Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp1708814pxj;
        Wed, 19 May 2021 12:02:33 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxQCMzmEoy7Jph2MpZCE4z7AnvDKTAian/U8P3jPUp8APKZL52ufR1KkTw4aTkSfxq8kzKr
X-Received: by 2002:a17:906:1c8b:: with SMTP id g11mr671694ejh.158.1621450952941;
        Wed, 19 May 2021 12:02:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1621450952; cv=none;
        d=google.com; s=arc-20160816;
        b=m3pKIFRmnMfAw/g2zb4MocZjUkyEFZ2G0pZ4eZdKYai+q+zWV7GS0fxj5hZtJfVBLj
         4NYU02opPUQsLfhGpeFWJK8wPRIhg7iIxibEHta3BwvNlwuU1+YtJfKCAPidWw92nTS+
         O2Sxe2WyoJMH5GNli0/te6EDYEKyyAOVpMstvXc+qEMx4AOaVSh37P2q2mbJWtJLg8xj
         cHBPW0TXLR+0vw/ok6pIKwtcxJX3+rcC5etmE0lJ0y2l3nzQhU6/C/vAvD3zRFw1bJAp
         YS9qealGcpxPfZNAkUCodnLhKXEUCshhd7DnTjAaNA6Ayu3EFN91ca5BBYAbSE2j5EoL
         BrTg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=oy9iy31YW42GgULMnDfqqrgoX8PmHZpkik30uv+f1aA=;
        b=Gycu++foWXy8pDL0Dkrw4MH0KL2xF7/J53Hm5beM/1YBFQaHb9ScQ3wAJl/64MV5xa
         5zJbKeOh4ZT/fIq+0oYyF/zylIJlpPwH8MJ6PRw62V6ei7T4INLTY3jr8e3KM9VPgSdw
         PPIfo0v8ODBBq15VZg/M2QaYuvTwG955hzHOxbF6AdCvHVi9j6ruvAgYylFuiiQHUkji
         PaSpXLohaQk6wdwbu/SycBixU487Om76Ia2f1S3PEd/OoGu/YsW6HEALxuhHXIw7p+kX
         9qqKEvWv6rPYuU6jAFBHd5th61vXMHPOhgWvLuoPbkzDR63s8WkDBIJ9gyb5L1lxHOKo
         gOGQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=tvQ2E7Kd;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id m11si17393edc.201.2021.05.19.12.02.06;
        Wed, 19 May 2021 12:02:32 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=tvQ2E7Kd;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234162AbhESBvQ (ORCPT <rfc822;lnx4us@gmail.com> + 99 others);
        Tue, 18 May 2021 21:51:16 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38948 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234117AbhESBvP (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 18 May 2021 21:51:15 -0400
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 20870C06175F
        for <linux-kernel@vger.kernel.org>; Tue, 18 May 2021 18:49:56 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id t3so13435125edc.7
        for <linux-kernel@vger.kernel.org>; Tue, 18 May 2021 18:49:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=intel-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=oy9iy31YW42GgULMnDfqqrgoX8PmHZpkik30uv+f1aA=;
        b=tvQ2E7Kd2+Hf+RN1JCJdnQu6RymaGP0zziznDt8ISnI+jG1I9F5rTtPCJWa6PikhKh
         XFhKmAAqHeMsUAOgy6hUDl59IPnHpchWu1cnHTyyjxMolBXIohuKR723SkE7OCNxzAbK
         oygZjSu1ZC0vRf3URWfxhzVNd3YMtTfsohBEjCi0q+/uREUxDQtHtMXYqH6q8d9eUBIB
         218/C9Rmj+pEf1HRmaUjm/IPbnYkBLCQnR3DkYGpm/9v4+VmsDb6lUfsBZ8rq8wjdtNW
         PEFTJvZlWna6c3qGn3K9JEbsQ5ZbIkKlwDebT3ZVImG1L8u/VdgWTl83Y5Z5wVd6ZNag
         17jA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=oy9iy31YW42GgULMnDfqqrgoX8PmHZpkik30uv+f1aA=;
        b=QaBqs2hX3Cr+ju2SF+ETOuXFAJShd2M0It1+06Peqj2iYeX9f+Xtog43cSK9ZdYhoA
         Mo5Y0s9Cj1heFA7rduM3s1FBe2OCE2Bl/kH+GSQ+pzlqHlzYFDVx4SYMaiIQ30IolnV1
         3P8ID8OoR7PFcMSEZ1/UuSJoQi/T+FOlY2zWW1lNhyUceoBpoZJmbgKH0pA1o5hUpXtJ
         Vx2qzgeuVrxPGioQK3YERKw6viluCO7io7kyttVq1qbCwKsz12MfHvy16dYwvNvhTQCt
         xcwRcVbxWQerSlTjCoKq54tmVs/EpdU960BFCGOKGaFxD/bLpkl6/Qju6U018YEIiAPZ
         ruog==
X-Gm-Message-State: AOAM530LWWWbGMsZPPx9N3rDpeR29WPTlmGXm1vumvK8e5DiKovS+TzC
        LitjJ2HB3rrqQuf7Qx1doVKNlcUvfthXPe9Z3DH9yQ==
X-Received: by 2002:a50:ff13:: with SMTP id a19mr10495865edu.300.1621388993652;
 Tue, 18 May 2021 18:49:53 -0700 (PDT)
MIME-Version: 1.0
References: <20210513184734.29317-1-rppt@kernel.org> <20210513184734.29317-7-rppt@kernel.org>
 <20210518102424.GD82842@C02TD0UTHF1T.local> <d99864e677cec4ed83e52c4417c58bbe5fd728b1.camel@linux.ibm.com>
In-Reply-To: <d99864e677cec4ed83e52c4417c58bbe5fd728b1.camel@linux.ibm.com>
From:   Dan Williams <dan.j.williams@intel.com>
Date:   Tue, 18 May 2021 18:49:42 -0700
Message-ID: <CAPcyv4hwZ2e-xzsySOjaJXDSXRKctsoGA5zW-enTn2Y9ezWPVw@mail.gmail.com>
Subject: Re: [PATCH v19 6/8] PM: hibernate: disable when there are active
 secretmem users
To:     James Bottomley <jejb@linux.ibm.com>
Cc:     Mark Rutland <mark.rutland@arm.com>,
        Mike Rapoport <rppt@kernel.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        Andy Lutomirski <luto@kernel.org>,
        Arnd Bergmann <arnd@arndb.de>, Borislav Petkov <bp@alien8.de>,
        Catalin Marinas <catalin.marinas@arm.com>,
        Christopher Lameter <cl@linux.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        David Hildenbrand <david@redhat.com>,
        Elena Reshetova <elena.reshetova@intel.com>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Hagen Paul Pfeifer <hagen@jauu.net>,
        Ingo Molnar <mingo@redhat.com>,
        Kees Cook <keescook@chromium.org>,
        "Kirill A. Shutemov" <kirill@shutemov.name>,
        Matthew Wilcox <willy@infradead.org>,
        Matthew Garrett <mjg59@srcf.ucam.org>,
        Michal Hocko <mhocko@suse.com>,
        Mike Rapoport <rppt@linux.ibm.com>,
        Michael Kerrisk <mtk.manpages@gmail.com>,
        Palmer Dabbelt <palmer@dabbelt.com>,
        Palmer Dabbelt <palmerdabbelt@google.com>,
        Paul Walmsley <paul.walmsley@sifive.com>,
        Peter Zijlstra <peterz@infradead.org>,
        "Rafael J. Wysocki" <rjw@rjwysocki.net>,
        Rick Edgecombe <rick.p.edgecombe@intel.com>,
        Roman Gushchin <guro@fb.com>,
        Shakeel Butt <shakeelb@google.com>,
        Shuah Khan <shuah@kernel.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Tycho Andersen <tycho@tycho.ws>, Will Deacon <will@kernel.org>,
        Yury Norov <yury.norov@gmail.com>,
        Linux API <linux-api@vger.kernel.org>,
        linux-arch <linux-arch@vger.kernel.org>,
        Linux ARM <linux-arm-kernel@lists.infradead.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        Linux MM <linux-mm@kvack.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        linux-kselftest@vger.kernel.org,
        linux-nvdimm <linux-nvdimm@lists.01.org>,
        linux-riscv@lists.infradead.org, X86 ML <x86@kernel.org>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, May 18, 2021 at 6:33 PM James Bottomley <jejb@linux.ibm.com> wrote:
>
> On Tue, 2021-05-18 at 11:24 +0100, Mark Rutland wrote:
> > On Thu, May 13, 2021 at 09:47:32PM +0300, Mike Rapoport wrote:
> > > From: Mike Rapoport <rppt@linux.ibm.com>
> > >
> > > It is unsafe to allow saving of secretmem areas to the hibernation
> > > snapshot as they would be visible after the resume and this
> > > essentially will defeat the purpose of secret memory mappings.
> > >
> > > Prevent hibernation whenever there are active secret memory users.
> >
> > Have we thought about how this is going to work in practice, e.g. on
> > mobile systems? It seems to me that there are a variety of common
> > applications which might want to use this which people don't expect
> > to inhibit hibernate (e.g. authentication agents, web browsers).
>
> If mobile systems require hibernate, then the choice is to disable this
> functionality or implement a secure hibernation store.   I also thought
> most mobile hibernation was basically equivalent to S3, in which case
> there's no actual writing of ram into storage, in which case there's no
> security barrier and likely the inhibition needs to be made a bit more
> specific to the suspend to disk case?
>
> > Are we happy to say that any userspace application can incidentally
> > inhibit hibernate?
>
> Well, yes, for the laptop use case because we don't want suspend to
> disk to be able to compromise the secret area.  You can disable this
> for mobile if you like, or work out how to implement hibernate securely
> if you're really suspending to disk.

Forgive me if this was already asked and answered. Why not document
that secretmem is ephemeral in the case of hibernate and push the
problem to userspace to disable hibernation? In other words
hibernation causes applications to need to reload their secretmem, it
will be destroyed on the way down and SIGBUS afterwards. That at least
gives a system the flexibility to either sacrifice hibernate for
secretmem (with a userspace controlled policy), or sacrifice secretmem
using processes for hibernate.