From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.0 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_MUTT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 102E0C31E57 for ; Mon, 17 Jun 2019 09:10:52 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D725D2080C for ; Mon, 17 Jun 2019 09:10:51 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="F60cT2pW" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727966AbfFQJKu (ORCPT ); Mon, 17 Jun 2019 05:10:50 -0400 Received: from merlin.infradead.org ([205.233.59.134]:58960 "EHLO merlin.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726753AbfFQJKu (ORCPT ); Mon, 17 Jun 2019 05:10:50 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=merlin.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=lSBxG3pslaMoZ4q5LfNT8Zk++zn3HV9csalZ1zH5zZQ=; b=F60cT2pWFaw+0bzwXk+QRPjac SQSBB/T3pjj2vvFitGT/VQMox0OWHFlY644jDhByelCvdv36dXHlHs3LZfXBNZLOcSyAel99wBGkY dFsCansXAOcFaLXJODF/MXDuQ8yJInHw7J7paI8oo77fjHJJkvvsAKzyfXfCipuAVRZfyrQpHtdD/ QM8OcVqmrDNHs8qOYqIJsH4Lf8t+jhkz5jV/yXzAdo16KalPAs6LpG1ubmATO7b7shkE064qeSkQM bPPwCnc+sKzykEJ6dtXc1BDAiu59261Ly0WOF5HSco5f1OwG4zfFkrhkepGAG9wwbbdLQXTYyNU1T uXZZrXUnQ==; Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=hirez.programming.kicks-ass.net) by merlin.infradead.org with esmtpsa (Exim 4.92 #3 (Red Hat Linux)) id 1hcnf0-0005x4-8P; Mon, 17 Jun 2019 09:10:42 +0000 Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000) id 0782E2025A803; Mon, 17 Jun 2019 11:10:41 +0200 (CEST) Date: Mon, 17 Jun 2019 11:10:40 +0200 From: Peter Zijlstra To: Dave Hansen Cc: Alison Schofield , "Kirill A. Shutemov" , Andrew Morton , x86@kernel.org, Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , Borislav Petkov , Andy Lutomirski , David Howells , Kees Cook , Kai Huang , Jacob Pan , linux-mm@kvack.org, kvm@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH, RFC 44/62] x86/mm: Set KeyIDs in encrypted VMAs for MKTME Message-ID: <20190617091040.GZ3436@hirez.programming.kicks-ass.net> References: <20190508144422.13171-1-kirill.shutemov@linux.intel.com> <20190508144422.13171-45-kirill.shutemov@linux.intel.com> <20190614114408.GD3436@hirez.programming.kicks-ass.net> <20190614173345.GB5917@alison-desk.jf.intel.com> <20190614184602.GB7252@alison-desk.jf.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jun 14, 2019 at 12:11:23PM -0700, Dave Hansen wrote: > On 6/14/19 11:46 AM, Alison Schofield wrote: > > On Fri, Jun 14, 2019 at 11:26:10AM -0700, Dave Hansen wrote: > >> On 6/14/19 10:33 AM, Alison Schofield wrote: > >>> Preserving the data across encryption key changes has not > >>> been a requirement. I'm not clear if it was ever considered > >>> and rejected. I believe that copying in order to preserve > >>> the data was never considered. > >> > >> We could preserve the data pretty easily. It's just annoying, though. > >> Right now, our only KeyID conversions happen in the page allocator. If > >> we were to convert in-place, we'd need something along the lines of: > >> > >> 1. Allocate a scratch page > >> 2. Unmap target page, or at least make it entirely read-only > >> 3. Copy plaintext into scratch page > >> 4. Do cache KeyID conversion of page being converted: > >> Flush caches, change page_ext metadata > >> 5. Copy plaintext back into target page from scratch area > >> 6. Re-establish PTEs with new KeyID > > > > Seems like the 'Copy plaintext' steps might disappoint the user, as > > much as the 'we don't preserve your data' design. Would users be happy > > w the plain text steps ? > > Well, it got to be plaintext because they wrote it to memory in > plaintext in the first place, so it's kinda hard to disappoint them. :) > > IMNHO, the *vast* majority of cases, folks will allocate memory and then > put a secret in it. They aren't going to *get* a secret in some > mysterious fashion and then later decide they want to protect it. In > other words, the inability to convert it is pretty academic and not > worth the complexity. I'm not saying it is (required to preserve); but I do think it is somewhat surprising to have an mprotect() call destroy content. It's traditionally specified to not do that.