On Mon, Nov 23, 2020 at 1:54 AM Mike Rapoport rppt@kernel.org wrote:
From: Mike Rapoport rppt@linux.ibm.com
Hi,
This is an implementation of "secret" mappings backed by a file descriptor.
The file descriptor backing secret memory mappings is created using a dedicated memfd_secret system call The desired protection mode for the memory is configured using flags parameter of the system call. The mmap() of the file descriptor created with memfd_secret() will create a "secret" memory mapping. The pages in that mapping will be marked as not present in the direct map and will have desired protection bits set in the user page table. For instance, current implementation allows uncached mappings.
I'm still not ready to ACK uncached mappings on x86. I'm fine with the concept of allowing privileged users to create UC memory on x86 for testing and experimentation, but it's a big can of worms in general. The issues that immediately come to mind are:
- Performance and DoS potential. UC will have bizarre, architecture- and platform-dependent performance characteristics. For all I know, even the access semantics might be architecture dependent. I'm not convinced it's possible to write portable code in C using the uncached feature. I'm also concerned that certain operation (unaligned locks, for example, and possibly any locked access) will trigger bus locks on x86, which, depending on CPU and kernel config will either DoS all other CPUs or send signals. (Or cause the hypervisor to terminate or otherwise penalize the the VM, which would be nasty.)
- Correctness. I have reports that different x86 hypervisors do different things with UC mappings, including treating them as regular WB mappings. So the memory type you get out when you ask for "uncached" might not actually be uncached.
UC is really an MMIO feature, not a "protect my data" feature. Abusing it to protect data is certainly interesting, but I'm far from convinced that it's wise. I'm especially unconvinced that monkey-patching a program to use uncached memory when it expects regular malloced memory is a reasonable thing to do.