Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1471877pxb; Mon, 22 Feb 2021 02:53:56 -0800 (PST) X-Google-Smtp-Source: ABdhPJztih+rdY+XtLC74tUt7VHXcy1F0naesoejcfkt+nh2EsyoMqnH3QTfcXTmLybKj7gUEGwh X-Received: by 2002:a05:6402:1914:: with SMTP id e20mr21637792edz.89.1613991236711; Mon, 22 Feb 2021 02:53:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1613991236; cv=none; d=google.com; s=arc-20160816; b=Mq8r3zkJqJEH0nPBwilTUBnILXR9d2g9syGLo8Ap+0kJ7VadKIyqBeu2oSJ9wH2WyB o7abCk+GIV6OOmAp8XyPk5MMJTAmsIpNPL8eZDH38Ui1Nay5SLknF2qzLmixi7r1pxIm VoCTdFtf0RjivGZBFNXpWDCHlgybhqDpJ7FGpQHFtPJe9gQsYUXZCjFI91UFQ3DFY26M CC/zWTIbUbJJYybCybx2ixeP7a37NZMHnUluCgUSxp1g3UkKUnNjvtJuK89RLHBfqQ1j SDDLnJ5UtL6JoU2jauk1Dmt4SybohV0rozCrCHwlsvNU5kh4T1dWZ94u/5sRTg2Wer22 UZkg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:subject :organization:references:cc:to:from:dkim-signature; bh=B5Wwlru6GdzCo3Pp8y35Np82fHYLWpJqEicYWng65cw=; b=KLErIYtkxKIszjhFx4EEadaiSZcRfTR2rONkLGsTc17RcRb16jYKq18+ihUnt2LSq+ c0YWFuLTd4xcKNx78EvJy7nVC2Hs39FdNn0cnRvfk4InFtZRY1Zl/wD1NegCNY+XvJck 2stOlRJOyOwPJUjEC1U06ykNm1LPSL/n9Ar1eos7KJbXeg5SnMNC1k288DLp9eL8sHDE PcHk1znGi3BqGEYm7USd7c0ZXND1v39jm1wtr22kc5aAI3eQeDWnO26iBAXTMtwXqy4l DlOQ5m1OI1nLEHbmaTbrVEW240G2dSug0R3/pS8CduTyr5hPnk4naBWm/dU99LPztVv9 l1Mw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=FdvkyOBm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z22si10354180eje.542.2021.02.22.02.53.34; Mon, 22 Feb 2021 02:53:56 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=FdvkyOBm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230345AbhBVKvu (ORCPT + 99 others); Mon, 22 Feb 2021 05:51:50 -0500 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:57242 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230338AbhBVKvs (ORCPT ); Mon, 22 Feb 2021 05:51:48 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1613991021; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=B5Wwlru6GdzCo3Pp8y35Np82fHYLWpJqEicYWng65cw=; b=FdvkyOBmZeei7QJsFpH+WCZmLFOVd6LoIZY5GUKnc7ZOnIDanPNF3bPJksp96A3LTnZhMG 2Hr4YYlFDYQwwVyaDkONmEVs/rafO0bXPnvJ5OHitZBTzHzssHgORvDTaQnJ4rAuqSwBOV LzZUT7Jlq24YnYg2C4AlWC3WN3VeuGQ= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-367-FssqEYNDO-izvW_G71aw3w-1; Mon, 22 Feb 2021 05:50:17 -0500 X-MC-Unique: FssqEYNDO-izvW_G71aw3w-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 37EEA100CC88; Mon, 22 Feb 2021 10:50:12 +0000 (UTC) Received: from [10.36.115.16] (ovpn-115-16.ams2.redhat.com [10.36.115.16]) by smtp.corp.redhat.com (Postfix) with ESMTP id 61DED7771A; Mon, 22 Feb 2021 10:50:03 +0000 (UTC) From: David Hildenbrand To: jejb@linux.ibm.com, Michal Hocko Cc: Mike Rapoport , Mike Rapoport , Andrew Morton , Alexander Viro , Andy Lutomirski , Arnd Bergmann , Borislav Petkov , Catalin Marinas , Christopher Lameter , Dan Williams , Dave Hansen , Elena Reshetova , "H. Peter Anvin" , Ingo Molnar , "Kirill A. Shutemov" , Matthew Wilcox , Mark Rutland , Michael Kerrisk , Palmer Dabbelt , Paul Walmsley , Peter Zijlstra , Rick Edgecombe , Roman Gushchin , Shakeel Butt , Shuah Khan , Thomas Gleixner , Tycho Andersen , Will Deacon , linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-nvdimm@lists.01.org, linux-riscv@lists.infradead.org, x86@kernel.org, Hagen Paul Pfeifer , Palmer Dabbelt References: <20210214091954.GM242749@kernel.org> <052DACE9-986B-424C-AF8E-D6A4277DE635@redhat.com> <244f86cba227fa49ca30cd595c4e5538fe2f7c2b.camel@linux.ibm.com> <12c3890b233c8ec8e3967352001a7b72a8e0bfd0.camel@linux.ibm.com> <000cfaa0a9a09f07c5e50e573393cda301d650c9.camel@linux.ibm.com> <5a8567a9-6940-c23f-0927-e4b5c5db0d5e@redhat.com> <304e4c9d-81aa-20ac-cfbe-245ed0de9a86@redhat.com> Organization: Red Hat GmbH Subject: Re: [PATCH v17 07/10] mm: introduce memfd_secret system call to create "secret" memory areas Message-ID: <878ca057-3262-179d-eb9b-a26829307d09@redhat.com> Date: Mon, 22 Feb 2021 11:50:02 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0 MIME-Version: 1.0 In-Reply-To: <304e4c9d-81aa-20ac-cfbe-245ed0de9a86@redhat.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 22.02.21 10:38, David Hildenbrand wrote: > On 17.02.21 17:19, James Bottomley wrote: >> On Tue, 2021-02-16 at 18:16 +0100, David Hildenbrand wrote: >> [...] >>>>> The discussion regarding migratability only really popped up >>>>> because this is a user-visible thing and not being able to >>>>> migrate can be a real problem (fragmentation, ZONE_MOVABLE, ...). >>>> >>>> I think the biggest use will potentially come from hardware >>>> acceleration. If it becomes simple to add say encryption to a >>>> secret page with no cost, then no flag needed. However, if we only >>>> have a limited number of keys so once we run out no more encrypted >>>> memory then it becomes a costly resource and users might want a >>>> choice of being backed by encryption or not. >>> >>> Right. But wouldn't HW support with configurable keys etc. need more >>> syscall parameters (meaning, even memefd_secret() as it is would not >>> be sufficient?). I suspect the simplistic flag approach might not >>> be sufficient. I might be wrong because I have no clue about MKTME >>> and friends. >> >> The theory I was operating under is key management is automatic and >> hidden, but key scarcity can't be, so if you flag requesting hardware >> backing then you either get success (the kernel found a key) or failure >> (the kernel is out of keys). If we actually want to specify the key >> then we need an extra argument and we *must* have a new system call. >> >>> Anyhow, I still think extending memfd_create() might just be good >>> enough - at least for now. >> >> I really think this is the wrong approach for a user space ABI. If we >> think we'll ever need to move to a separate syscall, we should begin >> with one. The pain of trying to shift userspace from memfd_create to a >> new syscall would be enormous. It's not impossible (see clone3) but >> it's a pain we should avoid if we know it's coming. > > Sorry for the late reply, there is just too much going on :) > > *If* we ever realize we need to pass more parameters we can easily have > a new syscall for that purpose. *Then*, we know how that syscall will > look like. Right now, it's just pure speculation. > > Until then, going with memfd_create() works just fine IMHO. > > The worst think that could happen is that we might not be able to create > all fancy sectremem flavors in the future via memfd_create() but only > via different, highly specialized syscall. I don't see a real problem > with that. > Adding to that, I'll give up arguing now as I have more important things to do. It has been questioned by various people why we need a dedicate syscall and at least for me, without a satisfying answer. Worst thing is that we end up with a syscall that could have been avoided, for example, because 1. We add existing/future memfd_create() flags to memfd_secret() as well when we need them (sealing, hugetlb., ..). 2. We decide in the future to still add MFD_SECRET support to memfd_secret(). So be it. -- Thanks, David / dhildenb