Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp1234400pxb; Wed, 4 Nov 2020 03:41:40 -0800 (PST) X-Google-Smtp-Source: ABdhPJwNCHoW7kSoIm16pcIIDKyQmOe57d8arfqRz+QtNnGNyf4jpMKAA2//xnvzBKvgVicxxvU3 X-Received: by 2002:a17:906:f148:: with SMTP id gw8mr24214249ejb.192.1604490100450; Wed, 04 Nov 2020 03:41:40 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604490100; cv=none; d=google.com; s=arc-20160816; b=SyDIqjT3dIM5sKirC+2T0lbiHQzGZ55LdKJUGg/w6nv1vC97ZF4SHrv+GzSacpCFhR QpjhcaOTYwTigb1VMMhIPQd8FajXyoGV4lO59+OGLZBum5+Rikdf/7azAHVMYaXswa13 UaHfQxfaVcR9Emzbv8lhUGADdM2gTWWzLKqs2wuIeZGFa42dHtSQIb+HBDfOjXbhQ1/5 OHhfvz8dHkObgdLf1H7HB18mQ3zzR6BND4iutcCUGdOtDhZe7c4iKddx9mvIEjlaKw2/ FdfMhmYoKFg3Bxd5LgsJdZB+hlTZ7VVe01ptVFO5QJngjyep4znyQvf/Mlq3kiUrVPAp +Pzw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:importance:content-transfer-encoding :mime-version:subject:references:in-reply-to:message-id:cc:to:from :date; bh=fk5zZ4R2IVIOLtX0cAhnd9BCstExlAfq+kcvPWLMbKM=; b=sEYa1r27aN8jV3MG8RYpTVlP/sFPJa1BWXuuNDF1ESBFOUytGuJlSGZXDe8SyRh8oq ybwxzZeVwp0X0fwVnwRI58TKfXsu+sfzffigexjDKP9PDwzP8iWlPZBlaxi24e08D1Vz /RCJGQ4q32TUPQd2x18SY0CRHjm1glpu2XULTIvZ2bhZ6CriqjYoLJWaLChzoLyIAcwR GGg4g5lx+FWbLBRqNUtQglrAZkX4w9VvG7izySMdiWeM0cci00lO4+cc0B3Emto3eSS+ uyaEwZW8ZxrioxvYK5954OzficOBejxh+E4RJk4E5Hwx3ECq0jmv4zTNWKNB8QpYY4sp tXKA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o16si1252045eju.68.2020.11.04.03.41.18; Wed, 04 Nov 2020 03:41:40 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729589AbgKDLj1 (ORCPT + 99 others); Wed, 4 Nov 2020 06:39:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46542 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729263AbgKDLj0 (ORCPT ); Wed, 4 Nov 2020 06:39:26 -0500 Received: from mout-p-202.mailbox.org (mout-p-202.mailbox.org [IPv6:2001:67c:2050::465:202]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 52422C0613D3; Wed, 4 Nov 2020 03:39:26 -0800 (PST) Received: from smtp1.mailbox.org (smtp1.mailbox.org [80.241.60.240]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4CR4SB2rQLzQlRc; Wed, 4 Nov 2020 12:39:22 +0100 (CET) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp1.mailbox.org ([80.241.60.240]) by spamfilter04.heinlein-hosting.de (spamfilter04.heinlein-hosting.de [80.241.56.122]) (amavisd-new, port 10030) with ESMTP id F5663DCtL8CE; Wed, 4 Nov 2020 12:39:18 +0100 (CET) Date: Wed, 4 Nov 2020 12:39:13 +0100 (CET) From: Hagen Paul Pfeifer To: Mike Rapoport Cc: Andrew Morton , Alexander Viro , Andy Lutomirski , Arnd Bergmann , Borislav Petkov , Catalin Marinas , Christopher Lameter , Dan Williams , Dave Hansen , David Hildenbrand , Elena Reshetova , "H. Peter Anvin" , Idan Yaniv , Ingo Molnar , James Bottomley , "Kirill A. Shutemov" , Matthew Wilcox , Mark Rutland , Mike Rapoport , Michael Kerrisk , Palmer Dabbelt , Paul Walmsley , Peter Zijlstra , Thomas Gleixner , Shuah Khan , Tycho Andersen , Will Deacon , linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-nvdimm@lists.01.org, linux-riscv@lists.infradead.org, x86@kernel.org Message-ID: <1988407921.138656.1604489953944@office.mailbox.org> In-Reply-To: <20201103163002.GK4879@kernel.org> References: <20200924132904.1391-1-rppt@kernel.org> <20201101110935.GA4105325@laniakea> <20201102154028.GD4879@kernel.org> <1547601988.128687.1604411534845@office.mailbox.org> <20201103163002.GK4879@kernel.org> Subject: Re: [PATCH v6 0/6] mm: introduce memfd_secret system call to create "secret" memory areas MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Priority: 3 Importance: Normal X-MBO-SPAM-Probability: ** X-Rspamd-Score: 1.58 / 15.00 / 15.00 X-Rspamd-Queue-Id: B8AE3182D X-Rspamd-UID: 15b699 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On 11/03/2020 5:30 PM Mike Rapoport wrote: > > > > As long as the task share the file descriptor, they can share the > > > secretmem pages, pretty much like normal memfd. > > > > Including process_vm_readv() and process_vm_writev()? Let's take a hypothetical > > "dbus-daemon-secure" service that receives data from process A and wants to > > copy/distribute it to data areas of N other processes. Much like dbus but without > > SOCK_DGRAM rather direct copy into secretmem/mmap pages (ring-buffer). Should be > > possible, right? > > I'm not sure I follow you here. > For process_vm_readv() and process_vm_writev() secremem will be only > accessible on the local part, but not on the remote. > So copying data to secretmem pages using process_vm_writev wouldn't > work. A hypothetical "dbus-daemon-secure" service will not be *process related* with communication peers. E.g. a password-input process (reading a password into secured-memory page) will transfer the password to dbus-daemon-secure and this service will hand-over the password to two additional applications: a IPsec process on CPU0 und CPU1 (which itself use a secured-memory page). So four applications IPC chain: password-input -> dbus-daemon-secure -> {IPsec0, IPsec1} - password-input: uses a secured page to read/save the password locally after reading from TTY - dbus-daemon-secure: uses a secured page for IPC (legitimate user can write and read into the secured page) - IPSecN has secured page to save the password locally (and probably other data as well), IPC memory is memset'ed after copy Goal: the whole password is never saved/touched on non secured pages during IPC transfer. Question: maybe a *file-descriptor passing* mechanism can do the trick? I.e. dbus-daemon-secure allocates via memfd_secret/mmap secure pages and permitted processes will get the descriptor/mmaped-page passed so they can use the pages directly? Hagen