Linux Documentation
 help / color / mirror / Atom feed
From: Lukas Gerlach <lukas.gerlach@cispa.de>
To: <akpm@linux-foundation.org>, <david@kernel.org>, <corbet@lwn.net>,
	<linux-mm@kvack.org>, <linux-doc@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>
Cc: <xu.xin16@zte.com.cn>, <chengming.zhou@linux.dev>,
	<skhan@linuxfoundation.org>,
	Lukas Gerlach <lukas.gerlach@cispa.de>,
	Jo Van Bulck <jo.vanbulck@cs.kuleuven.be>,
	Tristan Hornetz <tristan.hornetz@cispa.de>,
	Michael Schwarz <michael.schwarz@cispa.de>,
	Shukai Ni <shukai.ni@kuleuven.be>
Subject: [PATCH] mm/ksm: document side-channel security considerations
Date: Wed, 1 Jul 2026 14:34:30 +0200	[thread overview]
Message-ID: <20260701123430.20699-1-lukas.gerlach@cispa.de> (raw)
In-Reply-To: <f75d286c-4d9e-4b64-8a9e-03e1afcb509f@kernel.org>

KSM is known to enable side channels, but the admin guide does not
currently spell out the security implications of enabling page merging.
Because KSM merges pages by content across all processes with mergeable
memory, it forms a side channel that can be used to infer the contents
of that memory across security domains, regardless of the user,
container, or virtual machine the pages belong to.

Add a "Security considerations" section making this explicit, so that
operators can make an informed decision: KSM should only be enabled for
mutually trusting workloads, and any memory marked mergeable should be
assumed readable by every other process using KSM.

Co-developed-by: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be>
Signed-off-by: Jo Van Bulck <jo.vanbulck@cs.kuleuven.be>
Signed-off-by: Lukas Gerlach <lukas.gerlach@cispa.de>
Cc: Tristan Hornetz <tristan.hornetz@cispa.de>
Cc: Michael Schwarz <michael.schwarz@cispa.de>
Cc: Shukai Ni <shukai.ni@kuleuven.be>
---
Hi David,

Thanks for the quick response.

I generally agree. The issue I see is that the current documentation
understates the risk. The RHEL documentation ("could be potentially
used to leak information across guests") does not read like enabling
KSM is an arbitrary read across VMs, which the side channel we
disclosed (in contrast to previous works) is. So the documentation
should really state that KSM is only an option for mutually trusted
workloads. A clean model for this would be to assume that memory
marked as mergeable is readable by everyone else using KSM.

Patch below to clarify this in the admin guide. We would, in the
future, publish a paper on this to further raise awareness of the
risks involved with KSM.

Greetings,
Lukas

 Documentation/admin-guide/mm/ksm.rst | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/Documentation/admin-guide/mm/ksm.rst b/Documentation/admin-guide/mm/ksm.rst
index ad8e7a41f3b5..cbd5f2fdcfcb 100644
--- a/Documentation/admin-guide/mm/ksm.rst
+++ b/Documentation/admin-guide/mm/ksm.rst
@@ -27,6 +27,23 @@ KSM's merged pages were originally locked into kernel memory, but can now
 be swapped out just like other user pages (but sharing is broken when they
 are swapped back in: ksmd must rediscover their identity and merge again).

+Security considerations
+=======================
+
+Because KSM merges pages based on their content, across all processes
+with mergeable memory regardless of which user, container, or virtual
+machine they belong to, it exposes a side channel that can be used to
+infer the contents of mergeable memory across security domains.  Users
+should assume that any memory marked mergeable is readable by every
+other process using KSM.
+
+KSM should therefore only be enabled for mutually trusted workloads, or
+where the merged data is not sensitive; in particular, merging pages
+across mutually untrusted virtual machines or tenants is not secure.
+KSM is disabled by default (``run`` is 0).  Applications and VMMs that
+use ``MADV_MERGEABLE`` should limit it to regions that do not hold
+secrets.
+
 Controlling KSM with madvise
 ============================

--
2.51.0

       reply	other threads:[~2026-07-01 13:02 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <f75d286c-4d9e-4b64-8a9e-03e1afcb509f@kernel.org>
2026-07-01 12:34 ` Lukas Gerlach [this message]
2026-07-01 14:18   ` [PATCH] mm/ksm: document side-channel security considerations xu.xin16
2026-07-01 15:27   ` David Hildenbrand (Arm)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260701123430.20699-1-lukas.gerlach@cispa.de \
    --to=lukas.gerlach@cispa.de \
    --cc=akpm@linux-foundation.org \
    --cc=chengming.zhou@linux.dev \
    --cc=corbet@lwn.net \
    --cc=david@kernel.org \
    --cc=jo.vanbulck@cs.kuleuven.be \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=michael.schwarz@cispa.de \
    --cc=shukai.ni@kuleuven.be \
    --cc=skhan@linuxfoundation.org \
    --cc=tristan.hornetz@cispa.de \
    --cc=xu.xin16@zte.com.cn \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox