Re: [RFC]: mm,power: introduce MADV_WIPEONSUSPEND

From: Alexander Graf <graf@amazon.com>
To: Pavel Machek <pavel@ucw.cz>, Jann Horn <jannh@google.com>
Cc: "Catangiu, Adrian Costin" <acatan@amazon.com>,
	"linux-mm@kvack.org" <linux-mm@kvack.org>,
	"linux-pm@vger.kernel.org" <linux-pm@vger.kernel.org>,
	"virtualization@lists.linux-foundation.org" 
	<virtualization@lists.linux-foundation.org>,
	"linux-api@vger.kernel.org" <linux-api@vger.kernel.org>,
	"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
	"rjw@rjwysocki.net" <rjw@rjwysocki.net>,
	"len.brown@intel.com" <len.brown@intel.com>,
	"mhocko@kernel.org" <mhocko@kernel.org>,
	"fweimer@redhat.com" <fweimer@redhat.com>,
	"keescook@chromium.org" <keescook@chromium.org>,
	"luto@amacapital.net" <luto@amacapital.net>,
	"wad@chromium.org" <wad@chromium.org>,
	"mingo@kernel.org" <mingo@kernel.org>,
	"bonzini@gnu.org" <bonzini@gnu.org>,
	"MacCarthaigh, Colm" <colmmacc@amazon.com>,
	"Singh, Balbir" <sblbir@amazon.com>,
	"Sandu, Andrei" <sandreim@amazon.com>,
	"Brooker, Marc" <mbrooker@amazon.com>,
	"Weiss, Radu" <raduweis@amazon.com>,
	"Manwaring, Derek" <derekmn@amazon.com>
Subject: Re: [RFC]: mm,power: introduce MADV_WIPEONSUSPEND
Date: Mon, 6 Jul 2020 14:26:44 +0200	[thread overview]
Message-ID: <57ab4fb3-3f82-d34f-ad74-2214b45a4dd9@amazon.com> (raw)
In-Reply-To: <20200704114820.GA16083@amd>

On 04.07.20 13:48, Pavel Machek wrote:
> Hi!
> 
>>>> Cryptographic libraries carry pseudo random number generators to
>>>> quickly provide randomness when needed. If such a random pool gets
>>>> cloned, secrets may get revealed, as the same random number may get
>>>> used multiple times. For fork, this was fixed using the WIPEONFORK
>>>> madvise flag [1].
>>>
>>>> Unfortunately, the same problem surfaces when a virtual machine gets
>>>> cloned. The existing flag does not help there. This patch introduces a
>>>> new flag to automatically clear memory contents on VM suspend/resume,
>>>> which will allow random number generators to reseed when virtual
>>>> machines get cloned.
>>>
>>> Umm. If this is real problem, should kernel provide such rng in the
>>> vsdo page using vsyscalls? Kernel can have special interface to its
>>> vsyscalls, but we may not want to offer this functionality to rest of
>>> userland...
>>
>> And then the kernel would just need to maintain a sequence
>> number in the vDSO data page that gets bumped on suspen
> 
> Yes, something like that would work. Plus, we'd be free to change the
> mechanism in future.

So if we keep treading along that train of thought, a simple vsyscall 
that returns an epoch (incremented by every [VM] resume) would be good 
enough, as user space could in its own logic determine whether it's 
still living inside the same epoch.

The beauty of the clearing is that the checks on it are almost free and 
that we can avoid to store secrets on disk in the first place.

The latter I think is impossible to model with the epoch, but that might 
be ok.

Performance wise, I don't think we can make the vsyscall as cheap as a 
memory compare. Keep in mind that we need to check for the epoch in a 
pretty hot path. How bad would it really be? I'm not sure. It might be 
good enough.

My main concern however is around fragmentation of mechanisms. We 
already have the WIPEONFORK semantic in place in user space 
applications. Do we really want to introduce yet another check for 
what's almost the same semantic? With WIPEONSUSPEND, the hot path check 
between fork and suspend are identical. With an epoch, we have to check 
for zeros and the epoch in addition.

Unless we create a vsyscall that returns both the PID as well as the 
epoch and thus handles fork *and* suspend. I need to think about this a 
bit more :).

Alex

Amazon Development Center Germany GmbH
Krausenstr. 38
10117 Berlin
Geschaeftsfuehrung: Christian Schlaeger, Jonathan Weiss
Eingetragen am Amtsgericht Charlottenburg unter HRB 149173 B
Sitz: Berlin
Ust-ID: DE 289 237 879