Re: [PATCH v19 6/8] PM: hibernate: disable when there are active secretmem users

From: Dan Williams
Date: Tue May 18 2021 - 21:50:00 EST

Next message: Kefeng Wang: "Re: [PATCH 3/3] arm: extend pfn_valid to take into accound freed memory map alignment"
Previous message: Liuxiangdong: "Re: [PATCH v6 00/16] KVM: x86/pmu: Add *basic* support to enable guest PEBS via DS"
In reply to: James Bottomley: "Re: [PATCH v19 6/8] PM: hibernate: disable when there are active secretmem users"
Next in thread: James Bottomley: "Re: [PATCH v19 6/8] PM: hibernate: disable when there are active secretmem users"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, May 18, 2021 at 6:33 PM James Bottomley <jejb@xxxxxxxxxxxxx> wrote:
>
> On Tue, 2021-05-18 at 11:24 +0100, Mark Rutland wrote:
> > On Thu, May 13, 2021 at 09:47:32PM +0300, Mike Rapoport wrote:
> > > From: Mike Rapoport <rppt@xxxxxxxxxxxxx>
> > >
> > > It is unsafe to allow saving of secretmem areas to the hibernation
> > > snapshot as they would be visible after the resume and this
> > > essentially will defeat the purpose of secret memory mappings.
> > >
> > > Prevent hibernation whenever there are active secret memory users.
> >
> > Have we thought about how this is going to work in practice, e.g. on
> > mobile systems? It seems to me that there are a variety of common
> > applications which might want to use this which people don't expect
> > to inhibit hibernate (e.g. authentication agents, web browsers).
>
> If mobile systems require hibernate, then the choice is to disable this
> functionality or implement a secure hibernation store. I also thought
> most mobile hibernation was basically equivalent to S3, in which case
> there's no actual writing of ram into storage, in which case there's no
> security barrier and likely the inhibition needs to be made a bit more
> specific to the suspend to disk case?
>
> > Are we happy to say that any userspace application can incidentally
> > inhibit hibernate?
>
> Well, yes, for the laptop use case because we don't want suspend to
> disk to be able to compromise the secret area. You can disable this
> for mobile if you like, or work out how to implement hibernate securely
> if you're really suspending to disk.

Forgive me if this was already asked and answered. Why not document
that secretmem is ephemeral in the case of hibernate and push the
problem to userspace to disable hibernation? In other words
hibernation causes applications to need to reload their secretmem, it
will be destroyed on the way down and SIGBUS afterwards. That at least
gives a system the flexibility to either sacrifice hibernate for
secretmem (with a userspace controlled policy), or sacrifice secretmem
using processes for hibernate.

Next message: Kefeng Wang: "Re: [PATCH 3/3] arm: extend pfn_valid to take into accound freed memory map alignment"
Previous message: Liuxiangdong: "Re: [PATCH v6 00/16] KVM: x86/pmu: Add *basic* support to enable guest PEBS via DS"
In reply to: James Bottomley: "Re: [PATCH v19 6/8] PM: hibernate: disable when there are active secretmem users"
Next in thread: James Bottomley: "Re: [PATCH v19 6/8] PM: hibernate: disable when there are active secretmem users"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]