Re: [PATCH v17 07/10] mm: introduce memfd_secret system call to create "secret" memory areas

From: David Hildenbrand
Date: Tue Feb 16 2021 - 11:36:18 EST


On 16.02.21 17:25, James Bottomley wrote:
On Mon, 2021-02-15 at 20:20 +0100, Michal Hocko wrote:
[...]
What kind of flags are we talking about and why would that be a
problem with memfd_create interface? Could you be more specific
please?

You mean what were the ioctl flags in the patch series linked
above? They were SECRETMEM_EXCLUSIVE and SECRETMEM_UNCACHED in
patch 3/5.

OK I see. How many potential modes are we talking about? A few or
potentially many?
Well I initially thought there were two (uncached or not) until you
came up with the migratable or non-migratable, which affects the
security properties. But now there's also potential for hardware
backing, like mktme, described by flags as well. I suppose you could
also use RDT to restrict which cache the data goes into: say L1 but not
L2 on to lessen the impact of fully uncached (although the big thrust
of uncached was to blunt hyperthread side channels). So there is
potential for quite a large expansion even though I'd be willing to bet
that a lot of the modes people have thought about turn out not to be
very effective in the field.

Thanks for the insight. I remember that even the "uncached" parts was effectively nacked by x86 maintainers (I might be wrong). For the other parts, the question is what we actually want to let user space configure.

Being able to specify "Very secure" "maximum secure" "average secure" all doesn't really make sense to me. The discussion regarding migratability only really popped up because this is a user-visible thing and not being able to migrate can be a real problem (fragmentation, ZONE_MOVABLE, ...).

--
Thanks,

David / dhildenb