From: Andrew Morton <akpm@linux-foundation.org>
To: Mike Rapoport <rppt@kernel.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
Andy Lutomirski <luto@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Borislav Petkov <bp@alien8.de>,
Catalin Marinas <catalin.marinas@arm.com>,
Christopher Lameter <cl@linux.com>,
Dan Williams <dan.j.williams@intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
David Hildenbrand <david@redhat.com>,
Elena Reshetova <elena.reshetova@intel.com>,
"H. Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
James Bottomley <jejb@linux.ibm.com>,
"Kirill A. Shutemov" <kirill@shutemov.name>,
Matthew Wilcox <willy@infradead.org>,
Matthew Garrett <mjg59@srcf.ucam.org>,
Mark Rutland <mark.rutland@arm.com>,
Michal Hocko <mhocko@suse.com>,
Mike Rapoport <rppt@linux.ibm.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Paul Walmsley <paul.walmsley@sifive.com>,
Peter Zijlstra <peterz@infradead.org>,
"Rafael J. Wysocki" <rjw@rjwysocki.net>,
Rick Edgecombe <rick.p.edgecombe@intel.com>,
Roman Gushchin <guro@fb.com>, Shakeel Butt <shakeelb@google.com>,
Shuah Khan <shuah@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Tycho Andersen <tycho@tycho.ws>, Will Deacon <will@kernel.org>,
linux-api@vger.kernel.org, linux-arch@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-nvdimm@lists.01.org, linux-riscv@lists.infradead.org,
x86@kernel.org
Subject: Re: [PATCH v18 0/9] mm: introduce memfd_secret system call to create "secret" memory areas
Date: Wed, 5 May 2021 12:08:06 -0700 [thread overview]
Message-ID: <20210505120806.abfd4ee657ccabf2f221a0eb@linux-foundation.org> (raw)
In-Reply-To: <20210303162209.8609-1-rppt@kernel.org>
On Wed, 3 Mar 2021 18:22:00 +0200 Mike Rapoport <rppt@kernel.org> wrote:
> This is an implementation of "secret" mappings backed by a file descriptor.
>
> The file descriptor backing secret memory mappings is created using a
> dedicated memfd_secret system call The desired protection mode for the
> memory is configured using flags parameter of the system call. The mmap()
> of the file descriptor created with memfd_secret() will create a "secret"
> memory mapping. The pages in that mapping will be marked as not present in
> the direct map and will be present only in the page table of the owning mm.
>
> Although normally Linux userspace mappings are protected from other users,
> such secret mappings are useful for environments where a hostile tenant is
> trying to trick the kernel into giving them access to other tenants
> mappings.
I continue to struggle with this and I don't recall seeing much
enthusiasm from others. Perhaps we're all missing the value point and
some additional selling is needed.
Am I correct in understanding that the overall direction here is to
protect keys (and perhaps other things) from kernel bugs? That if the
kernel was bug-free then there would be no need for this feature? If
so, that's a bit sad. But realistic I guess.
Is this intended to protect keys/etc after the attacker has gained the
ability to run arbitrary kernel-mode code? If so, that seems
optimistic, doesn't it?
I think that a very complete description of the threats which this
feature addresses would be helpful.
WARNING: multiple messages have this Message-ID (diff)
From: Andrew Morton <akpm@linux-foundation.org>
To: Mike Rapoport <rppt@kernel.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
Andy Lutomirski <luto@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Borislav Petkov <bp@alien8.de>,
Catalin Marinas <catalin.marinas@arm.com>,
Christopher Lameter <cl@linux.com>,
Dan Williams <dan.j.williams@intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
David Hildenbrand <david@redhat.com>,
Elena Reshetova <elena.reshetova@intel.com>,
"H. Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
James Bottomley <jejb@linux.ibm.com>,
"Kirill A. Shutemov" <kirill@shutemov.name>,
Matthew Wilcox <willy@infradead.org>,
Matthew Garrett <mjg59@srcf.ucam.org>,
Mark Rutland <mark.rutland@arm.com>,
Michal Hocko <mhocko@suse.com>,
Mike Rapoport <rppt@linux.ibm.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Paul Walmsley <paul.walmsley@sifive.com>,
Peter Zijlstra <peterz@infradead.org>,
"Rafael J. Wysocki" <rjw@rjwysocki.net>,
Rick Edgecombe <rick.p.edgecombe@intel.com>,
Roman Gushchin <guro@fb.com>, Shakeel Butt <shakeelb@google.com>,
Shuah Khan <shuah@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Tycho Andersen <tycho@tycho.ws>, Will Deacon <will@kernel.org>,
linux-api@vger.kernel.org, linux-arch@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-nvdimm@lists.01.org, linux-riscv@lists.infradead.org,
x86@kernel.org
Subject: Re: [PATCH v18 0/9] mm: introduce memfd_secret system call to create "secret" memory areas
Date: Wed, 5 May 2021 12:08:06 -0700 [thread overview]
Message-ID: <20210505120806.abfd4ee657ccabf2f221a0eb@linux-foundation.org> (raw)
In-Reply-To: <20210303162209.8609-1-rppt@kernel.org>
On Wed, 3 Mar 2021 18:22:00 +0200 Mike Rapoport <rppt@kernel.org> wrote:
> This is an implementation of "secret" mappings backed by a file descriptor.
>
> The file descriptor backing secret memory mappings is created using a
> dedicated memfd_secret system call The desired protection mode for the
> memory is configured using flags parameter of the system call. The mmap()
> of the file descriptor created with memfd_secret() will create a "secret"
> memory mapping. The pages in that mapping will be marked as not present in
> the direct map and will be present only in the page table of the owning mm.
>
> Although normally Linux userspace mappings are protected from other users,
> such secret mappings are useful for environments where a hostile tenant is
> trying to trick the kernel into giving them access to other tenants
> mappings.
I continue to struggle with this and I don't recall seeing much
enthusiasm from others. Perhaps we're all missing the value point and
some additional selling is needed.
Am I correct in understanding that the overall direction here is to
protect keys (and perhaps other things) from kernel bugs? That if the
kernel was bug-free then there would be no need for this feature? If
so, that's a bit sad. But realistic I guess.
Is this intended to protect keys/etc after the attacker has gained the
ability to run arbitrary kernel-mode code? If so, that seems
optimistic, doesn't it?
I think that a very complete description of the threats which this
feature addresses would be helpful.
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
WARNING: multiple messages have this Message-ID (diff)
From: Andrew Morton <akpm@linux-foundation.org>
To: Mike Rapoport <rppt@kernel.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
Andy Lutomirski <luto@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Borislav Petkov <bp@alien8.de>,
Catalin Marinas <catalin.marinas@arm.com>,
Christopher Lameter <cl@linux.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
David Hildenbrand <david@redhat.com>,
Elena Reshetova <elena.reshetova@intel.com>,
"H. Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
James Bottomley <jejb@linux.ibm.com>,
"Kirill A. Shutemov" <kirill@shutemov.name>,
Matthew Wilcox <willy@infradead.org>,
Matthew Garrett <mjg59@srcf.ucam.org>,
Mark Rutland <mark.rutland@arm.com>,
Michal Hocko <mhocko@suse.com>,
Mike Rapoport <rppt@linux.ibm.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Paul Walmsley <paul.walmsley@sifive.com>,
Peter Zijlstra <peterz@infradead.org>,
"Rafael J. Wysocki" <rjw@rjwysocki.net>,
Rick Edgecombe <rick.p.edgecombe@intel.com>,
Roman Gushchin <guro@fb.com>, Shakeel Butt <shakeelb@google.com>,
Shuah Khan <shuah@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Tycho Andersen <tycho@tycho.ws>, Will Deacon <will@kernel.org>,
linux-api@vger.kernel.org, linux-arch@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-nvdimm@lists.01.org, linux-riscv@lists.infradead.org,
x86@kernel.org
Subject: Re: [PATCH v18 0/9] mm: introduce memfd_secret system call to create "secret" memory areas
Date: Wed, 5 May 2021 12:08:06 -0700 [thread overview]
Message-ID: <20210505120806.abfd4ee657ccabf2f221a0eb@linux-foundation.org> (raw)
In-Reply-To: <20210303162209.8609-1-rppt@kernel.org>
On Wed, 3 Mar 2021 18:22:00 +0200 Mike Rapoport <rppt@kernel.org> wrote:
> This is an implementation of "secret" mappings backed by a file descriptor.
>
> The file descriptor backing secret memory mappings is created using a
> dedicated memfd_secret system call The desired protection mode for the
> memory is configured using flags parameter of the system call. The mmap()
> of the file descriptor created with memfd_secret() will create a "secret"
> memory mapping. The pages in that mapping will be marked as not present in
> the direct map and will be present only in the page table of the owning mm.
>
> Although normally Linux userspace mappings are protected from other users,
> such secret mappings are useful for environments where a hostile tenant is
> trying to trick the kernel into giving them access to other tenants
> mappings.
I continue to struggle with this and I don't recall seeing much
enthusiasm from others. Perhaps we're all missing the value point and
some additional selling is needed.
Am I correct in understanding that the overall direction here is to
protect keys (and perhaps other things) from kernel bugs? That if the
kernel was bug-free then there would be no need for this feature? If
so, that's a bit sad. But realistic I guess.
Is this intended to protect keys/etc after the attacker has gained the
ability to run arbitrary kernel-mode code? If so, that seems
optimistic, doesn't it?
I think that a very complete description of the threats which this
feature addresses would be helpful.
_______________________________________________
Linux-nvdimm mailing list -- linux-nvdimm@lists.01.org
To unsubscribe send an email to linux-nvdimm-leave@lists.01.org
WARNING: multiple messages have this Message-ID (diff)
From: Andrew Morton <akpm@linux-foundation.org>
To: Mike Rapoport <rppt@kernel.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
Andy Lutomirski <luto@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Borislav Petkov <bp@alien8.de>,
Catalin Marinas <catalin.marinas@arm.com>,
Christopher Lameter <cl@linux.com>,
Dan Williams <dan.j.williams@intel.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
David Hildenbrand <david@redhat.com>,
Elena Reshetova <elena.reshetova@intel.com>,
"H. Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
James Bottomley <jejb@linux.ibm.com>,
"Kirill A. Shutemov" <kirill@shutemov.name>,
Matthew Wilcox <willy@infradead.org>,
Matthew Garrett <mjg59@srcf.ucam.org>,
Mark Rutland <mark.rutland@arm.com>,
Michal Hocko <mhocko@suse.com>,
Mike Rapoport <rppt@linux.ibm.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Paul Walmsley <paul.walmsley@sifive.com>,
Peter Zijlstra <peterz@infradead.org>,
"Rafael J. Wysocki" <rjw@rjwysocki.net>,
Rick Edgecombe <rick.p.edgecombe@intel.com>,
Roman Gushchin <guro@fb.com>, Shakeel Butt <shakeelb@google.com>,
Shuah Khan <shuah@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Tycho Andersen <tycho@tycho.ws>, Will Deacon <will@kernel.org>,
linux-api@vger.kernel.org, linux-arch@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
linux-nvdimm@lists.01.org, linux-riscv@lists.infradead.org,
x86@kernel.org
Subject: Re: [PATCH v18 0/9] mm: introduce memfd_secret system call to create "secret" memory areas
Date: Wed, 5 May 2021 12:08:06 -0700 [thread overview]
Message-ID: <20210505120806.abfd4ee657ccabf2f221a0eb@linux-foundation.org> (raw)
In-Reply-To: <20210303162209.8609-1-rppt@kernel.org>
On Wed, 3 Mar 2021 18:22:00 +0200 Mike Rapoport <rppt@kernel.org> wrote:
> This is an implementation of "secret" mappings backed by a file descriptor.
>
> The file descriptor backing secret memory mappings is created using a
> dedicated memfd_secret system call The desired protection mode for the
> memory is configured using flags parameter of the system call. The mmap()
> of the file descriptor created with memfd_secret() will create a "secret"
> memory mapping. The pages in that mapping will be marked as not present in
> the direct map and will be present only in the page table of the owning mm.
>
> Although normally Linux userspace mappings are protected from other users,
> such secret mappings are useful for environments where a hostile tenant is
> trying to trick the kernel into giving them access to other tenants
> mappings.
I continue to struggle with this and I don't recall seeing much
enthusiasm from others. Perhaps we're all missing the value point and
some additional selling is needed.
Am I correct in understanding that the overall direction here is to
protect keys (and perhaps other things) from kernel bugs? That if the
kernel was bug-free then there would be no need for this feature? If
so, that's a bit sad. But realistic I guess.
Is this intended to protect keys/etc after the attacker has gained the
ability to run arbitrary kernel-mode code? If so, that seems
optimistic, doesn't it?
I think that a very complete description of the threats which this
feature addresses would be helpful.
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2021-05-05 19:08 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-03 16:22 [PATCH v18 0/9] mm: introduce memfd_secret system call to create "secret" memory areas Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` [PATCH v18 1/9] mm: add definition of PMD_PAGE_ORDER Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` [PATCH v18 2/9] mmap: make mlock_future_check() global Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` [PATCH v18 3/9] riscv/Kconfig: make direct map manipulation options depend on MMU Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` [PATCH v18 4/9] set_memory: allow set_direct_map_*_noflush() for multiple pages Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` [PATCH v18 5/9] set_memory: allow querying whether set_direct_map_*() is actually enabled Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` [PATCH v18 6/9] mm: introduce memfd_secret system call to create "secret" memory areas Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` [PATCH v18 7/9] PM: hibernate: disable when there are active secretmem users Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` [PATCH v18 8/9] arch, mm: wire up memfd_secret system call where relevant Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` [PATCH v18 9/9] secretmem: test: add basic selftest for memfd_secret(2) Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-03-03 16:22 ` Mike Rapoport
2021-05-05 19:08 ` Andrew Morton [this message]
2021-05-05 19:08 ` [PATCH v18 0/9] mm: introduce memfd_secret system call to create "secret" memory areas Andrew Morton
2021-05-05 19:08 ` Andrew Morton
2021-05-05 19:08 ` Andrew Morton
2021-05-06 15:26 ` James Bottomley
2021-05-06 15:26 ` James Bottomley
2021-05-06 15:26 ` James Bottomley
2021-05-06 15:26 ` James Bottomley
2021-05-06 16:45 ` David Hildenbrand
2021-05-06 16:45 ` David Hildenbrand
2021-05-06 16:45 ` David Hildenbrand
2021-05-06 16:45 ` David Hildenbrand
2021-05-06 17:05 ` James Bottomley
2021-05-06 17:05 ` James Bottomley
2021-05-06 17:05 ` James Bottomley
2021-05-06 17:05 ` James Bottomley
2021-05-06 17:24 ` David Hildenbrand
2021-05-06 17:24 ` David Hildenbrand
2021-05-06 17:24 ` David Hildenbrand
2021-05-06 17:24 ` David Hildenbrand
2021-05-06 23:16 ` Nick Kossifidis
2021-05-06 23:16 ` Nick Kossifidis
2021-05-06 23:16 ` Nick Kossifidis
2021-05-06 23:16 ` Nick Kossifidis
2021-05-07 7:35 ` David Hildenbrand
2021-05-07 7:35 ` David Hildenbrand
2021-05-07 7:35 ` David Hildenbrand
2021-05-07 7:35 ` David Hildenbrand
2021-05-06 17:33 ` Kees Cook
2021-05-06 17:33 ` Kees Cook
2021-05-06 17:33 ` Kees Cook
2021-05-06 17:33 ` Kees Cook
2021-05-06 18:47 ` James Bottomley
2021-05-06 18:47 ` James Bottomley
2021-05-06 18:47 ` James Bottomley
2021-05-06 18:47 ` James Bottomley
2021-05-07 23:57 ` Kees Cook
2021-05-07 23:57 ` Kees Cook
2021-05-07 23:57 ` Kees Cook
2021-05-07 23:57 ` Kees Cook
2021-05-10 18:02 ` Mike Rapoport
2021-05-10 18:02 ` Mike Rapoport
2021-05-10 18:02 ` Mike Rapoport
2021-05-10 18:02 ` Mike Rapoport
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210505120806.abfd4ee657ccabf2f221a0eb@linux-foundation.org \
--to=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=bp@alien8.de \
--cc=catalin.marinas@arm.com \
--cc=cl@linux.com \
--cc=dan.j.williams@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=david@redhat.com \
--cc=elena.reshetova@intel.com \
--cc=guro@fb.com \
--cc=hpa@zytor.com \
--cc=jejb@linux.ibm.com \
--cc=kirill@shutemov.name \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-nvdimm@lists.01.org \
--cc=linux-riscv@lists.infradead.org \
--cc=luto@kernel.org \
--cc=mark.rutland@arm.com \
--cc=mhocko@suse.com \
--cc=mingo@redhat.com \
--cc=mjg59@srcf.ucam.org \
--cc=mtk.manpages@gmail.com \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=peterz@infradead.org \
--cc=rick.p.edgecombe@intel.com \
--cc=rjw@rjwysocki.net \
--cc=rppt@kernel.org \
--cc=rppt@linux.ibm.com \
--cc=shakeelb@google.com \
--cc=shuah@kernel.org \
--cc=tglx@linutronix.de \
--cc=tycho@tycho.ws \
--cc=viro@zeniv.linux.org.uk \
--cc=will@kernel.org \
--cc=willy@infradead.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.