From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4D1FFC433E0 for ; Mon, 22 Feb 2021 10:51:40 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id D2AD864E04 for ; Mon, 22 Feb 2021 10:51:39 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D2AD864E04 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Type: Content-Transfer-Encoding:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:Date:Message-ID:Subject: References:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=Y3NtyZubJ/zdgDrtKO5ypXW/xvQz8Au33PQp42CZuJw=; b=FE3NQytAMACJDaN1N2rwMCdIE LY3GL8tLwdcnjdzcnom3rAeOuq7vusQB9fE66jKoQM4QCBHe46wF85gOCk5wAuHKTb/MOqnbI16Tg O5BpxMcIHNZv7xcYRd0JCImV6OqiNCAIp5V2g6b5bDgzlzZBeg91l2/n2PWKWKCvk0TbXj7pioEaE wNE61cpWdM+pjFRuHn6Y8WcNmm9FpgYO72xVKx6uF4eb9DfZ5r4a2yLuxoXwxjz2bMrBS5kFsdIfy Cz6PSBNq83BUl2xj40BTMcHhyCuZKRL2NFyQ6JlFFaC1Nsjdsa6rs4okMtwLpZF40Aiew6/2Gm4Tf 6IdZJXkpg==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1lE8nL-0001RM-P4; Mon, 22 Feb 2021 10:50:27 +0000 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1lE8nG-0001PC-Ar for linux-arm-kernel@lists.infradead.org; Mon, 22 Feb 2021 10:50:25 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1613991021; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=B5Wwlru6GdzCo3Pp8y35Np82fHYLWpJqEicYWng65cw=; b=FdvkyOBmZeei7QJsFpH+WCZmLFOVd6LoIZY5GUKnc7ZOnIDanPNF3bPJksp96A3LTnZhMG 2Hr4YYlFDYQwwVyaDkONmEVs/rafO0bXPnvJ5OHitZBTzHzssHgORvDTaQnJ4rAuqSwBOV LzZUT7Jlq24YnYg2C4AlWC3WN3VeuGQ= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-367-FssqEYNDO-izvW_G71aw3w-1; Mon, 22 Feb 2021 05:50:17 -0500 X-MC-Unique: FssqEYNDO-izvW_G71aw3w-1 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 37EEA100CC88; Mon, 22 Feb 2021 10:50:12 +0000 (UTC) Received: from [10.36.115.16] (ovpn-115-16.ams2.redhat.com [10.36.115.16]) by smtp.corp.redhat.com (Postfix) with ESMTP id 61DED7771A; Mon, 22 Feb 2021 10:50:03 +0000 (UTC) From: David Hildenbrand To: jejb@linux.ibm.com, Michal Hocko References: <20210214091954.GM242749@kernel.org> <052DACE9-986B-424C-AF8E-D6A4277DE635@redhat.com> <244f86cba227fa49ca30cd595c4e5538fe2f7c2b.camel@linux.ibm.com> <12c3890b233c8ec8e3967352001a7b72a8e0bfd0.camel@linux.ibm.com> <000cfaa0a9a09f07c5e50e573393cda301d650c9.camel@linux.ibm.com> <5a8567a9-6940-c23f-0927-e4b5c5db0d5e@redhat.com> <304e4c9d-81aa-20ac-cfbe-245ed0de9a86@redhat.com> Organization: Red Hat GmbH Subject: Re: [PATCH v17 07/10] mm: introduce memfd_secret system call to create "secret" memory areas Message-ID: <878ca057-3262-179d-eb9b-a26829307d09@redhat.com> Date: Mon, 22 Feb 2021 11:50:02 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0 MIME-Version: 1.0 In-Reply-To: <304e4c9d-81aa-20ac-cfbe-245ed0de9a86@redhat.com> Content-Language: en-US X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210222_055022_521278_3A92C8BF X-CRM114-Status: GOOD ( 27.48 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Mark Rutland , Peter Zijlstra , Catalin Marinas , Dave Hansen , linux-mm@kvack.org, linux-kselftest@vger.kernel.org, "H. Peter Anvin" , Christopher Lameter , Shuah Khan , Thomas Gleixner , Elena Reshetova , linux-arch@vger.kernel.org, Tycho Andersen , linux-nvdimm@lists.01.org, Will Deacon , x86@kernel.org, Matthew Wilcox , Mike Rapoport , Ingo Molnar , Michael Kerrisk , Palmer Dabbelt , Arnd Bergmann , Hagen Paul Pfeifer , Borislav Petkov , Alexander Viro , Andy Lutomirski , Paul Walmsley , "Kirill A. Shutemov" , Dan Williams , linux-arm-kernel@lists.infradead.org, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, Palmer Dabbelt , linux-fsdevel@vger.kernel.org, Shakeel Butt , Andrew Morton , Rick Edgecombe , Roman Gushchin , Mike Rapoport Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On 22.02.21 10:38, David Hildenbrand wrote: > On 17.02.21 17:19, James Bottomley wrote: >> On Tue, 2021-02-16 at 18:16 +0100, David Hildenbrand wrote: >> [...] >>>>> The discussion regarding migratability only really popped up >>>>> because this is a user-visible thing and not being able to >>>>> migrate can be a real problem (fragmentation, ZONE_MOVABLE, ...). >>>> >>>> I think the biggest use will potentially come from hardware >>>> acceleration. If it becomes simple to add say encryption to a >>>> secret page with no cost, then no flag needed. However, if we only >>>> have a limited number of keys so once we run out no more encrypted >>>> memory then it becomes a costly resource and users might want a >>>> choice of being backed by encryption or not. >>> >>> Right. But wouldn't HW support with configurable keys etc. need more >>> syscall parameters (meaning, even memefd_secret() as it is would not >>> be sufficient?). I suspect the simplistic flag approach might not >>> be sufficient. I might be wrong because I have no clue about MKTME >>> and friends. >> >> The theory I was operating under is key management is automatic and >> hidden, but key scarcity can't be, so if you flag requesting hardware >> backing then you either get success (the kernel found a key) or failure >> (the kernel is out of keys). If we actually want to specify the key >> then we need an extra argument and we *must* have a new system call. >> >>> Anyhow, I still think extending memfd_create() might just be good >>> enough - at least for now. >> >> I really think this is the wrong approach for a user space ABI. If we >> think we'll ever need to move to a separate syscall, we should begin >> with one. The pain of trying to shift userspace from memfd_create to a >> new syscall would be enormous. It's not impossible (see clone3) but >> it's a pain we should avoid if we know it's coming. > > Sorry for the late reply, there is just too much going on :) > > *If* we ever realize we need to pass more parameters we can easily have > a new syscall for that purpose. *Then*, we know how that syscall will > look like. Right now, it's just pure speculation. > > Until then, going with memfd_create() works just fine IMHO. > > The worst think that could happen is that we might not be able to create > all fancy sectremem flavors in the future via memfd_create() but only > via different, highly specialized syscall. I don't see a real problem > with that. > Adding to that, I'll give up arguing now as I have more important things to do. It has been questioned by various people why we need a dedicate syscall and at least for me, without a satisfying answer. Worst thing is that we end up with a syscall that could have been avoided, for example, because 1. We add existing/future memfd_create() flags to memfd_secret() as well when we need them (sealing, hugetlb., ..). 2. We decide in the future to still add MFD_SECRET support to memfd_secret(). So be it. -- Thanks, David / dhildenb _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel