From: Pavel Machek <pavel@ucw.cz>
To: Jann Horn <jannh@google.com>
Cc: "Catangiu, Adrian Costin" <acatan@amazon.com>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"linux-pm@vger.kernel.org" <linux-pm@vger.kernel.org>,
"virtualization@lists.linux-foundation.org"
<virtualization@lists.linux-foundation.org>,
"linux-api@vger.kernel.org" <linux-api@vger.kernel.org>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"rjw@rjwysocki.net" <rjw@rjwysocki.net>,
"len.brown@intel.com" <len.brown@intel.com>,
"mhocko@kernel.org" <mhocko@kernel.org>,
"fweimer@redhat.com" <fweimer@redhat.com>,
"keescook@chromium.org" <keescook@chromium.org>,
"luto@amacapital.net" <luto@amacapital.net>,
"wad@chromium.org" <wad@chromium.org>,
"mingo@kernel.org" <mingo@kernel.org>,
"bonzini@gnu.org" <bonzini@gnu.org>, "Graf (AWS),
Alexander" <graf@amazon.de>,
"MacCarthaigh, Colm" <colmmacc@amazon.com>,
"Singh, Balbir" <sblbir@amazon.com>,
"Sandu, Andrei" <sandreim@amazon.com>,
"Brooker, Marc" <mbrooker@amazon.com>,
"Weiss, Radu" <raduweis@amazon.com>,
"Manwaring, Derek" <derekmn@amazon.com>
Subject: Re: [RFC]: mm,power: introduce MADV_WIPEONSUSPEND
Date: Sat, 4 Jul 2020 13:48:20 +0200 [thread overview]
Message-ID: <20200704114820.GA16083@amd> (raw)
In-Reply-To: <CAG48ez0oWQd42a-H-Dzw1Wq7HgB5PpFRGCZeYxP8ohxaoZHmvQ@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1297 bytes --]
Hi!
> > > Cryptographic libraries carry pseudo random number generators to
> > > quickly provide randomness when needed. If such a random pool gets
> > > cloned, secrets may get revealed, as the same random number may get
> > > used multiple times. For fork, this was fixed using the WIPEONFORK
> > > madvise flag [1].
> >
> > > Unfortunately, the same problem surfaces when a virtual machine gets
> > > cloned. The existing flag does not help there. This patch introduces a
> > > new flag to automatically clear memory contents on VM suspend/resume,
> > > which will allow random number generators to reseed when virtual
> > > machines get cloned.
> >
> > Umm. If this is real problem, should kernel provide such rng in the
> > vsdo page using vsyscalls? Kernel can have special interface to its
> > vsyscalls, but we may not want to offer this functionality to rest of
> > userland...
>
> And then the kernel would just need to maintain a sequence
> number in the vDSO data page that gets bumped on suspen
Yes, something like that would work. Plus, we'd be free to change the
mechanism in future.
Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: Pavel Machek <pavel-+ZI9xUNit7I@public.gmane.org>
To: Jann Horn <jannh-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
Cc: "Catangiu,
Adrian Costin" <acatan-vV1OtcyAfmbQT0dZR+AlfA@public.gmane.org>,
"linux-mm-Bw31MaZKKs3YtjvyW6yDsg@public.gmane.org"
<linux-mm-Bw31MaZKKs3YtjvyW6yDsg@public.gmane.org>,
"linux-pm-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-pm-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"virtualization-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org"
<virtualization-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
"linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org"
<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
"rjw-LthD3rsA81gm4RdzfppkhA@public.gmane.org"
<rjw-LthD3rsA81gm4RdzfppkhA@public.gmane.org>,
"len.brown-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org"
<len.brown-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>,
"mhocko-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org"
<mhocko-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
"fweimer-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org"
<fweimer-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
"keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org"
<keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
"luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org"
<luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
"wad-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org"
<wad-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>,
"mingo-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org"
<mingo-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
"bonzini-mXXj517/zsQ@public.gmane.org"
<bonzini-mXXj517/zsQ@public.gmane.org>, "Graf (AWS),
Alexander" <graf-ebkRAfMGSJGzQB+pC5nmwQ@public.gmane.org>
Subject: Re: [RFC]: mm,power: introduce MADV_WIPEONSUSPEND
Date: Sat, 4 Jul 2020 13:48:20 +0200 [thread overview]
Message-ID: <20200704114820.GA16083@amd> (raw)
In-Reply-To: <CAG48ez0oWQd42a-H-Dzw1Wq7HgB5PpFRGCZeYxP8ohxaoZHmvQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
[-- Attachment #1: Type: text/plain, Size: 1297 bytes --]
Hi!
> > > Cryptographic libraries carry pseudo random number generators to
> > > quickly provide randomness when needed. If such a random pool gets
> > > cloned, secrets may get revealed, as the same random number may get
> > > used multiple times. For fork, this was fixed using the WIPEONFORK
> > > madvise flag [1].
> >
> > > Unfortunately, the same problem surfaces when a virtual machine gets
> > > cloned. The existing flag does not help there. This patch introduces a
> > > new flag to automatically clear memory contents on VM suspend/resume,
> > > which will allow random number generators to reseed when virtual
> > > machines get cloned.
> >
> > Umm. If this is real problem, should kernel provide such rng in the
> > vsdo page using vsyscalls? Kernel can have special interface to its
> > vsyscalls, but we may not want to offer this functionality to rest of
> > userland...
>
> And then the kernel would just need to maintain a sequence
> number in the vDSO data page that gets bumped on suspen
Yes, something like that would work. Plus, we'd be free to change the
mechanism in future.
Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]
next prev parent reply other threads:[~2020-07-04 11:48 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-03 10:34 [RFC]: mm,power: introduce MADV_WIPEONSUSPEND Catangiu, Adrian Costin
2020-07-03 10:34 ` Catangiu, Adrian Costin
2020-07-03 11:04 ` Jann Horn
2020-07-03 11:04 ` Jann Horn
2020-07-04 1:33 ` Colm MacCárthaigh
2020-07-04 1:33 ` Colm MacCárthaigh
2020-07-06 12:09 ` Alexander Graf
2020-07-06 12:09 ` Alexander Graf
2020-07-03 11:30 ` Michal Hocko
2020-07-03 11:30 ` Michal Hocko
2020-07-03 12:17 ` Rafael J. Wysocki
2020-07-03 12:17 ` Rafael J. Wysocki
2020-07-03 22:39 ` Pavel Machek
2020-07-03 22:39 ` Pavel Machek
2020-07-03 13:29 ` Jann Horn
2020-07-03 13:29 ` Jann Horn
2020-07-03 22:34 ` Pavel Machek
2020-07-03 22:34 ` Pavel Machek
2020-07-03 22:53 ` Jann Horn
2020-07-03 22:53 ` Jann Horn
2020-07-07 7:38 ` Michal Hocko
2020-07-07 7:38 ` Michal Hocko
2020-07-07 8:07 ` Pavel Machek
2020-07-07 8:07 ` Pavel Machek
2020-07-07 8:58 ` Michal Hocko
2020-07-07 8:58 ` Michal Hocko
2020-07-07 16:37 ` Pavel Machek
2020-07-07 16:37 ` Pavel Machek
2020-07-07 19:00 ` Colm MacCarthaigh
2020-07-12 7:22 ` Pavel Machek
2020-07-12 7:22 ` Pavel Machek
2020-07-13 8:02 ` Michal Hocko
2020-07-13 8:02 ` Michal Hocko
2020-07-04 1:45 ` Colm MacCárthaigh
2020-07-04 1:45 ` Colm MacCárthaigh
2020-07-07 7:40 ` Michal Hocko
2020-07-07 7:40 ` Michal Hocko
2020-07-03 22:44 ` Pavel Machek
2020-07-03 22:44 ` Pavel Machek
2020-07-03 22:56 ` Jann Horn
2020-07-03 22:56 ` Jann Horn
2020-07-04 11:48 ` Pavel Machek [this message]
2020-07-04 11:48 ` Pavel Machek
2020-07-06 12:26 ` Alexander Graf
2020-07-06 12:26 ` Alexander Graf
2020-07-06 12:52 ` Jann Horn
2020-07-06 12:52 ` Jann Horn
2020-07-06 13:14 ` Alexander Graf
2020-07-06 13:14 ` Alexander Graf
2020-07-07 7:44 ` Michal Hocko
2020-07-07 7:44 ` Michal Hocko
2020-07-07 8:01 ` Alexander Graf
2020-07-07 8:01 ` Alexander Graf
2020-07-07 9:14 ` Michal Hocko
2020-07-07 9:14 ` Michal Hocko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200704114820.GA16083@amd \
--to=pavel@ucw.cz \
--cc=acatan@amazon.com \
--cc=akpm@linux-foundation.org \
--cc=bonzini@gnu.org \
--cc=colmmacc@amazon.com \
--cc=derekmn@amazon.com \
--cc=fweimer@redhat.com \
--cc=graf@amazon.de \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=len.brown@intel.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-pm@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mbrooker@amazon.com \
--cc=mhocko@kernel.org \
--cc=mingo@kernel.org \
--cc=raduweis@amazon.com \
--cc=rjw@rjwysocki.net \
--cc=sandreim@amazon.com \
--cc=sblbir@amazon.com \
--cc=virtualization@lists.linux-foundation.org \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.