Re: [PATCH v17 08/10] PM: hibernate: disable when there are active secretmem users

[David Hildenbrand]

On 08.02.21 11:57, Michal Hocko wrote:
> On Mon 08-02-21 11:53:58, David Hildenbrand wrote:
> > On 08.02.21 11:51, Michal Hocko wrote:
> > > On Mon 08-02-21 11:32:11, David Hildenbrand wrote:
> > > > On 08.02.21 11:18, Michal Hocko wrote:
> > > > > On Mon 08-02-21 10:49:18, Mike Rapoport wrote:
> > > > > > From: Mike Rapoport <rppt@xxxxxxxxxxxxx>
> > > > > >
> > > > > > It is unsafe to allow saving of secretmem areas to the hibernation
> > > > > > snapshot as they would be visible after the resume and this essentially
> > > > > > will defeat the purpose of secret memory mappings.
> > > > > >
> > > > > > Prevent hibernation whenever there are active secret memory users.
> > > > >
> > > > > Does this feature need any special handling? As it is effectivelly
> > > > > unevictable memory then it should behave the same as other mlock, ramfs
> > > > > which should already disable hibernation as those cannot be swapped out,
> > > > > no?
> > > >
> > > > Why should unevictable memory not go to swap when hibernating? We're merely
> > > > dumping all of our system RAM (including any unmovable allocations) to swap
> > > > storage and the system is essentially completely halted.
> > > My understanding is that mlock is never really made visible via swap
> > > storage.
> >
> > "Using swap storage for hibernation" and "swapping at runtime" are two
> > different things. I might be wrong, though.
>
> Well, mlock is certainly used to keep sensitive information, not only to
> protect from major/minor faults.

I think you're right in theory, the man page mentions "Cryptographic 
security software often handles critical bytes like passwords or secret 
keys as data structures" ...

however, I am not aware of any such swap handling and wasn't able to 
spot it quickly. Let me take a closer look.


--
Thanks,

David / dhildenb