[PATCH v10 0/9] mm: introduce memfd_secret system call to create "secret" memory areas

Andy Lutomirski luto at kernel.org
Mon Nov 23 10:28:22 EST 2020


On Mon, Nov 23, 2020 at 1:54 AM Mike Rapoport <rppt at kernel.org> wrote:
>
> From: Mike Rapoport <rppt at linux.ibm.com>
>
> Hi,
>
> This is an implementation of "secret" mappings backed by a file descriptor.
>
> The file descriptor backing secret memory mappings is created using a
> dedicated memfd_secret system call The desired protection mode for the
> memory is configured using flags parameter of the system call. The mmap()
> of the file descriptor created with memfd_secret() will create a "secret"
> memory mapping. The pages in that mapping will be marked as not present in
> the direct map and will have desired protection bits set in the user page
> table. For instance, current implementation allows uncached mappings.

I'm still not ready to ACK uncached mappings on x86.  I'm fine with
the concept of allowing privileged users to create UC memory on x86
for testing and experimentation, but it's a big can of worms in
general.  The issues that immediately come to mind are:

- Performance and DoS potential.  UC will have bizarre, architecture-
and platform-dependent performance characteristics.  For all I know,
even the access semantics might be architecture dependent.  I'm not
convinced it's possible to write portable code in C using the uncached
feature.  I'm also concerned that certain operation (unaligned locks,
for example, and possibly any locked access) will trigger bus locks on
x86, which, depending on CPU and kernel config will either DoS all
other CPUs or send signals.  (Or cause the hypervisor to terminate or
otherwise penalize the the VM, which would be nasty.)

 - Correctness.  I have reports that different x86 hypervisors do
different things with UC mappings, including treating them as regular
WB mappings.  So the memory type you get out when you ask for
"uncached" might not actually be uncached.

UC is really an MMIO feature, not a "protect my data" feature.
Abusing it to protect data is certainly interesting, but I'm far from
convinced that it's wise.  I'm especially unconvinced that
monkey-patching a program to use uncached memory when it expects
regular malloced memory is a reasonable thing to do.



More information about the linux-riscv mailing list