From: fei luo
Date: Thu, 2 Dec 2021 18:19:38 +0800
Subject: [RFD] clear virtual machine memory when virtual machine is turned off
To: akpm@linux-foundation.org, mike.kravetz@oracle.com, arnd@arndb.de, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org

Hi,

When running a KVM virtual machine in Linux, because the virtual machine may contain sensitive data, the user may not want these data to remain in memory after the virtual machine is turned off.

Although this part of memory will be cleared before being reused by user-mode programs, the sensitive data staying in memory for a long time will undoubtedly increase the risk of information leakage, so I wonder whether it is possible to add a flag (like MAP_UNMAPZERO) to the mmap(2) system call to indicate that the mapped memory needs to be cleared to zero when unmap is called or when the program exits.

Of course, the page clear operation not only occurs when unmap is called or the program exits; scenarios such as page migration, swap, balloon etc. also need to be considered.

When reusing a page that has already been cleared, there is no need to clear it again, which also speeds up memory allocation for user-mode programs.

Is this feature feasible?

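What user space can do today without the proposed flag, as an added example that is not part of the original message: wipe an anonymous mapping explicitly before `munmap(2)`, and keep it out of swap and core dumps while it is live. The names `secret_region`, `secret_map`, `secret_wipe` and `secret_unmap` are hypothetical; `MAP_UNMAPZERO` itself is only the message's proposal and is not used here.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

/* Hypothetical names: secret_region, secret_map, secret_wipe, secret_unmap. */
struct secret_region {
    unsigned char *addr;
    size_t len;
    int locked;   /* 1 if mlock() succeeded, so pages cannot reach swap */
};

/* Map anonymous memory for secrets; returns 0 on success, -1 on failure. */
int secret_map(struct secret_region *r, size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    r->addr = p;
    r->len = len;
    /* mlock() can fail under RLIMIT_MEMLOCK; record it instead of hiding it. */
    r->locked = (mlock(p, len) == 0);
    /* Best effort: keep the region out of core dumps. */
    (void)madvise(p, len, MADV_DONTDUMP);
    return 0;
}

/* Zero the region with a call the compiler may not elide; returns the
 * number of non-zero bytes left (0 means the wipe is complete). */
size_t secret_wipe(struct secret_region *r)
{
    size_t left = 0;
    explicit_bzero(r->addr, r->len);
    for (size_t i = 0; i < r->len; i++)
        left += (r->addr[i] != 0);
    return left;
}

/* Wipe first, then unmap: the order the proposed flag would enforce. */
int secret_unmap(struct secret_region *r)
{
    if (secret_wipe(r) != 0)
        return -1;
    int rc = munmap(r->addr, r->len);   /* also drops the mlock */
    r->addr = NULL;
    r->len = 0;
    r->locked = 0;
    return rc;
}
```

This only covers the orderly unmap path: a process killed before `secret_unmap()` runs, or a page copied by migration, leaves stale data behind, which is the gap the message describes. Booting the kernel with `init_on_free=1` zeroes pages as they are freed system-wide.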