From: Andrew Morton <akpm@linux-foundation.org>
To: York Jasper Niebuhr <yjnworkstation@gmail.com>
Cc: linux-kernel@vger.kernel.org, rppt@kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH] mm: init_mlocked_on_free
Date: Mon, 4 Dec 2023 11:54:34 -0800
Message-ID: <20231204115434.65f04d1de5041038ab5e2b8d@linux-foundation.org>
In-Reply-To: <20231202134218.151074-1-yjnworkstation@gmail.com>

On Sat,  2 Dec 2023 14:42:18 +0100 York Jasper Niebuhr <yjnworkstation@gmail.com> wrote:

> Adds the "PG_ofinit" page flag to specify if a page should be zeroed on
> free.

That's a problem - unused page flags are few, and are a treasured
resource.  Matthew Wilcox is a suitable reviewer, but you didn't cc the
linux-mm mailing list.

Please address this concern in future changelogs.

> Implements the "init_mlocked_on_free" boot option. When this boot option
> is set, any mlock'ed pages are zeroed on munmap, exit or exec. If the
> pages are munlock'ed beforehand, no initialization will take place. This
> boot option is meant to combat the performance hit of "init_on_free" as
> reported in commit 6471384af2a6 ("mm: security: introduce
> init_on_alloc=1 and init_on_free=1 boot options"). With
> "init_mlocked_on_free", only relevant data will be freed while
> everything else is left untouched by the kernel.

It would be helpful to provide a full description of the performance
benefits right here in the changelog, please.  Including example
quantitative testing results.  See if you can persuade us to consume
another page flag.  

Also, can we avoid using a page flag?   Can this be done on a per-vma
basis rather than per-page?

> Optimally, userspace programs will clear any key material or other
> confidential memory before exit and munlock the according memory
> regions. If a program crashes, however, userspace key managers will not
> be able to zero this data. If this happens, the memory will not be
> explicitly munlock'ed before exit either, so the kernel will zero the
> data and prevent data leaks. If the program finishes properly, no pages
> will be initialized again, as they were already munlock'ed.
> 
> In general, leaving memory mlock'ed until unmap, exit or exec can be used
> to specify exactly what memory should be initialized on free.
> 
> CONFIG_INIT_MLOCKED_ON_FREE_DEFAULT_ON can be set to enable
> "init_mlocked_on_free" by default.
> 

Please address the above and send us a v2?
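The userspace side of the contract the quoted changelog describes (a key manager clears its key material and munlocks the region on a clean exit, so the kernel's init_mlocked_on_free path only has work left to do after a crash), as an added example in C. This is not code from the patch or from the kernel; `struct secret_buf` and its functions are hypothetical names chosen here, and the key bytes are constructed test data. Nothing below exercises the kernel-side zeroing, which a user process cannot observe; it shows the normal-exit path a well-behaved program takes, and treats a failed mlock() (for example an exhausted RLIMIT_MEMLOCK) as non-fatal so the wipe still happens.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical holder for secret material: a page-aligned, mlock'ed mapping. */
struct secret_buf {
    unsigned char *ptr;   /* anonymous private mapping */
    size_t len;           /* mapping length, rounded up to a page multiple */
    int locked;           /* 1 if mlock() succeeded, 0 otherwise */
};

/* Zero memory through a volatile pointer so the compiler cannot drop the stores. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Map and lock a buffer for secret material. Returns 0 on success, -1 if mmap fails.
 * A failed mlock() is recorded in sb->locked but is not treated as fatal. */
int secret_buf_init(struct secret_buf *sb, size_t want)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = (want + page - 1) / page * page;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    sb->ptr = p;
    sb->len = len;
    sb->locked = (mlock(p, len) == 0);
    return 0;
}

/* Returns 1 if every byte of the mapping is zero, else 0. */
int secret_buf_is_zeroed(const struct secret_buf *sb)
{
    for (size_t i = 0; i < sb->len; i++)
        if (sb->ptr[i] != 0)
            return 0;
    return 1;
}

/* Clean shutdown in the order the changelog assumes: zero first, then munlock,
 * then unmap. Returns 0 on success, -1 if munlock or munmap failed. */
int secret_buf_destroy(struct secret_buf *sb)
{
    int rc = 0;
    secure_zero(sb->ptr, sb->len);
    if (sb->locked && munlock(sb->ptr, sb->len) != 0)
        rc = -1;
    if (munmap(sb->ptr, sb->len) != 0)
        rc = -1;
    sb->ptr = NULL;
    sb->len = 0;
    sb->locked = 0;
    return rc;
}

/* Walk one key lifecycle with constructed (non-secret) bytes.
 * Returns 1 if material was present before the wipe and gone after it. */
int demo_key_lifecycle(void)
{
    struct secret_buf sb;
    if (secret_buf_init(&sb, 32) != 0)
        return 0;
    for (size_t i = 0; i < 32; i++)           /* constructed key pattern */
        sb.ptr[i] = (unsigned char)(0xA5 ^ i);
    int had_material = !secret_buf_is_zeroed(&sb);
    secure_zero(sb.ptr, sb.len);              /* what a crash would skip */
    int wiped = secret_buf_is_zeroed(&sb);
    int destroyed = (secret_buf_destroy(&sb) == 0);
    return had_material && wiped && destroyed;
}

int main(void)
{
    printf("key lifecycle clean: %s\n", demo_key_lifecycle() ? "yes" : "no");
    return 0;
}
```

The point of the ordering in secret_buf_destroy is the one the changelog relies on: a region that is still mlock'ed at munmap, exit or exec is what the proposed option would zero, so a program that wipes and munlocks itself on the normal path leaves the kernel nothing to do, while a crash leaves the region locked and hands the wipe to the kernel.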
