On Tue, 2021-02-16 at 17:34 +0100, David Hildenbrand wrote:
On 16.02.21 17:25, James Bottomley wrote:
On Mon, 2021-02-15 at 20:20 +0100, Michal Hocko wrote: [...]
What kind of flags are we talking about and why would that be a problem with memfd_create interface? Could you be more specific please?
You mean what were the ioctl flags in the patch series linked above? They were SECRETMEM_EXCLUSIVE and SECRETMEM_UNCACHED in patch 3/5.
OK I see. How many potential modes are we talking about? A few or potentially many?
Well I initially thought there were two (uncached or not) until you came up with the migratable or non-migratable, which affects the security properties. But now there's also potential for hardware backing, like mktme, described by flags as well. I suppose you could also use RDT to restrict which cache the data goes into: say L1 but not L2 on to lessen the impact of fully uncached (although the big thrust of uncached was to blunt hyperthread side channels). So there is potential for quite a large expansion even though I'd be willing to bet that a lot of the modes people have thought about turn out not to be very effective in the field.
Thanks for the insight. I remember that even the "uncached" parts was effectively nacked by x86 maintainers (I might be wrong).
It wasn't liked by x86 maintainers, no. Plus there's no architecturally standard mechanism for making a page uncached and, as the arm people pointed out, sometimes no way of ensuring it's never cached.
For the other parts, the question is what we actually want to let user space configure.
Being able to specify "Very secure" "maximum secure" "average secure" all doesn't really make sense to me.
Well, it doesn't to me either unless the user feels a cost/benefit, so if max cost $100 per invocation and average cost nothing, most people would chose average unless they had a very good reason not to. In your migratable model, if we had separate limits for non-migratable and migratable, with non-migratable being set low to prevent exhaustion, max secure becomes a highly scarce resource, whereas average secure is abundant then having the choice might make sense.
The discussion regarding migratability only really popped up because this is a user-visible thing and not being able to migrate can be a real problem (fragmentation, ZONE_MOVABLE, ...).
I think the biggest use will potentially come from hardware acceleration. If it becomes simple to add say encryption to a secret page with no cost, then no flag needed. However, if we only have a limited number of keys so once we run out no more encrypted memory then it becomes a costly resource and users might want a choice of being backed by encryption or not.
James