archive mirror
 help / color / mirror / Atom feed
From: Mike Rapoport <>
To: Andrew Morton <>
Cc: Alexander Viro <>,
	Andy Lutomirski <>, Arnd Bergmann <>,
	Borislav Petkov <>,
	Catalin Marinas <>,
	Christopher Lameter <>,
	Dan Williams <>,
	Dave Hansen <>,
	David Hildenbrand <>,
	Elena Reshetova <>,
	"H. Peter Anvin" <>, Ingo Molnar <>,
	James Bottomley <>,
	"Kirill A. Shutemov" <>,
	Matthew Wilcox <>,
	Mark Rutland <>,
	Mike Rapoport <>,
	Mike Rapoport <>,
	Michael Kerrisk <>,
	Palmer Dabbelt <>,
	Paul Walmsley <>,
	Peter Zijlstra <>,
	Rick Edgecombe <>,
	Shuah Khan <>,
	Thomas Gleixner <>,
	Tycho Andersen <>, Will Deacon <>,,,,,,,,,,
Subject: [PATCH v7 0/7] mm: introduce memfd_secret system call to create "secret" memory areas
Date: Mon, 26 Oct 2020 10:37:45 +0200	[thread overview]
Message-ID: <> (raw)

From: Mike Rapoport <>


This is an implementation of "secret" mappings backed by a file descriptor.

The file descriptor backing secret memory mappings is created using a
dedicated memfd_secret system call The desired protection mode for the
memory is configured using flags parameter of the system call. The mmap()
of the file descriptor created with memfd_secret() will create a "secret"
memory mapping. The pages in that mapping will be marked as not present in
the direct map and will have desired protection bits set in the user page
table. For instance, current implementation allows uncached mappings.

Although normally Linux userspace mappings are protected from other users,
such secret mappings are useful for environments where a hostile tenant is
trying to trick the kernel into giving them access to other tenants

Additionally, in the future the secret mappings may be used as a mean to
protect guest memory in a virtual machine host.

For demonstration of secret memory usage we've created a userspace library

that does two things: the first is act as a preloader for openssl to
redirect all the OPENSSL_malloc calls to secret memory meaning any secret
keys get automatically protected this way and the other thing it does is
expose the API to the user who needs it. We anticipate that a lot of the
use cases would be like the openssl one: many toolkits that deal with
secret keys already have special handling for the memory to try to give
them greater protection, so this would simply be pluggable into the
toolkits without any need for user application modification.

Hiding secret memory mappings behind an anonymous file allows (ab)use of
the page cache for tracking pages allocated for the "secret" mappings as
well as using address_space_operations for e.g. page migration callbacks.

The anonymous file may be also used implicitly, like hugetlb files, to
implement mmap(MAP_SECRET) and use the secret memory areas with "native" mm
ABIs in the future.

To limit fragmentation of the direct map to splitting only PUD-size pages,
I've added an amortizing cache of PMD-size pages to each file descriptor
that is used as an allocation pool for the secret memory areas.

It is easy to add boot time reservation of the memory for secretmem
needs. There was an implementation in earlier version of this set, but I've
dropped it for now as there is no consensus whether the boot time
reservation should be done from memblock or from CMA. I beleive we can have
this discussion after straightening out the basic implementation.

* Use set_direct_map() instead of __kernel_map_pages() to ensure error
  handling in case the direct map update fails
* Add accounting of large pages used to reduce the direct map fragmentation
* Teach get_user_pages() and frieds to refuse get/pin secretmem pages

* Silence the warning about missing syscall, thanks to Qian Cai
* Replace spaces with tabs in Kconfig additions, per Randy
* Add a selftest.

* rebase on v5.9-rc5
* drop boot time memory reservation patch

* rebase on v5.9-rc1
* Do not redefine PMD_PAGE_ORDER in fs/dax.c, thanks Kirill
* Make secret mappings exclusive by default and only require flags to
  memfd_secret() system call for uncached mappings, thanks again Kirill :)

* Squash kernel-parameters.txt update into the commit that added the
  command line option.
* Make uncached mode explicitly selectable by architectures. For now enable
  it only on x86.

* Follow Michael's suggestion and name the new system call 'memfd_secret'
* Add kernel-parameters documentation about the boot option
* Fix i386-tinyconfig regression reported by the kbuild bot.
  CONFIG_SECRETMEM now depends on !EMBEDDED to disable it on small systems
  from one side and still make it available unconditionally on
  architectures that support SET_DIRECT_MAP.


Mike Rapoport (8):
  mm: add definition of PMD_PAGE_ORDER
  mmap: make mlock_future_check() global
  set_memory: allow set_direct_map_*_noflush() for multiple pages
  mm: introduce memfd_secret system call to create "secret" memory areas
  arch, mm: wire up memfd_secret system call were relevant
  mm: secretmem: use PMD-size pages to amortize direct map fragmentation
  secretmem: test: add basic selftest for memfd_secret(2)
  mm: secretmem: add ability to reserve memory at boot

 arch/Kconfig                              |   7 +
 arch/arm64/include/asm/cacheflush.h       |   4 +-
 arch/arm64/include/asm/unistd.h           |   2 +-
 arch/arm64/include/asm/unistd32.h         |   2 +
 arch/arm64/include/uapi/asm/unistd.h      |   1 +
 arch/arm64/mm/pageattr.c                  |  10 +-
 arch/riscv/include/asm/set_memory.h       |   4 +-
 arch/riscv/include/asm/unistd.h           |   1 +
 arch/riscv/mm/pageattr.c                  |   8 +-
 arch/x86/Kconfig                          |   1 +
 arch/x86/entry/syscalls/syscall_32.tbl    |   1 +
 arch/x86/entry/syscalls/syscall_64.tbl    |   1 +
 arch/x86/include/asm/set_memory.h         |   4 +-
 arch/x86/mm/pat/set_memory.c              |   8 +-
 fs/dax.c                                  |  11 +-
 include/linux/pgtable.h                   |   3 +
 include/linux/set_memory.h                |   4 +-
 include/linux/syscalls.h                  |   1 +
 include/uapi/asm-generic/unistd.h         |   7 +-
 include/uapi/linux/magic.h                |   1 +
 include/uapi/linux/secretmem.h            |   8 +
 kernel/sys_ni.c                           |   2 +
 mm/Kconfig                                |   4 +
 mm/Makefile                               |   1 +
 mm/gup.c                                  |  10 +
 mm/internal.h                             |   3 +
 mm/mmap.c                                 |   5 +-
 mm/secretmem.c                            | 487 ++++++++++++++++++++++
 mm/vmalloc.c                              |   5 +-
 scripts/                  |   4 +
 tools/testing/selftests/vm/.gitignore     |   1 +
 tools/testing/selftests/vm/Makefile       |   3 +-
 tools/testing/selftests/vm/memfd_secret.c | 296 +++++++++++++
 tools/testing/selftests/vm/run_vmtests    |  17 +
 34 files changed, 892 insertions(+), 35 deletions(-)
 create mode 100644 include/uapi/linux/secretmem.h
 create mode 100644 mm/secretmem.c
 create mode 100644 tools/testing/selftests/vm/memfd_secret.c


             reply	other threads:[~2020-10-26  8:38 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-26  8:37 Mike Rapoport [this message]
2020-10-26  8:37 ` [PATCH v7 1/7] mm: add definition of PMD_PAGE_ORDER Mike Rapoport
2020-10-27  8:26   ` David Hildenbrand
2020-10-26  8:37 ` [PATCH v7 2/7] mmap: make mlock_future_check() global Mike Rapoport
2020-10-26  8:37 ` [PATCH v7 3/7] set_memory: allow set_direct_map_*_noflush() for multiple pages Mike Rapoport
2020-10-26 19:01   ` Edgecombe, Rick P
2020-10-27  8:12     ` David Hildenbrand
2020-10-27  9:48       ` Mike Rapoport
2020-10-26  8:37 ` [PATCH v7 4/7] mm: introduce memfd_secret system call to create "secret" memory areas Mike Rapoport
2020-10-26  8:37 ` [PATCH v7 5/7] arch, mm: wire up memfd_secret system call were relevant Mike Rapoport
2020-10-26  8:37 ` [PATCH v7 6/7] mm: secretmem: use PMD-size pages to amortize direct map fragmentation Mike Rapoport
2020-10-26  8:37 ` [PATCH v7 7/7] secretmem: test: add basic selftest for memfd_secret(2) Mike Rapoport

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).