSSRQxxDwrgEI2EnYb1jJqeePaaEp/0mX8rbgocfvUZYkusEdSdMvi fGFILCHJWKKJP8mbSNnW+45wAOS13pGeuggRamtIJZD5KofuAAnqF8rijkI2r4G6YYzK KVzQ== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=qfr2sqkQ; arc=pass (i=1 spf=pass spfdomain=intel.com dkim=pass dkdomain=intel.com dmarc=pass fromdomain=intel.com); spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m67si7633908oib.117.2020.02.10.00.07.25; Mon, 10 Feb 2020 00:07:37 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.onmicrosoft.com header.s=selector2-intel-onmicrosoft-com header.b=qfr2sqkQ; arc=pass (i=1 spf=pass spfdomain=intel.com dkim=pass dkdomain=intel.com dmarc=pass fromdomain=intel.com); spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727420AbgBJIGy (ORCPT + 99 others); Mon, 10 Feb 2020 03:06:54 -0500 Received: from mga01.intel.com ([192.55.52.88]:55918 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725468AbgBJIGy (ORCPT ); Mon, 10 Feb 2020 03:06:54 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 10 Feb 2020 00:06:53 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.70,424,1574150400"; d="scan'208";a="227112515" Received: from orsmsx107.amr.corp.intel.com ([10.22.240.5]) by fmsmga008.fm.intel.com with ESMTP; 10 Feb 2020 00:06:53 -0800 Received: from orsmsx609.amr.corp.intel.com (10.22.229.22) by ORSMSX107.amr.corp.intel.com (10.22.240.5) with Microsoft SMTP Server (TLS) id 14.3.439.0; Mon, 10 Feb 2020 00:06:52 -0800 Received: from orsmsx609.amr.corp.intel.com (10.22.229.22) by ORSMSX609.amr.corp.intel.com (10.22.229.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Mon, 10 Feb 2020 00:06:52 -0800 Received: from ORSEDG001.ED.cps.intel.com (10.7.248.4) by orsmsx609.amr.corp.intel.com (10.22.229.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.1713.5 via Frontend Transport; Mon, 10 Feb 2020 00:06:52 -0800 Received: from NAM12-BN8-obe.outbound.protection.outlook.com (104.47.55.175) by edgegateway.intel.com (134.134.137.100) with Microsoft SMTP Server (TLS) id 14.3.439.0; Mon, 10 Feb 2020 00:06:51 -0800 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FeNfcfcfji2ysPWBqeHU/clJ+t9PNwQoEMx3afkPdZDWpDQOh58wx5t2OIpdXdrvm/REmd5NXLPAm5HGUPp2X3hLl5RTZAhStak+ZfWgs7bhaqb4AhZL6x32o134iEjtJLtvyeE6IalYT+TTpxcrqHCsSVZQb4L4EMmtAghnO+BJ5gwNHsKZeFtO9gN2neW8TtYUonkXlwo6CZ6uMMsAnEDDwpOE8i4Fb+O04JOI7igRmtR+CMhruaJlE3/J5ImV7YfXBTX9PNDfn02eeuy3hICHxP4bRLNn4tRuBemjIQXWyCuvKKfjwr7ZQY22/74+ef/gd/XS1Sjj/S1f8av+rQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fnUyLd5ZpEf9JULjrjDReyskdwB47v/MMUHP3QXh/iE=; b=AcCAq6TtXD+L1h5+9T/vsmRT8SZpRNYjKKgxYEGCAF0k5nDy0H+tFxPpfiDQ0pMVy3t4RvCuw9xg3ar6QogutqGDa/wfMXYNcE2Jy2tb/RrZ+RKDF6QL50vlWToxg8e0u/k0Q0jCJkYoP1pkKsvdRJAj7NvQnkriIQ0cnf2ms0cJ406ODYsJBd0jOLTdyB3QHQK3VzoL0DGS7fwQEXs1hOb0bzOqQK3XARd1e6sOTuBuUPiHyoCR02PbCjQB9rbYLbHZr13FjH7xBiI7jlThuV85xr1nHnZfqMiFdb2vgjeKWvoUbJ4qVs8qDYQuTGBuZINpj5h9BcCP0Q0o7zohJw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fnUyLd5ZpEf9JULjrjDReyskdwB47v/MMUHP3QXh/iE=; b=qfr2sqkQjxDYdF/8ygJVE9iOcJ9NRc/3ERO172fXIdLVUAkJ5Tmypx2pUlKtKQ6FRQaDMDMxcAJW5MjxbyPHDV7C13BQb+ZbBFhnXV9CEl4YOmzZOu4dWb0ErcNfy0ttR0sJGPWmVg15m1cLK6VwXrCugNenl9MPP1AyL4/LTOc= Received: from BL0PR11MB3281.namprd11.prod.outlook.com (10.167.234.225) by BL0PR11MB3300.namprd11.prod.outlook.com (10.167.182.219) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2707.24; Mon, 10 Feb 2020 08:06:49 +0000 Received: from BL0PR11MB3281.namprd11.prod.outlook.com ([fe80::6922:6eaf:ef86:a691]) by BL0PR11MB3281.namprd11.prod.outlook.com ([fe80::6922:6eaf:ef86:a691%7]) with mapi id 15.20.2707.030; Mon, 10 Feb 2020 08:06:49 +0000 From: "Reshetova, Elena" To: Mike Rapoport , "Hansen, Dave" CC: "linux-kernel@vger.kernel.org" , Alan Cox , Andrew Morton , "Andy Lutomirski" , Christopher Lameter , "Dave Hansen" , James Bottomley , "Kirill A. Shutemov" , Matthew Wilcox , Peter Zijlstra , Thomas Gleixner , Tycho Andersen , "linux-api@vger.kernel.org" , "linux-mm@kvack.org" Subject: RE: [RFC PATCH] mm: extend memfd with ability to create "secret" memory areas Thread-Topic: [RFC PATCH] mm: extend memfd with ability to create "secret" memory areas Thread-Index: AQHV14m+Mmd68cx3eUajc6Oqc5ecjqgOjbuAgAMQlgCAAoLcYA== Date: Mon, 10 Feb 2020 08:06:49 +0000 Message-ID: References: <20200130162340.GA14232@rapoport-lnx> <20200208173922.GA15879@hump> In-Reply-To: <20200208173922.GA15879@hump> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: dlp-version: 11.2.0.6 dlp-product: dlpe-windows dlp-reaction: no-action authentication-results: spf=none (sender IP is ) smtp.mailfrom=elena.reshetova@intel.com; x-originating-ip: [192.198.151.191] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: a3457665-bbf5-4e02-57df-08d7ae002e41 x-ms-traffictypediagnostic: BL0PR11MB3300: x-ld-processed: 46c98d88-e344-4ed4-8496-4ed7712e255d,ExtAddr x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:9508; x-forefront-prvs: 03094A4065 x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(346002)(376002)(39860400002)(396003)(366004)(136003)(189003)(199004)(5660300002)(4326008)(71200400001)(76116006)(52536014)(9686003)(86362001)(66476007)(64756008)(66446008)(66946007)(6506007)(7416002)(26005)(53546011)(33656002)(66556008)(6636002)(186003)(54906003)(110136005)(7696005)(2906002)(55016002)(478600001)(316002)(81166006)(81156014)(8936002)(8676002)(966005)(219293001);DIR:OUT;SFP:1102;SCL:1;SRVR:BL0PR11MB3300;H:BL0PR11MB3281.namprd11.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1; x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: AYOm80V+xsR/gJL3pBxbfzRPsN69r0bAsm+Khnu+pKyl40liE4fWzr7OvQ6m+4b9cbNOaM3gC81KvortTAHqq1VE2Bhzgtf4Bo0FOefidgCSNWZViz3DRtsg+fOcz2DQxPRZJar0dE7vu87nI2ZqTxq6tpG8YKO/UjT0ofxVVTdWYoEWHv5Vu6oTitgsUfcpAO8yNndnmL84ohaIJwieJmT+BHvIND6HcGO38IAewYKYhNC1jtN9YrxJcGP32K/RFDE70isURBHlupyoGpBZRGj61uOEaI19Rr8QJxCV045uBzgd7Em5irImPZCA5XeGHO7GSr7i/LPEeFXdHJsOS17ykbUuc+vgNt1iTA0qUcZczxOEYp3sm5Tda+RCXq8b3HpOcFLiczXI5il+mH7zXUay43akOKDfY32DRPMJGqWnidGdNRexRVi0F2p+AajmOSwF5+i6qV3i8+YDWkvgmJsUDAXNyZtgN5nGSGCYVJB+yEWcvqsvtG+51vQrrs5Qk+tKLw7IpV+kUTWKSyiPXKJoIEu/esnIMpWmx80ak0eZb/7y84SSwf0pxEBWTc33 x-ms-exchange-antispam-messagedata: WiSnMA+TB9aKpWj9Y1OPKMl7icmF5P0boLLCaQIuxrhgGGoAb7xTuIX07Vx5++UyyehoSUEPyzRmN6vLkq0lhgHtBaY2qI985+kfhuan3n2GQLNp4ocRB2FxMgz5ay4nraVEl0R3d5l0z0T9WkGjrw== Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-MS-Exchange-CrossTenant-Network-Message-Id: a3457665-bbf5-4e02-57df-08d7ae002e41 X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Feb 2020 08:06:49.4232 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: x/J3zDVxQn9KBYz6VlZAvHSBRh48BOZukAUlqHPY1+4SKInZ2Vt27r8aeIsW2YX8IGhTxnwpk3bwqCR2Wsy5asZkcLzH9z5m7yuRyXrU/tQ= X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR11MB3300 X-OriginatorOrg: intel.com Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Thu, Feb 06, 2020 at 10:51:13AM -0800, Dave Hansen wrote: > > On 1/30/20 8:23 AM, Mike Rapoport wrote: > > > include/linux/memfd.h | 9 ++ > > > include/uapi/linux/magic.h | 1 + > > > include/uapi/linux/memfd.h | 6 + > > > mm/Kconfig | 4 + > > > mm/Makefile | 1 + > > > mm/memfd.c | 10 +- > > > mm/secretmem.c | 244 +++++++++++++++++++++++++++++++++++= ++ > > > 7 files changed, 273 insertions(+), 2 deletions(-) > > > > It seems pretty self-contained and relatively harmless. > > > > But, how much work is it going to be to tell the rest of the kernel tha= t > > page_to_virt() doesn't work any more? >=20 > Why page_to_virt() won't work anymore? Or you refer to that the kernel co= de > won't be able to access the page contents? >=20 > > Do we need to make kmap() work on these? >=20 > I don't think we need to make kmap() work on these. The idea is to preven= t > kernel from accessing such memory areas. >=20 > > I guess fixing vm_normal_page() would fix a lot of that. > > > > In general, my concern about creating little self-contained memory type= s > > is that they will get popular and folks will start wanting more feature= s > > from them. For instance, what if I want NUMA affinity, migration, or > > large page mappings that are secret? >=20 > Sure, why not :) > Well, this is true for any feature: it may become popular, people will > start using it and it will add more complexity. >=20 > My goal is to design this thing keeping in mind that all the above (and > probably more) will be requested sooner or later. >=20 > > Can these pages work as guest memory? >=20 > Actually, this is one of the driving usecases. I believe that people that > use mem=3DX to limit kernel control of the memory and the manage the > remaining memory for the guests can switch to fd-based approach. >=20 > > Who would the first users of this thing be? >=20 > We were thinking about using such areas to store small secrets, e.g. with > openssl_malloc(). >=20 To elaborate more on this - openssl has "secure heap" feature [1], which=20 is basically a mmap area with MLOCK_ONFAULT and MADV_DONTDUMP. It is optional feature and can be used for storing things like RSA private = keys in a bit more secure memory area (vs. just normal allocation). It is fully= =20 transparent for userspace applications (hidden behind openssl API), but=20 provides additional security when enabled. So, it seems like a natural cand= idate for smth like securememory, which in addition to MLOCK_ONFAULT and=20 MADV_DONTDUMP can provide further security guarantees like exclusive=20 memory and no-caching.=20 [1] https://www.openssl.org/docs/manmaster/man3/OPENSSL_secure_malloc.html Best Regards, Elena.