From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.1 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,NICE_REPLY_A, SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 76BD6C43460 for ; Fri, 14 May 2021 08:51:06 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id E5837613DF for ; Fri, 14 May 2021 08:51:05 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E5837613DF Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 4F8706B0036; Fri, 14 May 2021 04:51:05 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 4A8DD6B006E; Fri, 14 May 2021 04:51:05 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 2D6BD6B0070; Fri, 14 May 2021 04:51:05 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0249.hostedemail.com [216.40.44.249]) by kanga.kvack.org (Postfix) with ESMTP id F12B86B0036 for ; Fri, 14 May 2021 04:51:04 -0400 (EDT) Received: from smtpin14.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id 79DBB180629FB for ; Fri, 14 May 2021 08:51:04 +0000 (UTC) X-FDA: 78139216848.14.F904CC4 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by imf13.hostedemail.com (Postfix) with ESMTP id 96E28E00010C for ; Fri, 14 May 2021 08:51:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1620982263; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=A6IAZwI0xwEgxZkIPkaUDpjaSLTjanXMP6EohDn10+Y=; b=Xv+lWXvkm9VVnT/h9b7j31O0ACc6iIGPBceKV8ZI4vqeVmNi+otiI+JFk2DQvV1Sq0xGT1 A24kmoH9EbD5bwrnU/kf35gwtr/t+kO4AYWmNnLIh8jxvJhJfJ+lYMqYiXjfAbmgTJmaY/ p6dspY58kMQhu3gFc9gYsiXWt3s0BsU= Received: from mail-ej1-f72.google.com (mail-ej1-f72.google.com [209.85.218.72]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-221-VRztkhwXPB6g65Na3Kz9HA-1; Fri, 14 May 2021 04:50:59 -0400 X-MC-Unique: VRztkhwXPB6g65Na3Kz9HA-1 Received: by mail-ej1-f72.google.com with SMTP id bi3-20020a170906a243b02903933c4d9132so9390722ejb.11 for ; Fri, 14 May 2021 01:50:59 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:cc:references:from:organization:subject :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=A6IAZwI0xwEgxZkIPkaUDpjaSLTjanXMP6EohDn10+Y=; b=bTdHs5M/3W0w2ecm0GvLw/wRIcCgUTsCQz+cDKeFe6i31VwB34p/2qiWOulWSgsJZe XqGun2FBRLVOIvO2ANBz9ehqfIQz/bc/PmbZXseNzy9l+4iYMSRnU4643dW+HLhTkG6M kWBqzhKVDdcjZM1y3I8m1V1Gusj3zc5LDJZ4LfHyt10X96VYW3PPgPqzfiOYfavidm/N 5blzE9SgcDrdk6bP3sqyztQ+eusSBNue5bfi2SCIU6/XtzxI2PUbLDLj/9L6T1CJ51Rw YoS/j4Sab3HXMDLzdj+ocnCiWFk9//Kty2pPXBtgOOqYijrjQuj8aql7u0QRT14y4/k0 ftaw== X-Gm-Message-State: AOAM530XaJ8+NITmW87d7BwX+6lbVoAzzth8N92jfvceoFIv6kGf9Du1 hLJlfB+Q7fwcl5bVYbWctQtQJM3U/i7c/o4XuL23jfy+o12RIBjNIKedqIPNFNxIhmmBAQ2Osuq CE7RhW3aUp70= X-Received: by 2002:aa7:de02:: with SMTP id h2mr54907500edv.61.1620982258508; Fri, 14 May 2021 01:50:58 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwbFV5SCx4C1Oa2Pq/TZ05TRM0enPIT1usIgqsxFBagAMreWK04a8ZIkxs0DNaI7qx1TZ7bmg== X-Received: by 2002:aa7:de02:: with SMTP id h2mr54907444edv.61.1620982258235; Fri, 14 May 2021 01:50:58 -0700 (PDT) Received: from [192.168.3.132] (p5b0c6501.dip0.t-ipconnect.de. [91.12.101.1]) by smtp.gmail.com with ESMTPSA id yw9sm3241097ejb.91.2021.05.14.01.50.56 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 14 May 2021 01:50:57 -0700 (PDT) To: Mike Rapoport , Andrew Morton Cc: Alexander Viro , Andy Lutomirski , Arnd Bergmann , Borislav Petkov , Catalin Marinas , Christopher Lameter , Dan Williams , Dave Hansen , Elena Reshetova , "H. Peter Anvin" , Hagen Paul Pfeifer , Ingo Molnar , James Bottomley , Kees Cook , "Kirill A. Shutemov" , Matthew Wilcox , Matthew Garrett , Mark Rutland , Michal Hocko , Mike Rapoport , Michael Kerrisk , Palmer Dabbelt , Palmer Dabbelt , Paul Walmsley , Peter Zijlstra , "Rafael J. Wysocki" , Rick Edgecombe , Roman Gushchin , Shakeel Butt , Shuah Khan , Thomas Gleixner , Tycho Andersen , Will Deacon , Yury Norov , linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-nvdimm@lists.01.org, linux-riscv@lists.infradead.org, x86@kernel.org References: <20210513184734.29317-1-rppt@kernel.org> <20210513184734.29317-6-rppt@kernel.org> From: David Hildenbrand Organization: Red Hat Subject: Re: [PATCH v19 5/8] mm: introduce memfd_secret system call to create "secret" memory areas Message-ID: Date: Fri, 14 May 2021 10:50:55 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1 MIME-Version: 1.0 In-Reply-To: <20210513184734.29317-6-rppt@kernel.org> X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Authentication-Results: imf13.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=Xv+lWXvk; dmarc=pass (policy=none) header.from=redhat.com; spf=none (imf13.hostedemail.com: domain of david@redhat.com has no SPF policy when checking 216.205.24.124) smtp.mailfrom=david@redhat.com X-Stat-Signature: kp3gqbxddb1xexihb9w9kt6qu1f4k3es X-Rspamd-Queue-Id: 96E28E00010C X-Rspamd-Server: rspam02 X-HE-Tag: 1620982262-875401 Content-Transfer-Encoding: quoted-printable X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 13.05.21 20:47, Mike Rapoport wrote: > From: Mike Rapoport >=20 > Introduce "memfd_secret" system call with the ability to create > memory areas visible only in the context of the owning process and > not mapped not only to other processes but in the kernel page tables > as well. >=20 > The secretmem feature is off by default and the user must explicitly > enable it at the boot time. >=20 > Once secretmem is enabled, the user will be able to create a file=20 > descriptor using the memfd_secret() system call. The memory areas > created by mmap() calls from this file descriptor will be unmapped > from the kernel direct map and they will be only mapped in the page > table of the processes that have access to the file descriptor. >=20 > The file descriptor based memory has several advantages over the=20 > "traditional" mm interfaces, such as mlock(), mprotect(), madvise(). > File descriptor approach allows explict and controlled sharing of the > memory s/explict/explicit/ > areas, it allows to seal the operations. Besides, file descriptor > based memory paves the way for VMMs to remove the secret memory range > from the userpace hipervisor process, for instance QEMU. Andy > Lutomirski says: s/userpace hipervisor/userspace hypervisor/ >=20 > "Getting fd-backed memory into a guest will take some possibly major > work in the kernel, but getting vma-backed memory into a guest > without mapping it in the host user address space seems much, much > worse." >=20 > memfd_secret() is made a dedicated system call rather than an > extention to s/extention/extension/ > memfd_create() because it's purpose is to allow the user to create > more secure memory mappings rather than to simply allow file based > access to the memory. Nowadays a new system call cost is negligible > while it is way simpler for userspace to deal with a clear-cut system > calls than with a multiplexer or an overloaded syscall. Moreover, the > initial implementation of memfd_secret() is completely distinct from > memfd_create() so there is no much sense in overloading > memfd_create() to begin with. If there will be a need for code > sharing between these implementation it can be easily achieved > without a need to adjust user visible APIs. >=20 > The secret memory remains accessible in the process context using > uaccess primitives, but it is not exposed to the kernel otherwise; > secret memory areas are removed from the direct map and functions in > the follow_page()/get_user_page() family will refuse to return a page > that belongs to the secret memory area. >=20 > Once there will be a use case that will require exposing secretmem to > the kernel it will be an opt-in request in the system call flags so > that user would have to decide what data can be exposed to the > kernel. Maybe spell out an example: like page migration. >=20 > Removing of the pages from the direct map may cause its fragmentation > on architectures that use large pages to map the physical memory > which affects the system performance. However, the original Kconfig > text for CONFIG_DIRECT_GBPAGES said that gigabyte pages in the direct > map "... can improve the kernel's performance a tiny bit ..." (commit > 00d1c5e05736 ("x86: add gbpages switches")) and the recent report [1] > showed that "... although 1G mappings are a good default choice, > there is no compelling evidence that it must be the only choice". > Hence, it is sufficient to have secretmem disabled by default with > the ability of a system administrator to enable it at boot time. Maybe add a link to the Intel performance evaluation. >=20 > Pages in the secretmem regions are unevictable and unmovable to > avoid accidental exposure of the sensitive data via swap or during > page migration. >=20 > Since the secretmem mappings are locked in memory they cannot exceed=20 > RLIMIT_MEMLOCK. Since these mappings are already locked independently > from mlock(), an attempt to mlock()/munlock() secretmem range would > fail and mlockall()/munlockall() will ignore secretmem mappings. Maybe add something like "similar to pages pinned by VFIO". >=20 > However, unlike mlock()ed memory, secretmem currently behaves more > like long-term GUP: secretmem mappings are unmovable mappings > directly consumed by user space. With default limits, there is no > excessive use of secretmem and it poses no real problem in > combination with ZONE_MOVABLE/CMA, but in the future this should be > addressed to allow balanced use of large amounts of secretmem along > with ZONE_MOVABLE/CMA. >=20 > A page that was a part of the secret memory area is cleared when it > is freed to ensure the data is not exposed to the next user of that > page. You could skip that with init_on_free (and eventually also with=20 init_on_alloc) set to avoid double clearing. >=20 > The following example demonstrates creation of a secret mapping > (error handling is omitted): >=20 > fd =3D memfd_secret(0); ftruncate(fd, MAP_SIZE); ptr =3D mmap(NULL, > MAP_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); >=20 > [1] > https://lore.kernel.org/linux-mm/213b4567-46ce-f116-9cdf-bbd0c884eb3c@l= inux.intel.com/ [my mail client messed up the remainder of the mail for whatever reason,=20 will comment in a separate mail if there is anything to comment :) ] --=20 Thanks, David / dhildenb