Date: Fri, 12 Feb 2021 00:59:29 +0200
From: Mike Rapoport
To: Michal Hocko
Cc: Mike Rapoport, Andrew Morton, Alexander Viro, Andy Lutomirski, Arnd Bergmann, Borislav Petkov, Catalin Marinas, Christopher Lameter, Dan Williams, Dave Hansen, David Hildenbrand, Elena Reshetova, "H. Peter Anvin", Ingo Molnar, James Bottomley, "Kirill A. Shutemov", Matthew Wilcox, Mark Rutland, Michael Kerrisk, Palmer Dabbelt, Paul Walmsley, Peter Zijlstra, Rick Edgecombe, Roman Gushchin, Shakeel Butt, Shuah Khan, Thomas Gleixner, Tycho Andersen, Will Deacon, linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-nvdimm@lists.01.org, linux-riscv@lists.infradead.org, x86@kernel.org, Hagen Paul Pfeifer, Palmer Dabbelt
Subject: Re: [PATCH v17 07/10] mm: introduce memfd_secret system call to create "secret" memory areas
Message-ID: <20210211225929.GK242749@kernel.org>
References: <20210208084920.2884-8-rppt@kernel.org> <20210208212605.GX242749@kernel.org> <20210209090938.GP299309@linux.ibm.com> <20210211071319.GF242749@kernel.org> <20210211112008.GH242749@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 11, 2021 at 01:30:42PM +0100, Michal Hocko wrote:
> On Thu 11-02-21 13:20:08, Mike Rapoport wrote:
> [...]
> > Sealing is anyway controlled via fcntl() and I don't think
> > MFD_ALLOW_SEALING makes much sense for the secretmem because it is there to
> > prevent rogue file sealing in tmpfs/hugetlbfs.
>
> This doesn't really match my understanding. The primary usecase for the
> sealing is to safely and predictably coordinate over shared memory. I
> absolutely do not see why this would be incompatible with an additional
> requirement to unmap the memory from the kernel to prevent additional
> interference from the kernel side. Quite contrary it looks like a very
> nice extension to this model.

I didn't mean that secretmem should not support sealing. I meant that
MFD_ALLOW_SEALING flag does not make sense. Unlike tmpfs, the secretmem fd
does not need protection from somebody unexpectedly sealing it.
> > As for the huge pages, I'm not sure at all that supporting huge pages in
> > secretmem will involve hugetlbfs.
>
> Have a look at how hugetlb proliferates through our MM APIs. I strongly
> suspect this is a strong signal that this won't be any different.
>
> > And even if yes, adding SECRETMEM_HUGE
> > flag seems to me less confusing than saying "from kernel x.y you can use
> > MFD_CREATE | MFD_SECRET | MFD_HUGE" etc for all possible combinations.
>
> I really fail to see your point. This is a standard model we have. It is
> quite natural that flags are added. Moreover adding a new syscall will
> not make it any less of a problem.

Nowadays adding a new syscall is not as costly as it used to be. And I
think it'll provide better extensibility when new features are added to
secretmem.

For instance, for creating a secretmem fd backed with sealing we'd have

	memfd_secret(SECRETMEM_HUGE);

rather than

	memfd_create(MFD_ALLOW_SEALING | MFD_HUGETLB | MFD_SECRET);

Besides, if we overload memfd_secret we add complexity to flags validation
of allowable flag combinations even with the simplest initial
implementation. And what will it become when more features are added to
secretmem?

> > > I by no means do not insist one way or the other but from what I have
> > > seen so far I have a feeling that the interface hasn't been thought
> > > through enough.
> >
> > It has been, but we have different thoughts about it ;-)
>
> Then you must be carrying a lot of implicit knowledge which I want you
> to document.

I don't have any implicit knowledge, we just have a different perspective.

--
Sincerely yours,
Mike.