Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map... | linux-arm-kernel

[PATCH v16 00/11] mm: introduce memfd_secret system call to create "secret" memory areas · Mike Rapoport <rppt@kernel.org> · 2021-01-21
[PATCH v16 01/11] mm: add definition of PMD_PAGE_ORDER · Mike Rapoport <rppt@kernel.org> · 2021-01-21
[PATCH v16 02/11] mmap: make mlock_future_check() global · Mike Rapoport <rppt@kernel.org> · 2021-01-21
[PATCH v16 08/11] secretmem: add memcg accounting · Mike Rapoport <rppt@kernel.org> · 2021-01-21
Re: [PATCH v16 08/11] secretmem: add memcg accounting · Michal Hocko <mhocko@suse.com> · 2021-01-25
Re: [PATCH v16 08/11] secretmem: add memcg accounting · Mike Rapoport <rppt@kernel.org> · 2021-01-25
Re: [PATCH v16 08/11] secretmem: add memcg accounting · Matthew Wilcox <willy@infradead.org> · 2021-01-26
Re: [PATCH v16 08/11] secretmem: add memcg accounting · Michal Hocko <mhocko@suse.com> · 2021-01-26
Re: [PATCH v16 08/11] secretmem: add memcg accounting · Roman Gushchin <hidden> · 2021-01-27
Re: [PATCH v16 08/11] secretmem: add memcg accounting · Michal Hocko <mhocko@suse.com> · 2021-01-28
Re: [PATCH v16 08/11] secretmem: add memcg accounting · Shakeel Butt <hidden> · 2021-01-28
Re: [PATCH v16 08/11] secretmem: add memcg accounting · Michal Hocko <mhocko@suse.com> · 2021-01-28
Re: [PATCH v16 08/11] secretmem: add memcg accounting · Shakeel Butt <hidden> · 2021-01-28
Re: [PATCH v16 08/11] secretmem: add memcg accounting · Michal Hocko <mhocko@suse.com> · 2021-01-26
Re: [PATCH v16 08/11] secretmem: add memcg accounting · Mike Rapoport <rppt@kernel.org> · 2021-01-26
Re: [PATCH v16 08/11] secretmem: add memcg accounting · Michal Hocko <mhocko@suse.com> · 2021-01-26
Re: [PATCH v16 08/11] secretmem: add memcg accounting · Matthew Wilcox <willy@infradead.org> · 2021-01-26
Re: [PATCH v16 08/11] secretmem: add memcg accounting · Shakeel Butt <hidden> · 2021-01-25
Re: [PATCH v16 08/11] secretmem: add memcg accounting · Mike Rapoport <rppt@kernel.org> · 2021-01-25
Re: [PATCH v16 08/11] secretmem: add memcg accounting · Shakeel Butt <hidden> · 2021-01-28
[PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Mike Rapoport <rppt@kernel.org> · 2021-01-21
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Michal Hocko <mhocko@suse.com> · 2021-01-26
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · David Hildenbrand <hidden> · 2021-01-26
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Michal Hocko <mhocko@suse.com> · 2021-01-26
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Mike Rapoport <rppt@kernel.org> · 2021-01-28
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Michal Hocko <mhocko@suse.com> · 2021-01-28
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Christoph Lameter <hidden> · 2021-01-28
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Michal Hocko <mhocko@suse.com> · 2021-01-28
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Christoph Lameter <hidden> · 2021-01-28
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Michal Hocko <mhocko@suse.com> · 2021-01-28
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · James Bottomley <hidden> · 2021-01-28
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Mike Rapoport <rppt@kernel.org> · 2021-01-29
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · James Bottomley <hidden> · 2021-01-28
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Michal Hocko <mhocko@suse.com> · 2021-01-29
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Michal Hocko <mhocko@suse.com> · 2021-01-29
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · James Bottomley <hidden> · 2021-02-01
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Michal Hocko <mhocko@suse.com> · 2021-02-02
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Mike Rapoport <rppt@kernel.org> · 2021-02-02
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · David Hildenbrand <hidden> · 2021-02-02
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Michal Hocko <mhocko@suse.com> · 2021-02-02
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · David Hildenbrand <hidden> · 2021-02-02
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Michal Hocko <mhocko@suse.com> · 2021-02-02
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · David Hildenbrand <hidden> · 2021-02-02
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Michal Hocko <mhocko@suse.com> · 2021-02-02
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · David Hildenbrand <hidden> · 2021-02-02
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Mike Rapoport <rppt@kernel.org> · 2021-02-02
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · James Bottomley <hidden> · 2021-02-02
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Michal Hocko <mhocko@suse.com> · 2021-02-03
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Mike Rapoport <rppt@kernel.org> · 2021-02-04
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Michal Hocko <mhocko@suse.com> · 2021-02-02
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Mike Rapoport <rppt@kernel.org> · 2021-02-02
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Michal Hocko <mhocko@suse.com> · 2021-02-03
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Mike Rapoport <rppt@kernel.org> · 2021-02-04
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Michal Hocko <mhocko@suse.com> · 2021-02-04
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Mike Rapoport <rppt@kernel.org> · 2021-01-29
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · Michal Hocko <mhocko@suse.com> · 2021-01-29
Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation · David Hildenbrand <hidden> · 2021-02-02
[PATCH v16 11/11] secretmem: test: add basic selftest for memfd_secret(2) · Mike Rapoport <rppt@kernel.org> · 2021-01-21
[PATCH v16 10/11] arch, mm: wire up memfd_secret system call where relevant · Mike Rapoport <rppt@kernel.org> · 2021-01-21
Re: [PATCH v16 10/11] arch, mm: wire up memfd_secret system call where relevant · Catalin Marinas <catalin.marinas@arm.com> · 2021-01-25
[PATCH v16 09/11] PM: hibernate: disable when there are active secretmem users · Mike Rapoport <rppt@kernel.org> · 2021-01-21
[PATCH v16 05/11] set_memory: allow querying whether set_direct_map_*() is actually enabled · Mike Rapoport <rppt@kernel.org> · 2021-01-21
[PATCH v16 06/11] mm: introduce memfd_secret system call to create "secret" memory areas · Mike Rapoport <rppt@kernel.org> · 2021-01-21
Re: [PATCH v16 06/11] mm: introduce memfd_secret system call to create "secret" memory areas · Michal Hocko <mhocko@suse.com> · 2021-01-25
Re: [PATCH v16 06/11] mm: introduce memfd_secret system call to create "secret" memory areas · Mike Rapoport <rppt@kernel.org> · 2021-01-25
Re: [PATCH v16 06/11] mm: introduce memfd_secret system call to create "secret" memory areas · Michal Hocko <mhocko@suse.com> · 2021-01-26
Re: [PATCH v16 06/11] mm: introduce memfd_secret system call to create "secret" memory areas · Mike Rapoport <rppt@kernel.org> · 2021-01-26
Re: [PATCH v16 06/11] mm: introduce memfd_secret system call to create "secret" memory areas · Michal Hocko <mhocko@suse.com> · 2021-01-26
Re: [PATCH v16 06/11] mm: introduce memfd_secret system call to create "secret" memory areas · Mike Rapoport <rppt@kernel.org> · 2021-01-26
Re: [PATCH v16 06/11] mm: introduce memfd_secret system call to create "secret" memory areas · Michal Hocko <mhocko@suse.com> · 2021-01-26
Re: [PATCH v16 06/11] mm: introduce memfd_secret system call to create "secret" memory areas · David Hildenbrand <hidden> · 2021-01-26
Re: [PATCH v16 06/11] mm: introduce memfd_secret system call to create "secret" memory areas · Michal Hocko <mhocko@suse.com> · 2021-01-26
Re: [PATCH v16 06/11] mm: introduce memfd_secret system call to create "secret" memory areas · Michal Hocko <mhocko@suse.com> · 2021-01-26
Re: [PATCH v16 06/11] mm: introduce memfd_secret system call to create "secret" memory areas · Michal Hocko <mhocko@suse.com> · 2021-02-03
Re: [PATCH v16 06/11] mm: introduce memfd_secret system call to create "secret" memory areas · Mike Rapoport <rppt@kernel.org> · 2021-02-04
[PATCH v16 03/11] riscv/Kconfig: make direct map manipulation options depend on MMU · Mike Rapoport <rppt@kernel.org> · 2021-01-21
[PATCH v16 04/11] set_memory: allow set_direct_map_*_noflush() for multiple pages · Mike Rapoport <rppt@kernel.org> · 2021-01-21
Re: [PATCH v16 00/11] mm: introduce memfd_secret system call to create "secret" memory areas · Andrew Morton <akpm@linux-foundation.org> · 2021-01-21

Re: [PATCH v16 07/11] secretmem: use PMD-size pages to amortize direct map fragmentation

From: Mike Rapoport <rppt@kernel.org>
Date: 2021-02-04 11:35:16
Also in: linux-api, linux-arch, linux-fsdevel, linux-kselftest, linux-mm, linux-riscv, lkml, nvdimm

On Wed, Feb 03, 2021 at 01:09:30PM +0100, Michal Hocko wrote:

On Tue 02-02-21 10:55:40, James Bottomley wrote:

quoted

On Tue, 2021-02-02 at 20:15 +0200, Mike Rapoport wrote:

quoted

On Tue, Feb 02, 2021 at 03:34:29PM +0100, David Hildenbrand wrote:

quoted

On 02.02.21 15:32, Michal Hocko wrote:

Well the safest security statement is that we never expose the data to
the kernel because it's a very clean security statement and easy to
enforce. It's also the easiest threat model to analyse.   Once we do
start exposing the secret to the kernel it alters the threat profile
and the analysis and obviously potentially provides the ROP gadget to
an attacker to do the same. Instinct tells me that the loss of
security doesn't really make up for the ability to swap or migrate but
if there were a case for doing the latter, it would have to be a
security policy of the user (i.e. a user should be able to decide their
data is too sensitive to expose to the kernel).

The security/threat model should be documented in the changelog as
well. I am not a security expert but I would tend to agree that not
allowing even temporal mapping for data copying (in the kernel) is the
most robust approach. Whether that is generally necessary for users I do
not know.

From the API POV I think it makes sense to have two
modes. NEVER_MAP_IN_KERNEL which would imply no migrateability, no
copy_{from,to}_user, no gup or any other way for the kernel to access
content of the memory. Maybe even zero the content on the last unmap to
never allow any data leak. ALLOW_TEMPORARY would unmap the page from
the direct mapping but it would still allow temporary mappings for
data copying inside the kernel (thus allow CoW, copy*user, migration).
Which one should be default and which an opt-in I do not know. A less
restrictive mode to be default and the more restrictive an opt-in via
flags makes a lot of sense to me though.

The default is already NEVER_MAP_IN_KERNEL, so there is no explicit flag
for this. ALLOW_TEMPORARY should be opt-in, IMHO, and we can add it on top
later on.

-- 
Sincerely yours,
Mike.

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help