Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp265260pxu; Wed, 2 Dec 2020 22:32:38 -0800 (PST) X-Google-Smtp-Source: ABdhPJyF2QL3Xo4a5YBIJU7ejj2xHgp/Kksp0bDfPrO/wjQdVriAibA3BLzFjTYcyiyfbJw41yJh X-Received: by 2002:a17:906:7b8d:: with SMTP id s13mr1152109ejo.169.1606977158624; Wed, 02 Dec 2020 22:32:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1606977158; cv=none; d=google.com; s=arc-20160816; b=VKWh00RgZJrhEPGWU1kzwI5FDOl7MfCZ7d/CKOOgS9xlTVqwAzww7fZbdiRf0nCn1V Y5GcpDzNz9EM0tOhVTrfHE457JelDYy1g6FMVkiOaxX8AegoOtTecc7lhr+aSUJ6hfAL NLgAOU6+JmcLOQ34ZNP9EgwJdjHCr8TICm0U8iSzkdzqaq0hay+FVju3hNJvf9y7rCs7 adf9S19KOi4O9o+PLC8TdUr8OQZxMTklpHV31ozneNwBJfnD0rp7pnROAtlc5KfHM4T/ KpYbiVn7Yy37Eb1qTJfP2PJAuWEXHK09t84nhgyCckJ3ND5QAsM+qG/lumjX5EVMB6VO WdYw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=90HOXVpt45wG3oikB8hldIMiBm8lp5GacTYTO/5K+0I=; b=k+hQ4442ElxCwHztQiNOWtWQ+G8sxlnmDtTOVxQfsx18Bk4wxzrf0gD3H9RFiHd6fn yqeNQOeSrHZfJanrrziEJ3Edmi7Kr363HpK7PhGt+ra6sZelGsOeuC5fxgHDZWvdmOkD f3TFVw5TUvjUZg7R8IkK3WOTVyY8Lu47hi1FvIPyKmnFD/j4YTmOrWPuiR+GrDqHThHW TFGgmqJgHEuvHgIKIitDRIsNCbTpI697fY+9o6zQQu3e3T0542obTN5EcTeTlBGsgHGJ nCiFxU2SyORAsKZHT5u58U0FDc495jgt9J0W/762FhfKXdkElWBkIt9Isrcm14N5fNvL f5uA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w14si361628edf.108.2020.12.02.22.32.15; Wed, 02 Dec 2020 22:32:38 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729428AbgLCGat (ORCPT + 99 others); Thu, 3 Dec 2020 01:30:49 -0500 Received: from mail.kernel.org ([198.145.29.99]:47436 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726405AbgLCGat (ORCPT ); Thu, 3 Dec 2020 01:30:49 -0500 From: Mike Rapoport Authentication-Results: mail.kernel.org; dkim=permerror (bad message/signature format) To: Andrew Morton Cc: Alexander Viro , Andy Lutomirski , Arnd Bergmann , Borislav Petkov , Catalin Marinas , Christopher Lameter , Dan Williams , Dave Hansen , David Hildenbrand , Elena Reshetova , "H. Peter Anvin" , Ingo Molnar , James Bottomley , "Kirill A. Shutemov" , Matthew Wilcox , Mark Rutland , Mike Rapoport , Mike Rapoport , Michael Kerrisk , Palmer Dabbelt , Paul Walmsley , Peter Zijlstra , Rick Edgecombe , Roman Gushchin , Shakeel Butt , Shuah Khan , Thomas Gleixner , Tycho Andersen , Will Deacon , linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-nvdimm@lists.01.org, linux-riscv@lists.infradead.org, x86@kernel.org Subject: [PATCH v14 00/10] mm: introduce memfd_secret system call to create "secret" memory areas Date: Thu, 3 Dec 2020 08:29:39 +0200 Message-Id: <20201203062949.5484-1-rppt@kernel.org> X-Mailer: git-send-email 2.28.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Mike Rapoport Hi, @Andrew, this is based on v5.10-rc2-mmotm-2020-11-07-21-40, I can rebase on current mmotm if you prefer. This is an implementation of "secret" mappings backed by a file descriptor. The file descriptor backing secret memory mappings is created using a dedicated memfd_secret system call The desired protection mode for the memory is configured using flags parameter of the system call. The mmap() of the file descriptor created with memfd_secret() will create a "secret" memory mapping. The pages in that mapping will be marked as not present in the direct map and will be present only in the page table of the owning mm. Although normally Linux userspace mappings are protected from other users, such secret mappings are useful for environments where a hostile tenant is trying to trick the kernel into giving them access to other tenants mappings. Additionally, in the future the secret mappings may be used as a mean to protect guest memory in a virtual machine host. For demonstration of secret memory usage we've created a userspace library https://git.kernel.org/pub/scm/linux/kernel/git/jejb/secret-memory-preloader.git that does two things: the first is act as a preloader for openssl to redirect all the OPENSSL_malloc calls to secret memory meaning any secret keys get automatically protected this way and the other thing it does is expose the API to the user who needs it. We anticipate that a lot of the use cases would be like the openssl one: many toolkits that deal with secret keys already have special handling for the memory to try to give them greater protection, so this would simply be pluggable into the toolkits without any need for user application modification. Hiding secret memory mappings behind an anonymous file allows (ab)use of the page cache for tracking pages allocated for the "secret" mappings as well as using address_space_operations for e.g. page migration callbacks. The anonymous file may be also used implicitly, like hugetlb files, to implement mmap(MAP_SECRET) and use the secret memory areas with "native" mm ABIs in the future. To limit fragmentation of the direct map to splitting only PUD-size pages, I've added an amortizing cache of PMD-size pages to each file descriptor that is used as an allocation pool for the secret memory areas. As the memory allocated by secretmem becomes unmovable, we use CMA to back large page caches so that page allocator won't be surprised by failing attempt to migrate these pages. v14: * Finally s/mod_node_page_state/mod_lruvec_page_state/ v13: https://lore.kernel.org/lkml/20201201074559.27742-1-rppt@kernel.org * Added Reviewed-by, thanks Catalin and David * s/mod_node_page_state/mod_lruvec_page_state/ as Shakeel suggested v12: https://lore.kernel.org/lkml/20201125092208.12544-1-rppt@kernel.org * Add detection of whether set_direct_map has actual effect on arm64 and bail out of CMA allocation for secretmem and the memfd_secret() syscall if pages would not be removed from the direct map v11: https://lore.kernel.org/lkml/20201124092556.12009-1-rppt@kernel.org * Drop support for uncached mappings v10: https://lore.kernel.org/lkml/20201123095432.5860-1-rppt@kernel.org * Drop changes to arm64 compatibility layer * Add Roman's Ack for memcg accounting Older history: v9: https://lore.kernel.org/lkml/20201117162932.13649-1-rppt@kernel.org v8: https://lore.kernel.org/lkml/20201110151444.20662-1-rppt@kernel.org v7: https://lore.kernel.org/lkml/20201026083752.13267-1-rppt@kernel.org v6: https://lore.kernel.org/lkml/20200924132904.1391-1-rppt@kernel.org v5: https://lore.kernel.org/lkml/20200916073539.3552-1-rppt@kernel.org v4: https://lore.kernel.org/lkml/20200818141554.13945-1-rppt@kernel.org v3: https://lore.kernel.org/lkml/20200804095035.18778-1-rppt@kernel.org v2: https://lore.kernel.org/lkml/20200727162935.31714-1-rppt@kernel.org v1: https://lore.kernel.org/lkml/20200720092435.17469-1-rppt@kernel.org Mike Rapoport (10): mm: add definition of PMD_PAGE_ORDER mmap: make mlock_future_check() global set_memory: allow set_direct_map_*_noflush() for multiple pages set_memory: allow querying whether set_direct_map_*() is actually enabled mm: introduce memfd_secret system call to create "secret" memory areas secretmem: use PMD-size pages to amortize direct map fragmentation secretmem: add memcg accounting PM: hibernate: disable when there are active secretmem users arch, mm: wire up memfd_secret system call were relevant secretmem: test: add basic selftest for memfd_secret(2) arch/arm64/include/asm/Kbuild | 1 - arch/arm64/include/asm/cacheflush.h | 6 - arch/arm64/include/asm/set_memory.h | 17 + arch/arm64/include/uapi/asm/unistd.h | 1 + arch/arm64/kernel/machine_kexec.c | 1 + arch/arm64/mm/mmu.c | 6 +- arch/arm64/mm/pageattr.c | 23 +- arch/riscv/include/asm/set_memory.h | 4 +- arch/riscv/include/asm/unistd.h | 1 + arch/riscv/mm/pageattr.c | 8 +- arch/x86/Kconfig | 2 +- arch/x86/entry/syscalls/syscall_32.tbl | 1 + arch/x86/entry/syscalls/syscall_64.tbl | 1 + arch/x86/include/asm/set_memory.h | 4 +- arch/x86/mm/pat/set_memory.c | 8 +- fs/dax.c | 11 +- include/linux/pgtable.h | 3 + include/linux/secretmem.h | 30 ++ include/linux/set_memory.h | 16 +- include/linux/syscalls.h | 1 + include/uapi/asm-generic/unistd.h | 6 +- include/uapi/linux/magic.h | 1 + kernel/power/hibernate.c | 5 +- kernel/power/snapshot.c | 4 +- kernel/sys_ni.c | 2 + mm/Kconfig | 5 + mm/Makefile | 1 + mm/filemap.c | 3 +- mm/gup.c | 10 + mm/internal.h | 3 + mm/mmap.c | 5 +- mm/secretmem.c | 439 ++++++++++++++++++++++ mm/vmalloc.c | 5 +- scripts/checksyscalls.sh | 4 + tools/testing/selftests/vm/.gitignore | 1 + tools/testing/selftests/vm/Makefile | 3 +- tools/testing/selftests/vm/memfd_secret.c | 298 +++++++++++++++ tools/testing/selftests/vm/run_vmtests | 17 + 38 files changed, 906 insertions(+), 51 deletions(-) create mode 100644 arch/arm64/include/asm/set_memory.h create mode 100644 include/linux/secretmem.h create mode 100644 mm/secretmem.c create mode 100644 tools/testing/selftests/vm/memfd_secret.c base-commit: 9f8ce377d420db12b19d6a4f636fecbd88a725a5 -- 2.28.0