Re: [PATCHv5 02/19] mm: Do not use zero page in encrypted pages

From: Dave Hansen
Date: Thu Jul 19 2018 - 09:58:45 EST


On 07/19/2018 12:16 AM, Kirill A. Shutemov wrote:
> On Wed, Jul 18, 2018 at 10:36:24AM -0700, Dave Hansen wrote:
>> On 07/17/2018 04:20 AM, Kirill A. Shutemov wrote:
>>> Zero page is not encrypted and putting it into encrypted VMA produces
>>> garbage.
>>>
>>> We can map zero page with KeyID-0 into an encrypted VMA, but this would
>>> be a violation of the security boundary between encryption domains.
>> Why? How is it a violation?
>>
>> It only matters if they write secrets. They can't write secrets to the
>> zero page.
> I believe usage of zero page is wrong here. It would indirectly reveal
> the content of a supposedly encrypted memory region.
>
> I can see an argument for why it should be okay, and I don't have a very
> strong opinion on this.

I think we should make the zero page work. If folks are
security-sensitive, they need to write to guarantee it isn't being
shared. That's a pretty low bar.

I'm struggling to think of a case where an attacker has access to the
encrypted data, the virt->phys mapping, *and* can glean something
valuable from the presence of the zero page.

Please spend some time and focus on your patch descriptions. Use facts
that are backed up and are *precise* or tell the story of how your patch
was developed. In this case, citing the "security boundary" is not
precise enough without explaining what the boundary is and how it is
violated.