From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.5 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS,USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0C740C04EB9 for ; Wed, 5 Dec 2018 19:20:25 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C3CF12081B for ; Wed, 5 Dec 2018 19:20:24 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org C3CF12081B Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-security-module-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728189AbeLETUY (ORCPT ); Wed, 5 Dec 2018 14:20:24 -0500 Received: from mga01.intel.com ([192.55.52.88]:23240 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727402AbeLETUX (ORCPT ); Wed, 5 Dec 2018 14:20:23 -0500 X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 05 Dec 2018 11:20:22 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,319,1539673200"; d="scan'208";a="281222372" Received: from alison-desk.jf.intel.com ([10.54.74.53]) by orsmga005.jf.intel.com with ESMTP; 05 Dec 2018 11:20:22 -0800 Date: Wed, 5 Dec 2018 11:22:55 -0800 From: Alison Schofield To: Andy Lutomirski Cc: dhowells@redhat.com, tglx@linutronix.de, jmorris@namei.org, mingo@redhat.com, hpa@zytor.com, bp@alien8.de, luto@kernel.org, peterz@infradead.org, kirill.shutemov@linux.intel.com, dave.hansen@intel.com, kai.huang@intel.com, jun.nakajima@intel.com, dan.j.williams@intel.com, jarkko.sakkinen@intel.com, keyrings@vger.kernel.org, linux-security-module@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org Subject: Re: [RFC v2 01/13] x86/mktme: Document the MKTME APIs Message-ID: <20181205192255.GA988@alison-desk.jf.intel.com> References: <4ED70A75-9A88-41B4-B595-87FB748772F9@amacapital.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <4ED70A75-9A88-41B4-B595-87FB748772F9@amacapital.net> User-Agent: Mutt/1.5.24 (2015-08-30) Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: On Wed, Dec 05, 2018 at 10:11:18AM -0800, Andy Lutomirski wrote: > > > > On Dec 3, 2018, at 11:39 PM, Alison Schofield wrote: > > I realize you’re writing code to expose hardware behavior, but I’m not sure this > really makes sense in this context. Your observation is accurate. The Usage defined here is very closely aligned to the Intel MKTME Architecture spec. That's a starting point, but not the ending point. We need to implement the feature set that makes sense. More below... > > + > > + type= > > + *user* User will supply the encryption key data. Use this > > + type to directly program a hardware encryption key. > > + > > I think that “user” probably sense as a “key service” key, but I don’t think it is at all useful for non-persistent memory. Even if we take for granted that MKTME for anonymous memory is useful at all, “cpu” seems to be better in all respects. > > > Perhaps support for “user” should be tabled until there’s a design for how to use this for pmem? I imagine it would look quite a bit like dm-crypt. Advanced pmem filesystems could plausibly use different keys for different files, I suppose. > > If “user” is dropped, I think a lot of the complexity goes away. Hotplug becomes automatic, right? Dropping 'user' type removes a great deal of complexity. Let me follow up in 2 ways: 1) Find out when MKTME support for pmem is required. 2) Go back to the the requirements and get the justification for user type. > > > + *cpu* User requests a CPU generated encryption key. > > Okay, maybe, but it’s still unclear to me exactly what the intended benefit is, though. *cpu* is the RANDOM key generated by the cpu. If there were no other options, then this would be default, and go away. > > + *clear* User requests that a hardware encryption key be > > + cleared. This will clear the encryption key from > > + the hardware. On execution this hardware key gets > > + TME behavior. > > + > > Why is this a key type? Shouldn’t the API to select a key just have an option to ask for no key to be used? The *clear* key has been requested in order to clear/erase the users key data that has been programmed into a hardware slot. User does not want to leave a slot programmed with their encryption data when they are done with it. > > + *no-encrypt* > > + User requests that hardware does not encrypt > > + memory when this key is in use. > > Same as above. If there’s a performance benefit, then there could be a way to ask for cleartext memory. Similarly, some pmem users may want a way to keep their pmem unencrypted. So, this is the way to ask for cleartext memory. The entire system will be encrypted with the system wide TME Key. A subset of that will be protected with MKTME Keys. If user wants, no encrypt, this *no-encrypt* is the way to do it. Alison > > —Andy