From: Vlastimil Babka <vbabka@suse.cz>
To: Matthew Garrett <matthewgarrett@google.com>, linux-mm@kvack.org
Cc: linux-kernel@vger.kernel.org, linux-api@vger.kernel.org,
Matthew Garrett <mjg59@google.com>
Subject: Re: [PATCH V3] mm: Allow userland to request that the kernel clear memory on release
Date: Fri, 26 Apr 2019 09:45:11 +0200 [thread overview]
Message-ID: <d058d1ef-994f-ea6b-b6b4-bcd838a9fe2f@suse.cz> (raw)
In-Reply-To: <20190425225828.212472-1-matthewgarrett@google.com>
On 4/26/19 12:58 AM, Matthew Garrett wrote:
> From: Matthew Garrett <mjg59@google.com>
>
> Applications that hold secrets and wish to avoid them leaking can use
> mlock() to prevent the page from being pushed out to swap and
> MADV_DONTDUMP to prevent it from being included in core dumps. Applications
> can also use atexit() handlers to overwrite secrets on application exit.
> However, if an attacker can reboot the system into another OS, they can
> dump the contents of RAM and extract secrets. We can avoid this by setting
> CONFIG_RESET_ATTACK_MITIGATION on UEFI systems in order to request that the
> firmware wipe the contents of RAM before booting another OS, but this means
> rebooting takes a *long* time - the expected behaviour is for a clean
> shutdown to remove the request after scrubbing secrets from RAM in order to
> avoid this.
>
> Unfortunately, if an application exits uncleanly, its secrets may still be
> present in RAM. This can't be easily fixed in userland (eg, if the OOM
> killer decides to kill a process holding secrets, we're not going to be able
> to avoid that), so this patch adds a new flag to madvise() to allow userland
> to request that the kernel clear the covered pages whenever the page
> map count hits zero. Since vm_flags is already full on 32-bit, it
> will only work on 64-bit systems. This is currently only permitted on
> private mappings that have not yet been populated in order to simplify
> implementation, which should suffice for the envisaged use cases. We can
> extend the behaviour later if we come up with a robust set of semantics.
>
> Signed-off-by: Matthew Garrett <mjg59@google.com>
> ---
>
> Updated based on feedback from Jann - for now let's just prevent setting
> the flag on anything that has already mapped some pages, which avoids
> child processes being able to interfere with the parent. In addition,
That makes the API quite tricky and different from existing madvise()
modes that don't care. One would for example have to call
madvise(MADV_WIPEONRELEASE) before mlock(), otherwise mlock() would
fault the pages in (unless MLOCK_ONFAULT). As such it really looks like
a mmap() flag, but that's less flexible.
How bout just doing the CoW on any such pre-existing pages as part of
the madvise(MADV_WIPEONRELEASE) call?
next prev parent reply other threads:[~2019-04-26 7:45 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CACdnJuup-y1xAO93wr+nr6ARacxJ9YXgaceQK9TLktE7shab1w@mail.gmail.com>
[not found] ` <20190424211038.204001-1-matthewgarrett@google.com>
2019-04-25 12:14 ` [PATCH V2] mm: Allow userland to request that the kernel clear memory on release Michal Hocko
2019-04-25 12:37 ` Michal Hocko
2019-04-25 20:39 ` Matthew Garrett
2019-04-26 5:25 ` Michal Hocko
2019-04-26 18:08 ` Matthew Garrett
2019-04-29 21:44 ` Michal Hocko
2019-04-25 12:40 ` Vlastimil Babka
2019-04-25 20:45 ` Matthew Garrett
2019-04-25 12:42 ` Jann Horn
2019-04-25 20:43 ` Matthew Garrett
2019-04-26 5:31 ` Michal Hocko
2019-04-26 13:33 ` Jann Horn
2019-04-26 13:47 ` Michal Hocko
2019-04-26 14:03 ` Jann Horn
2019-04-26 14:08 ` Michal Hocko
2019-04-25 22:58 ` [PATCH V3] " Matthew Garrett
2019-04-26 7:45 ` Vlastimil Babka [this message]
2019-04-26 18:10 ` Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d058d1ef-994f-ea6b-b6b4-bcd838a9fe2f@suse.cz \
--to=vbabka@suse.cz \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=matthewgarrett@google.com \
--cc=mjg59@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).