Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp5169544pxb; Mon, 15 Feb 2021 11:23:56 -0800 (PST) X-Google-Smtp-Source: ABdhPJzB+02jTmHYvIrvnmyLMgNCdv4zTMVL48vsTHUWq4XhtAuhPZYk/8HjkMNm3+iynPWHwAtS X-Received: by 2002:a17:906:2bd7:: with SMTP id n23mr17438428ejg.502.1613417036705; Mon, 15 Feb 2021 11:23:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1613417036; cv=none; d=google.com; s=arc-20160816; b=aiFTaPwRPF5Q962XxRvj4ccH/zemh4Uox8Ij0tmsILw2HiGbwO+bhx9gQTbrzQ4MFG LkBCmPjH0DjE0qEuaQEtQ67TLqjJ2EoyStBntRooguWb5g6/wakKyPfnrqV5owsoxm7j ihmnY11pDgQtckUT4lykTn17CL0w4TGdRTG26As+adsDQjc4PoYxiNPZJ+Zwcr9id1zC 79mP6YC5w3CLt/B11UP5N2I5f/VTXOtrCtw6LoepPjNML02wWH+cJHLAOV9ozTnVOz5I Liz984qDJyXktjv07gVN3sBQl/nATTyTuib1yh7OlSjg8IzgLBiwiKReUg+u1oROJlGW KzDw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=35iSk0+5UfxNhbQoMoqK8Z0u+AvwuK5VeLDZ0BFtGgc=; b=awEcmPhULen1RZHQN8Nc6YQ7VlAQAYjxL7o7HtdYXyGjoLPFU7BzLhYBp2NUbYDA30 P3ZGKp/MqATzWCgyUh3Bt+3lZzBzXgF/63ONiYkmdAZgj3LUwERUmQBzXTQmI99fIDeB QluWix+mKPWxdj2NbA9mmkXynxeui3diHI9NaJv11fw8bvtJ211CaZETrEpCyv/u8aWx z9PoTVPhTycyO9SK+6YL1JYQwOFkzrlVUdUG5A68JZgKL4evDxkhwey6ne6m6ggsbdkY NjNv0HqU2VXZMLlZJxN+YmDMDWSswXJ1odRlyEZYddbkkgxYDtV6GYzI97rJJX2g332w T29w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.com header.s=susede1 header.b=LxudusPD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=suse.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k9si12816713edx.173.2021.02.15.11.23.33; Mon, 15 Feb 2021 11:23:56 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.com header.s=susede1 header.b=LxudusPD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=suse.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230427AbhBOTVl (ORCPT + 99 others); Mon, 15 Feb 2021 14:21:41 -0500 Received: from mx2.suse.de ([195.135.220.15]:49872 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229991AbhBOTVf (ORCPT ); Mon, 15 Feb 2021 14:21:35 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=susede1; t=1613416848; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=35iSk0+5UfxNhbQoMoqK8Z0u+AvwuK5VeLDZ0BFtGgc=; b=LxudusPDnEIzx32bpsNd8eGk9aEHEp8nORbgbhfo9m/WaYQJNvskWIV49SwUk+3e+wUm6W bvkuJfdiurilR7t9l+AqCl48/0xWlWnh1jxDaWj32SfJk9fDbkh0PhlICshQRWBYaiM9H0 Cssa+KhpPwQxypJN/O8+L/ThpHbYF+4= Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id C9B2BAC32; Mon, 15 Feb 2021 19:20:47 +0000 (UTC) Date: Mon, 15 Feb 2021 20:20:45 +0100 From: Michal Hocko To: James Bottomley Cc: David Hildenbrand , Mike Rapoport , Mike Rapoport , Andrew Morton , Alexander Viro , Andy Lutomirski , Arnd Bergmann , Borislav Petkov , Catalin Marinas , Christopher Lameter , Dan Williams , Dave Hansen , Elena Reshetova , "H. Peter Anvin" , Ingo Molnar , "Kirill A. Shutemov" , Matthew Wilcox , Mark Rutland , Michael Kerrisk , Palmer Dabbelt , Paul Walmsley , Peter Zijlstra , Rick Edgecombe , Roman Gushchin , Shakeel Butt , Shuah Khan , Thomas Gleixner , Tycho Andersen , Will Deacon , linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-nvdimm@lists.01.org, linux-riscv@lists.infradead.org, x86@kernel.org, Hagen Paul Pfeifer , Palmer Dabbelt Subject: Re: [PATCH v17 07/10] mm: introduce memfd_secret system call to create "secret" memory areas Message-ID: References: <20210214091954.GM242749@kernel.org> <052DACE9-986B-424C-AF8E-D6A4277DE635@redhat.com> <244f86cba227fa49ca30cd595c4e5538fe2f7c2b.camel@linux.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon 15-02-21 10:14:43, James Bottomley wrote: > On Mon, 2021-02-15 at 10:13 +0100, Michal Hocko wrote: > > On Sun 14-02-21 11:21:02, James Bottomley wrote: > > > On Sun, 2021-02-14 at 10:58 +0100, David Hildenbrand wrote: > > > [...] > > > > > And here we come to the question "what are the differences that > > > > > justify a new system call?" and the answer to this is very > > > > > subjective. And as such we can continue bikeshedding forever. > > > > > > > > I think this fits into the existing memfd_create() syscall just > > > > fine, and I heard no compelling argument why it shouldn‘t. That‘s > > > > all I can say. > > > > > > OK, so let's review history. In the first two incarnations of the > > > patch, it was an extension of memfd_create(). The specific > > > objection by Kirill Shutemov was that it doesn't share any code in > > > common with memfd and so should be a separate system call: > > > > > > https://lore.kernel.org/linux-api/20200713105812.dnwtdhsuyj3xbh4f@box/ > > > > Thanks for the pointer. But this argument hasn't been challenged at > > all. It hasn't been brought up that the overlap would be considerable > > higher by the hugetlb/sealing support. And so far nobody has claimed > > those combinations as unviable. > > Kirill is actually interested in the sealing path for his KVM code so > we took a look. There might be a two line overlap in memfd_create for > the seal case, but there's no real overlap in memfd_add_seals which is > the bulk of the code. So the best way would seem to lift the inode ... > -> seals helpers to be non-static so they can be reused and roll our > own add_seals. These are implementation details which are not really relevant to the API IMHO. > I can't see a use case at all for hugetlb support, so it seems to be a > bit of an angels on pin head discussion. However, if one were to come > along handling it in the same way seems reasonable. Those angels have made their way to mmap, System V shm, memfd_create and other MM interfaces which have never envisioned when introduced. Hugetlb pages to back guest memory is quite a common usecase so why do you think those guests wouldn't like to see their memory be "secret"? As I've said in my last response (YCZEGuLK94szKZDf@dhcp22.suse.cz), I am not going to argue all these again. I have made my point and you are free to take it or leave it. > > > The other objection raised offlist is that if we do use > > > memfd_create, then we have to add all the secret memory flags as an > > > additional ioctl, whereas they can be specified on open if we do a > > > separate system call. The container people violently objected to > > > the ioctl because it can't be properly analysed by seccomp and much > > > preferred the syscall version. > > > > > > Since we're dumping the uncached variant, the ioctl problem > > > disappears but so does the possibility of ever adding it back if we > > > take on the container peoples' objection. This argues for a > > > separate syscall because we can add additional features and extend > > > the API with flags without causing anti-ioctl riots. > > > > I am sorry but I do not understand this argument. > > You don't understand why container guarding technology doesn't like > ioctls? No, I did not see where the ioctl argument came from. [...] > > What kind of flags are we talking about and why would that be a > > problem with memfd_create interface? Could you be more specific > > please? > > You mean what were the ioctl flags in the patch series linked above? > They were SECRETMEM_EXCLUSIVE and SECRETMEM_UNCACHED in patch 3/5. OK I see. How many potential modes are we talking about? A few or potentially many? > They were eventually dropped after v10, because of problems with > architectural semantics, with the idea that it could be added back > again if a compelling need arose: > > https://lore.kernel.org/linux-api/20201123095432.5860-1-rppt@kernel.org/ > > In theory the extra flags could be multiplexed into the memfd_create > flags like hugetlbfs is but with 32 flags and a lot already taken it > gets messy for expansion. When we run out of flags the first question > people will ask is "why didn't you do separate system calls?". OK, I do not necessarily see a lack of flag space a problem. I can be wrong here but I do not see how that would be solved by a separate syscall when it sounds rather forseeable that many modes supported by memfd_create will eventually find their way to a secret memory as well. If for no other reason, secret memory is nothing really special. It is just a memory which is not mapped to the kernel via 1:1 mapping. That's it. And that can be applied to any memory provided to the userspace. But I am repeating myself again here so I better stop. -- Michal Hocko SUSE Labs