[v6,0/6] mm: introduce memfd_secret system call to create "secret" memory areas

From: Mike Rapoport <rppt@linux.ibm.com>

Hi,

This is an implementation of "secret" mappings backed by a file descriptor. 
I've dropped the boot time reservation patch for now as it is not strictly
required for the basic usage and can be easily added later either with or
without CMA.

v6 changes:
* Silence the warning about missing syscall, thanks to Qian Cai
* Replace spaces with tabs in Kconfig additions, per Randy
* Add a selftest. 

v5 changes:
* rebase on v5.9-rc5
* drop boot time memory reservation patch

v4 changes:
* rebase on v5.9-rc1
* Do not redefine PMD_PAGE_ORDER in fs/dax.c, thanks Kirill
* Make secret mappings exclusive by default and only require flags to
  memfd_secret() system call for uncached mappings, thanks again Kirill :)

v3 changes:
* Squash kernel-parameters.txt update into the commit that added the
  command line option.
* Make uncached mode explicitly selectable by architectures. For now enable
  it only on x86.

v2 changes:
* Follow Michael's suggestion and name the new system call 'memfd_secret'
* Add kernel-parameters documentation about the boot option
* Fix i386-tinyconfig regression reported by the kbuild bot.
  CONFIG_SECRETMEM now depends on !EMBEDDED to disable it on small systems
  from one side and still make it available unconditionally on
  architectures that support SET_DIRECT_MAP.

The file descriptor backing secret memory mappings is created using a
dedicated memfd_secret system call The desired protection mode for the
memory is configured using flags parameter of the system call. The mmap()
of the file descriptor created with memfd_secret() will create a "secret"
memory mapping. The pages in that mapping will be marked as not present in
the direct map and will have desired protection bits set in the user page
table. For instance, current implementation allows uncached mappings.

Although normally Linux userspace mappings are protected from other users, 
such secret mappings are useful for environments where a hostile tenant is
trying to trick the kernel into giving them access to other tenants
mappings.

Additionally, the secret mappings may be used as a mean to protect guest
memory in a virtual machine host.

For demonstration of secret memory usage we've created a userspace library
[1] that does two things: the first is act as a preloader for openssl to
redirect all the OPENSSL_malloc calls to secret memory meaning any secret
keys get automatically protected this way and the other thing it does is
expose the API to the user who needs it. We anticipate that a lot of the
use cases would be like the openssl one: many toolkits that deal with
secret keys already have special handling for the memory to try to give
them greater protection, so this would simply be pluggable into the
toolkits without any need for user application modification.

I've hesitated whether to continue to use new flags to memfd_create() or to
add a new system call and I've decided to use a new system call after I've
started to look into man pages update. There would have been two completely
independent descriptions and I think it would have been very confusing.

Hiding secret memory mappings behind an anonymous file allows (ab)use of
the page cache for tracking pages allocated for the "secret" mappings as
well as using address_space_operations for e.g. page migration callbacks.

The anonymous file may be also used implicitly, like hugetlb files, to
implement mmap(MAP_SECRET) and use the secret memory areas with "native" mm
ABIs in the future.

As the fragmentation of the direct map was one of the major concerns raised
during the previous postings, I've added an amortizing cache of PMD-size
pages to each file descriptor that is used as an allocation pool for the
secret memory areas.

v5: https://lore.kernel.org/lkml/20200916073539.3552-1-rppt@kernel.org
v4: https://lore.kernel.org/lkml/20200818141554.13945-1-rppt@kernel.org
v3: https://lore.kernel.org/lkml/20200804095035.18778-1-rppt@kernel.org
v2: https://lore.kernel.org/lkml/20200727162935.31714-1-rppt@kernel.org
v1: https://lore.kernel.org/lkml/20200720092435.17469-1-rppt@kernel.org

Mike Rapoport (6):
  mm: add definition of PMD_PAGE_ORDER
  mmap: make mlock_future_check() global
  mm: introduce memfd_secret system call to create "secret" memory areas
  arch, mm: wire up memfd_secret system call were relevant
  mm: secretmem: use PMD-size pages to amortize direct map fragmentation
  secretmem: test: add basic selftest for memfd_secret(2)

 arch/Kconfig                              |   7 +
 arch/arm64/include/asm/unistd.h           |   2 +-
 arch/arm64/include/asm/unistd32.h         |   2 +
 arch/arm64/include/uapi/asm/unistd.h      |   1 +
 arch/riscv/include/asm/unistd.h           |   1 +
 arch/x86/Kconfig                          |   1 +
 arch/x86/entry/syscalls/syscall_32.tbl    |   1 +
 arch/x86/entry/syscalls/syscall_64.tbl    |   1 +
 fs/dax.c                                  |  11 +-
 include/linux/pgtable.h                   |   3 +
 include/linux/syscalls.h                  |   1 +
 include/uapi/asm-generic/unistd.h         |   7 +-
 include/uapi/linux/magic.h                |   1 +
 include/uapi/linux/secretmem.h            |   8 +
 kernel/sys_ni.c                           |   2 +
 mm/Kconfig                                |   4 +
 mm/Makefile                               |   1 +
 mm/internal.h                             |   3 +
 mm/mmap.c                                 |   5 +-
 mm/secretmem.c                            | 333 ++++++++++++++++++++++
 scripts/checksyscalls.sh                  |   4 +
 tools/testing/selftests/vm/.gitignore     |   1 +
 tools/testing/selftests/vm/Makefile       |   3 +-
 tools/testing/selftests/vm/memfd_secret.c | 296 +++++++++++++++++++
 tools/testing/selftests/vm/run_vmtests    |  17 ++
 25 files changed, 703 insertions(+), 13 deletions(-)
 create mode 100644 include/uapi/linux/secretmem.h
 create mode 100644 mm/secretmem.c
 create mode 100644 tools/testing/selftests/vm/memfd_secret.c

On Thu, 24 Sep 2020 16:28:58 +0300 Mike Rapoport <rppt@kernel.org> wrote:

> From: Mike Rapoport <rppt@linux.ibm.com>
> 
> Hi,
> 
> This is an implementation of "secret" mappings backed by a file descriptor. 
> I've dropped the boot time reservation patch for now as it is not strictly
> required for the basic usage and can be easily added later either with or
> without CMA.
> 
> ...
> 
> The file descriptor backing secret memory mappings is created using a
> dedicated memfd_secret system call The desired protection mode for the
> memory is configured using flags parameter of the system call. The mmap()
> of the file descriptor created with memfd_secret() will create a "secret"
> memory mapping. The pages in that mapping will be marked as not present in
> the direct map and will have desired protection bits set in the user page
> table. For instance, current implementation allows uncached mappings.
> 
> Although normally Linux userspace mappings are protected from other users, 
> such secret mappings are useful for environments where a hostile tenant is
> trying to trick the kernel into giving them access to other tenants
> mappings.
> 
> Additionally, the secret mappings may be used as a mean to protect guest
> memory in a virtual machine host.
> 
> For demonstration of secret memory usage we've created a userspace library
> [1] that does two things: the first is act as a preloader for openssl to

I can find no [1].

I'm not a fan of the enumerated footnote thing.  Why not inline the url
right here so readers don't need to jump around?

On Thu, Sep 24, 2020 at 07:34:28PM -0700, Andrew Morton wrote:
> On Thu, 24 Sep 2020 16:28:58 +0300 Mike Rapoport <rppt@kernel.org> wrote:
> 
> > From: Mike Rapoport <rppt@linux.ibm.com>
> > 
> > Hi,
> > 
> > This is an implementation of "secret" mappings backed by a file descriptor. 
> > I've dropped the boot time reservation patch for now as it is not strictly
> > required for the basic usage and can be easily added later either with or
> > without CMA.
> > 
> > ...
> > 
> > The file descriptor backing secret memory mappings is created using a
> > dedicated memfd_secret system call The desired protection mode for the
> > memory is configured using flags parameter of the system call. The mmap()
> > of the file descriptor created with memfd_secret() will create a "secret"
> > memory mapping. The pages in that mapping will be marked as not present in
> > the direct map and will have desired protection bits set in the user page
> > table. For instance, current implementation allows uncached mappings.
> > 
> > Although normally Linux userspace mappings are protected from other users, 
> > such secret mappings are useful for environments where a hostile tenant is
> > trying to trick the kernel into giving them access to other tenants
> > mappings.
> > 
> > Additionally, the secret mappings may be used as a mean to protect guest
> > memory in a virtual machine host.
> > 
> > For demonstration of secret memory usage we've created a userspace library
> > [1] that does two things: the first is act as a preloader for openssl to
> 
> I can find no [1].

Oops, sorry. It's

https://git.kernel.org/pub/scm/linux/kernel/git/jejb/secret-memory-preloader.git/

> I'm not a fan of the enumerated footnote thing.  Why not inline the url
> right here so readers don't need to jump around?
> 
>

On Thu, Sep 24, 2020 at 04:29:03PM +0300, Mike Rapoport wrote:
> From: Mike Rapoport <rppt@linux.ibm.com>

> 

> Removing a PAGE_SIZE page from the direct map every time such page is

> allocated for a secret memory mapping will cause severe fragmentation of

> the direct map. This fragmentation can be reduced by using PMD-size pages

> as a pool for small pages for secret memory mappings.

> 

> Add a gen_pool per secretmem inode and lazily populate this pool with

> PMD-size pages.


What's the actual efficacy of this? Since the pmd is per inode, all I
need is a lot of inodes and we're in business to destroy the directmap,
no?

Afaict there's no privs needed to use this, all a process needs is to
stay below the mlock limit, so a 'fork-bomb' that maps a single secret
page will utterly destroy the direct map.

I really don't like this, at all.

IIRC Kirill looked at merging the directmap. I think he ran into
performance issues there, but we really need something like that before
something like this lands.

On 25.09.20 09:41, Peter Zijlstra wrote:
> On Thu, Sep 24, 2020 at 04:29:03PM +0300, Mike Rapoport wrote:
>> From: Mike Rapoport <rppt@linux.ibm.com>
>>
>> Removing a PAGE_SIZE page from the direct map every time such page is
>> allocated for a secret memory mapping will cause severe fragmentation of
>> the direct map. This fragmentation can be reduced by using PMD-size pages
>> as a pool for small pages for secret memory mappings.
>>
>> Add a gen_pool per secretmem inode and lazily populate this pool with
>> PMD-size pages.
> 
> What's the actual efficacy of this? Since the pmd is per inode, all I
> need is a lot of inodes and we're in business to destroy the directmap,
> no?
> 
> Afaict there's no privs needed to use this, all a process needs is to
> stay below the mlock limit, so a 'fork-bomb' that maps a single secret
> page will utterly destroy the direct map.
> 
> I really don't like this, at all.

As I expressed earlier, I would prefer allowing allocation of secretmem
only from a previously defined CMA area. This would physically locally
limit the pain.

But my suggestion was not well received :)

On Fri, Sep 25, 2020 at 11:00:30AM +0200, David Hildenbrand wrote:
> On 25.09.20 09:41, Peter Zijlstra wrote:

> > On Thu, Sep 24, 2020 at 04:29:03PM +0300, Mike Rapoport wrote:

> >> From: Mike Rapoport <rppt@linux.ibm.com>

> >>

> >> Removing a PAGE_SIZE page from the direct map every time such page is

> >> allocated for a secret memory mapping will cause severe fragmentation of

> >> the direct map. This fragmentation can be reduced by using PMD-size pages

> >> as a pool for small pages for secret memory mappings.

> >>

> >> Add a gen_pool per secretmem inode and lazily populate this pool with

> >> PMD-size pages.

> > 

> > What's the actual efficacy of this? Since the pmd is per inode, all I

> > need is a lot of inodes and we're in business to destroy the directmap,

> > no?

> > 

> > Afaict there's no privs needed to use this, all a process needs is to

> > stay below the mlock limit, so a 'fork-bomb' that maps a single secret

> > page will utterly destroy the direct map.

> > 

> > I really don't like this, at all.

> 

> As I expressed earlier, I would prefer allowing allocation of secretmem

> only from a previously defined CMA area. This would physically locally

> limit the pain.


Given that this thing doesn't have a migrate hook, that seems like an
eminently reasonable contraint. Because not only will it mess up the
directmap, it will also destroy the ability of the page-allocator /
compaction to re-form high order blocks by sprinkling holes throughout.

Also, this is all very close to XPFO, yet I don't see that mentioned
anywhere.

Further still, it has this HAVE_SECRETMEM_UNCACHED nonsense which is
completely unused. I'm not at all sure exposing UNCACHED to random
userspace is a sane idea.

Hi,

Sorry to come to this so late; I've been meaning to provide feedback on
this for a while but have been indisposed for a bit due to an injury.

On Fri, Sep 25, 2020 at 11:50:29AM +0200, Peter Zijlstra wrote:
> On Fri, Sep 25, 2020 at 11:00:30AM +0200, David Hildenbrand wrote:

> > On 25.09.20 09:41, Peter Zijlstra wrote:

> > > On Thu, Sep 24, 2020 at 04:29:03PM +0300, Mike Rapoport wrote:

> > >> From: Mike Rapoport <rppt@linux.ibm.com>

> > >>

> > >> Removing a PAGE_SIZE page from the direct map every time such page is

> > >> allocated for a secret memory mapping will cause severe fragmentation of

> > >> the direct map. This fragmentation can be reduced by using PMD-size pages

> > >> as a pool for small pages for secret memory mappings.

> > >>

> > >> Add a gen_pool per secretmem inode and lazily populate this pool with

> > >> PMD-size pages.

> > > 

> > > What's the actual efficacy of this? Since the pmd is per inode, all I

> > > need is a lot of inodes and we're in business to destroy the directmap,

> > > no?

> > > 

> > > Afaict there's no privs needed to use this, all a process needs is to

> > > stay below the mlock limit, so a 'fork-bomb' that maps a single secret

> > > page will utterly destroy the direct map.

> > > 

> > > I really don't like this, at all.

> > 

> > As I expressed earlier, I would prefer allowing allocation of secretmem

> > only from a previously defined CMA area. This would physically locally

> > limit the pain.

> 

> Given that this thing doesn't have a migrate hook, that seems like an

> eminently reasonable contraint. Because not only will it mess up the

> directmap, it will also destroy the ability of the page-allocator /

> compaction to re-form high order blocks by sprinkling holes throughout.

> 

> Also, this is all very close to XPFO, yet I don't see that mentioned

> anywhere.


Agreed. I think if we really need something like this, something between
XPFO and DEBUG_PAGEALLOC would be generally better, since:

* Secretmem puts userspace in charge of kernel internals (AFAICT without
  any ulimits?), so that seems like an avenue for malicious or buggy
  userspace to exploit and trigger DoS, etc. The other approaches leave
  the kernel in charge at all times, and it's a system-level choice
  which is easier to reason about and test.

* Secretmem interaction with existing ABIs is unclear. Should uaccess
  primitives work for secretmem? If so, this means that it's not valid
  to transform direct uaccesses in syscalls etc into accesses via the
  linear/direct map. If not, how do we prevent syscalls? The other
  approaches are clear that this should always work, but the kernel
  should avoid mappings wherever possible.

* The uncached option doesn't work in a number of situations, such as
  systems which are purely cache coherent at all times, or where the
  hypervisor has overridden attributes. The kernel cannot even know that
  whther this works as intended. On its own this doens't solve a
  particular problem, and I think this is a solution looking for a
  problem.

... and fundamentally, this seems like a "more security, please" option
that is going to be abused, since everyone wants security, regardless of
how we say it *should* be used. The few use-cases that may make sense
(e.g. protection of ketys and/or crypto secrrets), aren't going to be
able to rely on this (since e.g. other uses may depelete memory pools),
so this is going to be best-effort. With all that in mind, I struggle to
beleive that this is going to be worth the maintenance cost (e.g. with
any issues arising from uaccess, IO, etc).

Overall, I would prefer to not see this syscall in the kernel.

> Further still, it has this HAVE_SECRETMEM_UNCACHED nonsense which is

> completely unused. I'm not at all sure exposing UNCACHED to random

> userspace is a sane idea.


I agree the uncached stuff should be removed. It is at best misleading
since the kernel can't guarantee it does what it says, I think it's
liable to lead to issues in future (e.g. since it can cause memory
operations to raise different exceptions relative to what they can
today), and as above it seems like a solution looking for a problem.

Thanks,
Mark.

On Fri, Sep 25, 2020 at 11:31:14AM +0100, Mark Rutland wrote:
> Hi,

> 

> Sorry to come to this so late; I've been meaning to provide feedback on

> this for a while but have been indisposed for a bit due to an injury.

> 

> On Fri, Sep 25, 2020 at 11:50:29AM +0200, Peter Zijlstra wrote:

> > On Fri, Sep 25, 2020 at 11:00:30AM +0200, David Hildenbrand wrote:

> > > On 25.09.20 09:41, Peter Zijlstra wrote:

> > > > On Thu, Sep 24, 2020 at 04:29:03PM +0300, Mike Rapoport wrote:

> > > >> From: Mike Rapoport <rppt@linux.ibm.com>

> > > >>

> > > >> Removing a PAGE_SIZE page from the direct map every time such page is

> > > >> allocated for a secret memory mapping will cause severe fragmentation of

> > > >> the direct map. This fragmentation can be reduced by using PMD-size pages

> > > >> as a pool for small pages for secret memory mappings.

> > > >>

> > > >> Add a gen_pool per secretmem inode and lazily populate this pool with

> > > >> PMD-size pages.

> > > > 

> > > > What's the actual efficacy of this? Since the pmd is per inode, all I

> > > > need is a lot of inodes and we're in business to destroy the directmap,

> > > > no?

> > > > 

> > > > Afaict there's no privs needed to use this, all a process needs is to

> > > > stay below the mlock limit, so a 'fork-bomb' that maps a single secret

> > > > page will utterly destroy the direct map.

> > > > 

> > > > I really don't like this, at all.

> > > 

> > > As I expressed earlier, I would prefer allowing allocation of secretmem

> > > only from a previously defined CMA area. This would physically locally

> > > limit the pain.

> > 

> > Given that this thing doesn't have a migrate hook, that seems like an

> > eminently reasonable contraint. Because not only will it mess up the

> > directmap, it will also destroy the ability of the page-allocator /

> > compaction to re-form high order blocks by sprinkling holes throughout.

> > 

> > Also, this is all very close to XPFO, yet I don't see that mentioned

> > anywhere.

> 

> Agreed. I think if we really need something like this, something between

> XPFO and DEBUG_PAGEALLOC would be generally better, since:


Perhaps we can brainstorm on this? XPFO has mostly been abandoned
because there's no good/safe way to make it faster. There was work on
eliminating TLB flushes, but that waters down the protection. When I
was last thinking about it in anger, it just seemed like it was
destined to be slow, especially on $large_num_cores machines, since
you have to flush everyone else's map too.

I think the idea of "opt in to XPFO" is mostly attractive because then
people only have to pay the slowness cost for memory they really care
about. But if there's some way to make XPFO, or some alternative
design, that may be better.

Tycho

On Thu, 2020-09-24 at 16:29 +0300, Mike Rapoport wrote:
> Introduce "memfd_secret" system call with the ability to create

> memory

> areas visible only in the context of the owning process and not

> mapped not

> only to other processes but in the kernel page tables as well.

> 

> The user will create a file descriptor using the memfd_secret()

> system call

> where flags supplied as a parameter to this system call will define

> the

> desired protection mode for the memory associated with that file

> descriptor.

> 

>  Currently there are two protection modes:

> 

> * exclusive - the memory area is unmapped from the kernel direct map

> and it

>               is present only in the page tables of the owning mm.


Seems like there were some concerns raised around direct map
efficiency, but in case you are going to rework this...how does this
memory work for the existing kernel functionality that does things like
this?

get_user_pages(, &page);
ptr = kmap(page);
foo = *ptr;

Not sure if I'm missing something, but I think apps could cause the
kernel to access a not-present page and oops.

On Fri, Sep 25, 2020 at 09:41:25AM +0200, Peter Zijlstra wrote:
> On Thu, Sep 24, 2020 at 04:29:03PM +0300, Mike Rapoport wrote:

> > From: Mike Rapoport <rppt@linux.ibm.com>

> > 

> > Removing a PAGE_SIZE page from the direct map every time such page is

> > allocated for a secret memory mapping will cause severe fragmentation of

> > the direct map. This fragmentation can be reduced by using PMD-size pages

> > as a pool for small pages for secret memory mappings.

> > 

> > Add a gen_pool per secretmem inode and lazily populate this pool with

> > PMD-size pages.

> 

> What's the actual efficacy of this? Since the pmd is per inode, all I

> need is a lot of inodes and we're in business to destroy the directmap,

> no?

> 

> Afaict there's no privs needed to use this, all a process needs is to

> stay below the mlock limit, so a 'fork-bomb' that maps a single secret

> page will utterly destroy the direct map.


This indeed will cause 1G pages in the direct map to be split into 2M
chunks, but I disagree with 'destroy' term here. Citing the cover letter
of an earlier version of this series:

  I've tried to find some numbers that show the benefit of using larger
  pages in the direct map, but I couldn't find anything so I've run a
  couple of benchmarks from phoronix-test-suite on my laptop (i7-8650U
  with 32G RAM).
  
  I've tested three variants: the default with 28G of the physical
  memory covered with 1G pages, then I disabled 1G pages using
  "nogbpages" in the kernel command line and at last I've forced the
  entire direct map to use 4K pages using a simple patch to
  arch/x86/mm/init.c.  I've made runs of the benchmarks with SSD and
  tmpfs.
  
  Surprisingly, the results does not show huge advantage for large
  pages. For instance, here the results for kernel build with
  'make -j8', in seconds:
  
                        |  1G    |  2M    |  4K
  ----------------------+--------+--------+---------
  ssd, mitigations=on	| 308.75 | 317.37 | 314.9
  ssd, mitigations=off	| 305.25 | 295.32 | 304.92
  ram, mitigations=on	| 301.58 | 322.49 | 306.54
  ram, mitigations=off	| 299.32 | 288.44 | 310.65
  
  All the results I have are available here:
 
  https://docs.google.com/spreadsheets/d/1tdD-cu8e93vnfGsTFxZ5YdaEfs2E1GELlvWNOGkJV2U/edit?usp=sharing

The numbers suggest that using smaller pages in the direct map does not
necessarily leads to performance degradation and some runs produced
better results with smaller pages in the direct map.

> I really don't like this, at all.

> 

> IIRC Kirill looked at merging the directmap. I think he ran into

> performance issues there, but we really need something like that before

> something like this lands.


-- 
Sincerely yours,
Mike.

On Tue, Sep 29, 2020 at 04:58:44AM +0000, Edgecombe, Rick P wrote:
> On Thu, 2020-09-24 at 16:29 +0300, Mike Rapoport wrote:
> > Introduce "memfd_secret" system call with the ability to create
> > memory
> > areas visible only in the context of the owning process and not
> > mapped not
> > only to other processes but in the kernel page tables as well.
> > 
> > The user will create a file descriptor using the memfd_secret()
> > system call
> > where flags supplied as a parameter to this system call will define
> > the
> > desired protection mode for the memory associated with that file
> > descriptor.
> > 
> >  Currently there are two protection modes:
> > 
> > * exclusive - the memory area is unmapped from the kernel direct map
> > and it
> >               is present only in the page tables of the owning mm.
> 
> Seems like there were some concerns raised around direct map
> efficiency, but in case you are going to rework this...how does this
> memory work for the existing kernel functionality that does things like
> this?
> 
> get_user_pages(, &page);
> ptr = kmap(page);
> foo = *ptr;
> 
> Not sure if I'm missing something, but I think apps could cause the
> kernel to access a not-present page and oops.

The idea is that this memory should not be accessible by the kernel, so
the sequence you describe should indeed fail.

Probably oops would be to noisy and in this case the report needs to be
less verbose.

On Fri, Sep 25, 2020 at 11:00:30AM +0200, David Hildenbrand wrote:
> On 25.09.20 09:41, Peter Zijlstra wrote:

> > On Thu, Sep 24, 2020 at 04:29:03PM +0300, Mike Rapoport wrote:

> >> From: Mike Rapoport <rppt@linux.ibm.com>

> >>

> >> Removing a PAGE_SIZE page from the direct map every time such page is

> >> allocated for a secret memory mapping will cause severe fragmentation of

> >> the direct map. This fragmentation can be reduced by using PMD-size pages

> >> as a pool for small pages for secret memory mappings.

> >>

> >> Add a gen_pool per secretmem inode and lazily populate this pool with

> >> PMD-size pages.

> > 

> > What's the actual efficacy of this? Since the pmd is per inode, all I

> > need is a lot of inodes and we're in business to destroy the directmap,

> > no?

> > 

> > Afaict there's no privs needed to use this, all a process needs is to

> > stay below the mlock limit, so a 'fork-bomb' that maps a single secret

> > page will utterly destroy the direct map.

> > 

> > I really don't like this, at all.

> 

> As I expressed earlier, I would prefer allowing allocation of secretmem

> only from a previously defined CMA area. This would physically locally

> limit the pain.


The prevois version contained a patch that allowed reserving a memory
pool for the secretmem at boot time to avpoid splitting pages from the
direct map

> But my suggestion was not well received :)


The disagreemet was only whether to use CMA or simple boot time
reservation :-P

> -- 

> Thanks,

> 

> David / dhildenb

> 


-- 
Sincerely yours,
Mike.

On Fri, Sep 25, 2020 at 11:50:29AM +0200, Peter Zijlstra wrote:
> On Fri, Sep 25, 2020 at 11:00:30AM +0200, David Hildenbrand wrote:
> > On 25.09.20 09:41, Peter Zijlstra wrote:
> > > On Thu, Sep 24, 2020 at 04:29:03PM +0300, Mike Rapoport wrote:
> > >> From: Mike Rapoport <rppt@linux.ibm.com>
> > >>
> > >> Removing a PAGE_SIZE page from the direct map every time such page is
> > >> allocated for a secret memory mapping will cause severe fragmentation of
> > >> the direct map. This fragmentation can be reduced by using PMD-size pages
> > >> as a pool for small pages for secret memory mappings.
> > >>
> > >> Add a gen_pool per secretmem inode and lazily populate this pool with
> > >> PMD-size pages.
> > > 
> > > What's the actual efficacy of this? Since the pmd is per inode, all I
> > > need is a lot of inodes and we're in business to destroy the directmap,
> > > no?
> > > 
> > > Afaict there's no privs needed to use this, all a process needs is to
> > > stay below the mlock limit, so a 'fork-bomb' that maps a single secret
> > > page will utterly destroy the direct map.
> > > 
> > > I really don't like this, at all.
> > 
> > As I expressed earlier, I would prefer allowing allocation of secretmem
> > only from a previously defined CMA area. This would physically locally
> > limit the pain.
> 
> Given that this thing doesn't have a migrate hook, that seems like an
> eminently reasonable contraint. Because not only will it mess up the
> directmap, it will also destroy the ability of the page-allocator /
> compaction to re-form high order blocks by sprinkling holes throughout.
> 
> Also, this is all very close to XPFO, yet I don't see that mentioned
> anywhere.

It's close to XPFO in the sense it removes pages from the kernel page
table. But unlike XPFO memfd_secret() does not mean allowing access to
these pages in the kernel until they are freed by the user. And, unlike
XPFO, it does not require TLB flushing all over the place.

> Further still, it has this HAVE_SECRETMEM_UNCACHED nonsense which is
> completely unused. I'm not at all sure exposing UNCACHED to random
> userspace is a sane idea.

The uncached mappings were originally proposed as a mean "... to prevent
or considerably restrict speculation on such pages" [1] as a comment to
my initial proposal to use mmap(MAP_EXCLUSIVE).

I've added the ability to create uncached mappings into the fd-based
implementation of the exclusive mappings as it is indeed can reduce
availability of side channels and the implementation was quite straight
forward.

[1] https://lore.kernel.org/linux-mm/2236FBA76BA1254E88B949DDB74E612BA4EEC0CE@IRSMSX102.ger.corp.intel.com/

On Fri, Sep 25, 2020 at 11:31:14AM +0100, Mark Rutland wrote:
> Hi,

> 

> Agreed. I think if we really need something like this, something between

> XPFO and DEBUG_PAGEALLOC would be generally better, since:

> 

> * Secretmem puts userspace in charge of kernel internals (AFAICT without

>   any ulimits?), so that seems like an avenue for malicious or buggy

>   userspace to exploit and trigger DoS, etc. The other approaches leave

>   the kernel in charge at all times, and it's a system-level choice

>   which is easier to reason about and test.


Secretmem obeys RLIMIT_MLOCK.
I don't see why it "puts userpspace in charge of kernel internals" more
than other system calls. The fact that memory is dropped from
linear/direct mapping does not make userspace in charge of the kernel
internals. The fact that this is not system-level actually makes it more
controllable and tunable, IMHO.

> * Secretmem interaction with existing ABIs is unclear. Should uaccess

>   primitives work for secretmem? If so, this means that it's not valid

>   to transform direct uaccesses in syscalls etc into accesses via the

>   linear/direct map. If not, how do we prevent syscalls? The other

>   approaches are clear that this should always work, but the kernel

>   should avoid mappings wherever possible.


Our idea was that direct uaccess in the context of the process that owns
the secretmem should work and that transforming the direct uaccesses
into accesses via the linear map would be valid only when allowed
explicitly. E.g with addition of FOLL_SOMETHING to gup.
Yet, this would be required for any implementation of memory areas that
excludes pages from the linear mapping.

> * The uncached option doesn't work in a number of situations, such as

>   systems which are purely cache coherent at all times, or where the

>   hypervisor has overridden attributes. The kernel cannot even know that

>   whther this works as intended. On its own this doens't solve a

>   particular problem, and I think this is a solution looking for a

>   problem.


As we discussed at one of the previous iterations, the uncached makes
sense for x86 to reduce availability of side channels and I've only
enabled uncached mappings on x86.

> ... and fundamentally, this seems like a "more security, please" option

> that is going to be abused, since everyone wants security, regardless of

> how we say it *should* be used. The few use-cases that may make sense

> (e.g. protection of ketys and/or crypto secrrets), aren't going to be

> able to rely on this (since e.g. other uses may depelete memory pools),

> so this is going to be best-effort. With all that in mind, I struggle to

> beleive that this is going to be worth the maintenance cost (e.g. with

> any issues arising from uaccess, IO, etc).


I think that making secretmem a file descriptor that only allows mmap()
already makes it quite self contained and simple. There could be several
cases that will need special treatment, but I don't think it will have
large maintenance cost.
I've run syzkaller for some time with memfd_secret() enabled and I never
hit a crash because of it.

> Thanks,

> Mark.


-- 
Sincerely yours,
Mike.

On Tue, Sep 29, 2020 at 04:05:29PM +0300, Mike Rapoport wrote:
> On Fri, Sep 25, 2020 at 09:41:25AM +0200, Peter Zijlstra wrote:
> > On Thu, Sep 24, 2020 at 04:29:03PM +0300, Mike Rapoport wrote:
> > > From: Mike Rapoport <rppt@linux.ibm.com>
> > > 
> > > Removing a PAGE_SIZE page from the direct map every time such page is
> > > allocated for a secret memory mapping will cause severe fragmentation of
> > > the direct map. This fragmentation can be reduced by using PMD-size pages
> > > as a pool for small pages for secret memory mappings.
> > > 
> > > Add a gen_pool per secretmem inode and lazily populate this pool with
> > > PMD-size pages.
> > 
> > What's the actual efficacy of this? Since the pmd is per inode, all I
> > need is a lot of inodes and we're in business to destroy the directmap,
> > no?
> > 
> > Afaict there's no privs needed to use this, all a process needs is to
> > stay below the mlock limit, so a 'fork-bomb' that maps a single secret
> > page will utterly destroy the direct map.
> 
> This indeed will cause 1G pages in the direct map to be split into 2M
> chunks, but I disagree with 'destroy' term here. Citing the cover letter
> of an earlier version of this series:

It will drop them down to 4k pages. Given enough inodes, and allocating
only a single sekrit page per pmd, we'll shatter the directmap into 4k.

>   I've tried to find some numbers that show the benefit of using larger
>   pages in the direct map, but I couldn't find anything so I've run a
>   couple of benchmarks from phoronix-test-suite on my laptop (i7-8650U
>   with 32G RAM).

Existing benchmarks suck at this, but FB had a load that had a
deterministic enough performance regression to bisect to a directmap
issue, fixed by:

  7af0145067bc ("x86/mm/cpa: Prevent large page split when ftrace flips RW on kernel text")

>   I've tested three variants: the default with 28G of the physical
>   memory covered with 1G pages, then I disabled 1G pages using
>   "nogbpages" in the kernel command line and at last I've forced the
>   entire direct map to use 4K pages using a simple patch to
>   arch/x86/mm/init.c.  I've made runs of the benchmarks with SSD and
>   tmpfs.
>   
>   Surprisingly, the results does not show huge advantage for large
>   pages. For instance, here the results for kernel build with
>   'make -j8', in seconds:

Your benchmark should stress the TLB of your uarch, such that additional
pressure added by the shattered directmap shows up.

And no, I don't have one either.

>                         |  1G    |  2M    |  4K
>   ----------------------+--------+--------+---------
>   ssd, mitigations=on	| 308.75 | 317.37 | 314.9
>   ssd, mitigations=off	| 305.25 | 295.32 | 304.92
>   ram, mitigations=on	| 301.58 | 322.49 | 306.54
>   ram, mitigations=off	| 299.32 | 288.44 | 310.65

These results lack error data, but assuming the reults are significant,
then this very much makes a case for 1G mappings. 5s on a kernel builds
is pretty good.

On 9/29/20 7:12 AM, Peter Zijlstra wrote:
>>                              |  1G    |  2M    |  4K

>>        ----------------------+--------+--------+---------

>>   ssd, mitigations=on	| 308.75 | 317.37 | 314.9

>>   ssd, mitigations=off	| 305.25 | 295.32 | 304.92

>>   ram, mitigations=on	| 301.58 | 322.49 | 306.54

>>   ram, mitigations=off	| 299.32 | 288.44 | 310.65

> These results lack error data, but assuming the reults are significant,

> then this very much makes a case for 1G mappings. 5s on a kernel builds

> is pretty good.


Is something like secretmem all or nothing?

This seems like a similar situation to the side-channel mitigations.  We
know what the most "secure" thing to do is.  But, folks also disagree
about how much pain that security is worth.

That seems to indicate we're never going to come up with a
one-size-fits-all solution to this.  Apps are going to have to live
without secretmem being around if they want to run on old kernels
anyway, so it seems like something we should be able to enable or
disable without ABI concerns.

Do we just include it, but disable it by default so it doesn't eat
performance?  But, allow it to be reenabled by the folks who generally
prioritize hardening over performance, like Chromebooks for instance.

On Tue, Sep 29, 2020 at 04:12:16PM +0200, Peter Zijlstra wrote:
> On Tue, Sep 29, 2020 at 04:05:29PM +0300, Mike Rapoport wrote:

> > On Fri, Sep 25, 2020 at 09:41:25AM +0200, Peter Zijlstra wrote:

> > > On Thu, Sep 24, 2020 at 04:29:03PM +0300, Mike Rapoport wrote:

> > > > From: Mike Rapoport <rppt@linux.ibm.com>

> > > > 

> > > > Removing a PAGE_SIZE page from the direct map every time such page is

> > > > allocated for a secret memory mapping will cause severe fragmentation of

> > > > the direct map. This fragmentation can be reduced by using PMD-size pages

> > > > as a pool for small pages for secret memory mappings.

> > > > 

> > > > Add a gen_pool per secretmem inode and lazily populate this pool with

> > > > PMD-size pages.

> > > 

> > > What's the actual efficacy of this? Since the pmd is per inode, all I

> > > need is a lot of inodes and we're in business to destroy the directmap,

> > > no?

> > > 

> > > Afaict there's no privs needed to use this, all a process needs is to

> > > stay below the mlock limit, so a 'fork-bomb' that maps a single secret

> > > page will utterly destroy the direct map.

> > 

> > This indeed will cause 1G pages in the direct map to be split into 2M

> > chunks, but I disagree with 'destroy' term here. Citing the cover letter

> > of an earlier version of this series:

> 

> It will drop them down to 4k pages. Given enough inodes, and allocating

> only a single sekrit page per pmd, we'll shatter the directmap into 4k.


Why? Secretmem allocates PMD-size page per inode and uses it as a pool
of 4K pages for that inode. This way it ensures that
__kernel_map_pages() is always called on PMD boundaries.

-- 
Sincerely yours,
Mike.

On Tue, 2020-09-29 at 16:12 +0200, Peter Zijlstra wrote:
> On Tue, Sep 29, 2020 at 04:05:29PM +0300, Mike Rapoport wrote:
> > On Fri, Sep 25, 2020 at 09:41:25AM +0200, Peter Zijlstra wrote:
> > > On Thu, Sep 24, 2020 at 04:29:03PM +0300, Mike Rapoport wrote:
> > > > From: Mike Rapoport <rppt@linux.ibm.com>
> > > > 
> > > > Removing a PAGE_SIZE page from the direct map every time such
> > > > page is allocated for a secret memory mapping will cause severe
> > > > fragmentation of the direct map. This fragmentation can be
> > > > reduced by using PMD-size pages as a pool for small pages for
> > > > secret memory mappings.
> > > > 
> > > > Add a gen_pool per secretmem inode and lazily populate this
> > > > pool with PMD-size pages.
> > > 
> > > What's the actual efficacy of this? Since the pmd is per inode,
> > > all I need is a lot of inodes and we're in business to destroy
> > > the directmap, no?
> > > 
> > > Afaict there's no privs needed to use this, all a process needs
> > > is to stay below the mlock limit, so a 'fork-bomb' that maps a
> > > single secret page will utterly destroy the direct map.
> > 
> > This indeed will cause 1G pages in the direct map to be split into
> > 2M chunks, but I disagree with 'destroy' term here. Citing the
> > cover letter of an earlier version of this series:
> 
> It will drop them down to 4k pages. Given enough inodes, and
> allocating only a single sekrit page per pmd, we'll shatter the
> directmap into 4k.

Since the only requirement is 2M, even if this happens, which I'm not
sure it does, it's fixable to only fragment down to 2M, right?

We could also enforce a global limit in the secretmem syscall, so the
fork bomb problem can be made to go away.

Lastly, we could go back to boot time allocation as the previous patch
did, so this isn't even a fundamental problem with the patch set.

That said, I think investigation of the importance of direct map tiling
is useful, since it does fragment for other reasons, and fixing or
proving that the fragmentation doesn't matter is also something we'll
keep on investigating.  But it would be useful in the meantime to
explore things which may be more fundamental issues with the approach.

Regards,

James

On Tue, Sep 29, 2020 at 05:58:13PM +0300, Mike Rapoport wrote:
> On Tue, Sep 29, 2020 at 04:12:16PM +0200, Peter Zijlstra wrote:


> > It will drop them down to 4k pages. Given enough inodes, and allocating

> > only a single sekrit page per pmd, we'll shatter the directmap into 4k.

> 

> Why? Secretmem allocates PMD-size page per inode and uses it as a pool

> of 4K pages for that inode. This way it ensures that

> __kernel_map_pages() is always called on PMD boundaries.


Oh, you unmap the 2m page upfront? I read it like you did the unmap at
the sekrit page alloc, not the pool alloc side of things.

Then yes, but then you're wasting gobs of memory. Basically you can pin
2M per inode while only accounting a single page.

On Tue, 2020-09-29 at 16:06 +0300, Mike Rapoport wrote:
> On Tue, Sep 29, 2020 at 04:58:44AM +0000, Edgecombe, Rick P wrote:

> > On Thu, 2020-09-24 at 16:29 +0300, Mike Rapoport wrote:

> > > Introduce "memfd_secret" system call with the ability to create

> > > memory

> > > areas visible only in the context of the owning process and not

> > > mapped not

> > > only to other processes but in the kernel page tables as well.

> > > 

> > > The user will create a file descriptor using the memfd_secret()

> > > system call

> > > where flags supplied as a parameter to this system call will

> > > define

> > > the

> > > desired protection mode for the memory associated with that file

> > > descriptor.

> > > 

> > >   Currently there are two protection modes:

> > > 

> > > * exclusive - the memory area is unmapped from the kernel direct

> > > map

> > > and it

> > >                is present only in the page tables of the owning

> > > mm.

> > 

> > Seems like there were some concerns raised around direct map

> > efficiency, but in case you are going to rework this...how does

> > this

> > memory work for the existing kernel functionality that does things

> > like

> > this?

> > 

> > get_user_pages(, &page);

> > ptr = kmap(page);

> > foo = *ptr;

> > 

> > Not sure if I'm missing something, but I think apps could cause the

> > kernel to access a not-present page and oops.

> 

> The idea is that this memory should not be accessible by the kernel,

> so

> the sequence you describe should indeed fail.

> 

> Probably oops would be to noisy and in this case the report needs to

> be

> less verbose.


I was more concerned that it could cause kernel instabilities.

I see, so it should not be accessed even at the userspace address? I
wonder if it should be prevented somehow then. At least
get_user_pages() should be prevented I think. Blocking copy_*_user()
access might not be simple.

I'm also not so sure that a user would never have any possible reason
to copy data from this memory into the kernel, even if it's just
convenience. In which case a user setup could break if a specific
kernel implementation switched to get_user_pages()/kmap() from using
copy_*_user(). So seems maybe a bit thorny without fully blocking
access from the kernel, or deprecating that pattern.

You should probably call out these "no passing data to/from the kernel"
expectations, unless I missed them somewhere.

On Tue, Sep 29, 2020 at 04:12:16PM +0200, Peter Zijlstra wrote:
> On Tue, Sep 29, 2020 at 04:05:29PM +0300, Mike Rapoport wrote:

> > On Fri, Sep 25, 2020 at 09:41:25AM +0200, Peter Zijlstra wrote:

> > > On Thu, Sep 24, 2020 at 04:29:03PM +0300, Mike Rapoport wrote:

> > > > From: Mike Rapoport <rppt@linux.ibm.com>

> > > > 

> > > > Removing a PAGE_SIZE page from the direct map every time such page is

> > > > allocated for a secret memory mapping will cause severe fragmentation of

> > > > the direct map. This fragmentation can be reduced by using PMD-size pages

> > > > as a pool for small pages for secret memory mappings.

> > > > 

> > > > Add a gen_pool per secretmem inode and lazily populate this pool with

> > > > PMD-size pages.

> > > 

> > > What's the actual efficacy of this? Since the pmd is per inode, all I

> > > need is a lot of inodes and we're in business to destroy the directmap,

> > > no?

> > > 

> > > Afaict there's no privs needed to use this, all a process needs is to

> > > stay below the mlock limit, so a 'fork-bomb' that maps a single secret

> > > page will utterly destroy the direct map.

> > 

> > This indeed will cause 1G pages in the direct map to be split into 2M

> > chunks, but I disagree with 'destroy' term here. Citing the cover letter

> > of an earlier version of this series:

> 

> It will drop them down to 4k pages. Given enough inodes, and allocating

> only a single sekrit page per pmd, we'll shatter the directmap into 4k.

> 

> >   I've tried to find some numbers that show the benefit of using larger

> >   pages in the direct map, but I couldn't find anything so I've run a

> >   couple of benchmarks from phoronix-test-suite on my laptop (i7-8650U

> >   with 32G RAM).

> 

> Existing benchmarks suck at this, but FB had a load that had a


I tried to dig the regression report in the mailing list, and the best I
could find is

https://lore.kernel.org/lkml/20190823052335.572133-1-songliubraving@fb.com/

which does not mention the actual performance regression but it only
complaints about kernel text mapping being split into 4K pages.

Any chance you have the regression report handy? 

> deterministic enough performance regression to bisect to a directmap

> issue, fixed by:

> 

>   7af0145067bc ("x86/mm/cpa: Prevent large page split when ftrace flips RW on kernel text")


This commit talks about large page split for the text and mentions iTLB
performance.
Could it be that for data the behavoiur is different?

> >   I've tested three variants: the default with 28G of the physical

> >   memory covered with 1G pages, then I disabled 1G pages using

> >   "nogbpages" in the kernel command line and at last I've forced the

> >   entire direct map to use 4K pages using a simple patch to

> >   arch/x86/mm/init.c.  I've made runs of the benchmarks with SSD and

> >   tmpfs.

> >   

> >   Surprisingly, the results does not show huge advantage for large

> >   pages. For instance, here the results for kernel build with

> >   'make -j8', in seconds:

> 

> Your benchmark should stress the TLB of your uarch, such that additional

> pressure added by the shattered directmap shows up.


I understand that the benchmark should stress the TLB, but it's not that
we can add something like random access to a large working set as a
kernel module and insmod it. The userspace should do something that will
cause the stress to the TLB so that entries corresponding to the direct
map will be evicted frequently. And, frankly, 

> And no, I don't have one either.

> 

> >                         |  1G    |  2M    |  4K

> >   ----------------------+--------+--------+---------

> >   ssd, mitigations=on	| 308.75 | 317.37 | 314.9

> >   ssd, mitigations=off	| 305.25 | 295.32 | 304.92

> >   ram, mitigations=on	| 301.58 | 322.49 | 306.54

> >   ram, mitigations=off	| 299.32 | 288.44 | 310.65

> 

> These results lack error data, but assuming the reults are significant,

> then this very much makes a case for 1G mappings. 5s on a kernel builds

> is pretty good.


The standard error for those are between 2.5 and 4.5 out of 3 runs for
each variant. 

For kernel build 1G mappings perform better, but here 5s is only 1.6% of
300s and the direct map fragmentation was taken to the extreme here.
I'm not saying that the direct map fragmentation comes with no cost, but
the cost is not so big to dismiss features that cause the fragmentation
out of hand.

There were also benchmarks that actually performed better with 2M pages
in the direct map, so I'm still not convinced that 1G pages in the
direct map are the clear cut winner.

-- 
Sincerely yours,
Mike.

On Tue, Sep 29, 2020 at 05:15:52PM +0200, Peter Zijlstra wrote:
> On Tue, Sep 29, 2020 at 05:58:13PM +0300, Mike Rapoport wrote:
> > On Tue, Sep 29, 2020 at 04:12:16PM +0200, Peter Zijlstra wrote:
> 
> > > It will drop them down to 4k pages. Given enough inodes, and allocating
> > > only a single sekrit page per pmd, we'll shatter the directmap into 4k.
> > 
> > Why? Secretmem allocates PMD-size page per inode and uses it as a pool
> > of 4K pages for that inode. This way it ensures that
> > __kernel_map_pages() is always called on PMD boundaries.
> 
> Oh, you unmap the 2m page upfront? I read it like you did the unmap at
> the sekrit page alloc, not the pool alloc side of things.
> 
> Then yes, but then you're wasting gobs of memory. Basically you can pin
> 2M per inode while only accounting a single page.

Right, quite like THP :)

I considered using a global pool of 2M pages for secretmem and handing
4K pages to each inode from that global pool. But I've decided to waste
memory in favor of simplicity.

The prevoius version of this set included additional patch that allowed
reserving chunk of the physical memory for a global secretmem pool at
boot time. We didn't reach an agreement with David H. about whether this
pool should be allocated directly from memblock or from CMA and I've
dropped the boot time reservation patch because it can always be added on
top.

On Tue, Sep 29, 2020 at 08:06:03PM +0000, Edgecombe, Rick P wrote:
> On Tue, 2020-09-29 at 16:06 +0300, Mike Rapoport wrote:

> > On Tue, Sep 29, 2020 at 04:58:44AM +0000, Edgecombe, Rick P wrote:

> > > On Thu, 2020-09-24 at 16:29 +0300, Mike Rapoport wrote:

> > > > Introduce "memfd_secret" system call with the ability to create

> > > > memory

> > > > areas visible only in the context of the owning process and not

> > > > mapped not

> > > > only to other processes but in the kernel page tables as well.

> > > > 

> > > > The user will create a file descriptor using the memfd_secret()

> > > > system call

> > > > where flags supplied as a parameter to this system call will

> > > > define

> > > > the

> > > > desired protection mode for the memory associated with that file

> > > > descriptor.

> > > > 

> > > >   Currently there are two protection modes:

> > > > 

> > > > * exclusive - the memory area is unmapped from the kernel direct

> > > > map

> > > > and it

> > > >                is present only in the page tables of the owning

> > > > mm.

> > > 

> > > Seems like there were some concerns raised around direct map

> > > efficiency, but in case you are going to rework this...how does

> > > this

> > > memory work for the existing kernel functionality that does things

> > > like

> > > this?

> > > 

> > > get_user_pages(, &page);

> > > ptr = kmap(page);

> > > foo = *ptr;

> > > 

> > > Not sure if I'm missing something, but I think apps could cause the

> > > kernel to access a not-present page and oops.

> > 

> > The idea is that this memory should not be accessible by the kernel,

> > so

> > the sequence you describe should indeed fail.

> > 

> > Probably oops would be to noisy and in this case the report needs to

> > be

> > less verbose.

> 

> I was more concerned that it could cause kernel instabilities.


I think kernel recovers nicely from such sort of page fault, at least on
x86.

> I see, so it should not be accessed even at the userspace address? I

> wonder if it should be prevented somehow then. At least

> get_user_pages() should be prevented I think. Blocking copy_*_user()

> access might not be simple.

> 

> I'm also not so sure that a user would never have any possible reason

> to copy data from this memory into the kernel, even if it's just

> convenience. In which case a user setup could break if a specific

> kernel implementation switched to get_user_pages()/kmap() from using

> copy_*_user(). So seems maybe a bit thorny without fully blocking

> access from the kernel, or deprecating that pattern.

> 

> You should probably call out these "no passing data to/from the kernel"

> expectations, unless I missed them somewhere.


You are right, I should have been more explicit in the description of
the expected behavoir. 

Our thinking was that copy_*user() would work in the context of the
process that "owns" the secretmem and gup() would not allow access in
general, unless requested with certail (yet another) FOLL_ flag.

-- 
Sincerely yours,
Mike.

On Wed, Sep 30, 2020 at 01:20:31PM +0300, Mike Rapoport wrote:

> I tried to dig the regression report in the mailing list, and the best I
> could find is
> 
> https://lore.kernel.org/lkml/20190823052335.572133-1-songliubraving@fb.com/
> 
> which does not mention the actual performance regression but it only
> complaints about kernel text mapping being split into 4K pages.
> 
> Any chance you have the regression report handy? 

I think the saga started here:

 20190820075128.2912224-1-songliubraving@fb.com
 20190820202314.1083149-1-songliubraving@fb.com
 20190823052335.572133-1-songliubraving@fb.com

After that Thomas did the patch I referred to earlier and I endeavoured
to rewrite x86-ftrace.

I added Song to CC, maybe he can remember more.

On Wed, 2020-09-30 at 13:27 +0300, Mike Rapoport wrote:
> On Tue, Sep 29, 2020 at 05:15:52PM +0200, Peter Zijlstra wrote:

> > On Tue, Sep 29, 2020 at 05:58:13PM +0300, Mike Rapoport wrote:

> > > On Tue, Sep 29, 2020 at 04:12:16PM +0200, Peter Zijlstra wrote:

> > > > It will drop them down to 4k pages. Given enough inodes, and

> > > > allocating only a single sekrit page per pmd, we'll shatter the

> > > > directmap into 4k.

> > > 

> > > Why? Secretmem allocates PMD-size page per inode and uses it as a

> > > pool of 4K pages for that inode. This way it ensures that

> > > __kernel_map_pages() is always called on PMD boundaries.

> > 

> > Oh, you unmap the 2m page upfront? I read it like you did the unmap

> > at the sekrit page alloc, not the pool alloc side of things.

> > 

> > Then yes, but then you're wasting gobs of memory. Basically you can

> > pin 2M per inode while only accounting a single page.

> 

> Right, quite like THP :)

> 

> I considered using a global pool of 2M pages for secretmem and

> handing 4K pages to each inode from that global pool. But I've

> decided to waste memory in favor of simplicity.


I can also add that the user space consumer of this we wrote does its
user pool allocation at a 2M granularity, so nothing is actually
wasted.

https://git.kernel.org/pub/scm/linux/kernel/git/jejb/secret-memory-preloader.git/

James

On 30.09.20 16:39, James Bottomley wrote:
> On Wed, 2020-09-30 at 13:27 +0300, Mike Rapoport wrote:
>> On Tue, Sep 29, 2020 at 05:15:52PM +0200, Peter Zijlstra wrote:
>>> On Tue, Sep 29, 2020 at 05:58:13PM +0300, Mike Rapoport wrote:
>>>> On Tue, Sep 29, 2020 at 04:12:16PM +0200, Peter Zijlstra wrote:
>>>>> It will drop them down to 4k pages. Given enough inodes, and
>>>>> allocating only a single sekrit page per pmd, we'll shatter the
>>>>> directmap into 4k.
>>>>
>>>> Why? Secretmem allocates PMD-size page per inode and uses it as a
>>>> pool of 4K pages for that inode. This way it ensures that
>>>> __kernel_map_pages() is always called on PMD boundaries.
>>>
>>> Oh, you unmap the 2m page upfront? I read it like you did the unmap
>>> at the sekrit page alloc, not the pool alloc side of things.
>>>
>>> Then yes, but then you're wasting gobs of memory. Basically you can
>>> pin 2M per inode while only accounting a single page.
>>
>> Right, quite like THP :)
>>
>> I considered using a global pool of 2M pages for secretmem and
>> handing 4K pages to each inode from that global pool. But I've
>> decided to waste memory in favor of simplicity.
> 
> I can also add that the user space consumer of this we wrote does its
> user pool allocation at a 2M granularity, so nothing is actually
> wasted.

... for that specific user space consumer. (or am I missing something?)

On Wed, Sep 30, 2020 at 01:27:45PM +0300, Mike Rapoport wrote:
> On Tue, Sep 29, 2020 at 05:15:52PM +0200, Peter Zijlstra wrote:

> > On Tue, Sep 29, 2020 at 05:58:13PM +0300, Mike Rapoport wrote:

> > > On Tue, Sep 29, 2020 at 04:12:16PM +0200, Peter Zijlstra wrote:

> > 

> > > > It will drop them down to 4k pages. Given enough inodes, and allocating

> > > > only a single sekrit page per pmd, we'll shatter the directmap into 4k.

> > > 

> > > Why? Secretmem allocates PMD-size page per inode and uses it as a pool

> > > of 4K pages for that inode. This way it ensures that

> > > __kernel_map_pages() is always called on PMD boundaries.

> > 

> > Oh, you unmap the 2m page upfront? I read it like you did the unmap at

> > the sekrit page alloc, not the pool alloc side of things.

> > 

> > Then yes, but then you're wasting gobs of memory. Basically you can pin

> > 2M per inode while only accounting a single page.

> 

> Right, quite like THP :)


Huh?  THP accounts every page it allocates.  If you allocate 2MB,
it accounts 512 pages.  And THP are reclaimable by vmscan, this is
obviously not.

On Wed, 2020-09-30 at 16:45 +0200, David Hildenbrand wrote:
> On 30.09.20 16:39, James Bottomley wrote:
> > On Wed, 2020-09-30 at 13:27 +0300, Mike Rapoport wrote:
> > > On Tue, Sep 29, 2020 at 05:15:52PM +0200, Peter Zijlstra wrote:
> > > > On Tue, Sep 29, 2020 at 05:58:13PM +0300, Mike Rapoport wrote:
> > > > > On Tue, Sep 29, 2020 at 04:12:16PM +0200, Peter Zijlstra
> > > > > wrote:
> > > > > > It will drop them down to 4k pages. Given enough inodes,
> > > > > > and allocating only a single sekrit page per pmd, we'll
> > > > > > shatter the directmap into 4k.
> > > > > 
> > > > > Why? Secretmem allocates PMD-size page per inode and uses it
> > > > > as a pool of 4K pages for that inode. This way it ensures
> > > > > that __kernel_map_pages() is always called on PMD boundaries.
> > > > 
> > > > Oh, you unmap the 2m page upfront? I read it like you did the
> > > > unmap at the sekrit page alloc, not the pool alloc side of
> > > > things.
> > > > 
> > > > Then yes, but then you're wasting gobs of memory. Basically you
> > > > can pin 2M per inode while only accounting a single page.
> > > 
> > > Right, quite like THP :)
> > > 
> > > I considered using a global pool of 2M pages for secretmem and
> > > handing 4K pages to each inode from that global pool. But I've
> > > decided to waste memory in favor of simplicity.
> > 
> > I can also add that the user space consumer of this we wrote does
> > its user pool allocation at a 2M granularity, so nothing is
> > actually wasted.
> 
> ... for that specific user space consumer. (or am I missing
> something?)

I'm not sure I understand what you mean?  It's designed to be either
the standard wrapper or an example of how to do the standard wrapper
for the syscall.  It uses the same allocator system glibc uses for
malloc/free ... which pretty much everyone uses instead of calling
sys_brk directly.  If you look at the granularity glibc uses for
sys_brk, it's not 4k either.

James

On 30.09.20 17:17, James Bottomley wrote:
> On Wed, 2020-09-30 at 16:45 +0200, David Hildenbrand wrote:

>> On 30.09.20 16:39, James Bottomley wrote:

>>> On Wed, 2020-09-30 at 13:27 +0300, Mike Rapoport wrote:

>>>> On Tue, Sep 29, 2020 at 05:15:52PM +0200, Peter Zijlstra wrote:

>>>>> On Tue, Sep 29, 2020 at 05:58:13PM +0300, Mike Rapoport wrote:

>>>>>> On Tue, Sep 29, 2020 at 04:12:16PM +0200, Peter Zijlstra

>>>>>> wrote:

>>>>>>> It will drop them down to 4k pages. Given enough inodes,

>>>>>>> and allocating only a single sekrit page per pmd, we'll

>>>>>>> shatter the directmap into 4k.

>>>>>>

>>>>>> Why? Secretmem allocates PMD-size page per inode and uses it

>>>>>> as a pool of 4K pages for that inode. This way it ensures

>>>>>> that __kernel_map_pages() is always called on PMD boundaries.

>>>>>

>>>>> Oh, you unmap the 2m page upfront? I read it like you did the

>>>>> unmap at the sekrit page alloc, not the pool alloc side of

>>>>> things.

>>>>>

>>>>> Then yes, but then you're wasting gobs of memory. Basically you

>>>>> can pin 2M per inode while only accounting a single page.

>>>>

>>>> Right, quite like THP :)

>>>>

>>>> I considered using a global pool of 2M pages for secretmem and

>>>> handing 4K pages to each inode from that global pool. But I've

>>>> decided to waste memory in favor of simplicity.

>>>

>>> I can also add that the user space consumer of this we wrote does

>>> its user pool allocation at a 2M granularity, so nothing is

>>> actually wasted.

>>

>> ... for that specific user space consumer. (or am I missing

>> something?)

> 

> I'm not sure I understand what you mean?  It's designed to be either

> the standard wrapper or an example of how to do the standard wrapper

> for the syscall.  It uses the same allocator system glibc uses for

> malloc/free ... which pretty much everyone uses instead of calling

> sys_brk directly.  If you look at the granularity glibc uses for

> sys_brk, it's not 4k either.


Okay thanks, "the user space consumer of this we wrote" didn't sound as
generic to me as "the standard wrapper".

-- 
Thanks,

David / dhildenb

On Wed, 2020-09-30 at 13:35 +0300, Mike Rapoport wrote:
> On Tue, Sep 29, 2020 at 08:06:03PM +0000, Edgecombe, Rick P wrote:

> > On Tue, 2020-09-29 at 16:06 +0300, Mike Rapoport wrote:

> > > On Tue, Sep 29, 2020 at 04:58:44AM +0000, Edgecombe, Rick P

> > > wrote:

> > > > On Thu, 2020-09-24 at 16:29 +0300, Mike Rapoport wrote:

> > > > > Introduce "memfd_secret" system call with the ability to

> > > > > create

> > > > > memory

> > > > > areas visible only in the context of the owning process and

> > > > > not

> > > > > mapped not

> > > > > only to other processes but in the kernel page tables as

> > > > > well.

> > > > > 

> > > > > The user will create a file descriptor using the

> > > > > memfd_secret()

> > > > > system call

> > > > > where flags supplied as a parameter to this system call will

> > > > > define

> > > > > the

> > > > > desired protection mode for the memory associated with that

> > > > > file

> > > > > descriptor.

> > > > > 

> > > > >   Currently there are two protection modes:

> > > > > 

> > > > > * exclusive - the memory area is unmapped from the kernel

> > > > > direct

> > > > > map

> > > > > and it

> > > > >                is present only in the page tables of the

> > > > > owning

> > > > > mm.

> > > > 

> > > > Seems like there were some concerns raised around direct map

> > > > efficiency, but in case you are going to rework this...how does

> > > > this

> > > > memory work for the existing kernel functionality that does

> > > > things

> > > > like

> > > > this?

> > > > 

> > > > get_user_pages(, &page);

> > > > ptr = kmap(page);

> > > > foo = *ptr;

> > > > 

> > > > Not sure if I'm missing something, but I think apps could cause

> > > > the

> > > > kernel to access a not-present page and oops.

> > > 

> > > The idea is that this memory should not be accessible by the

> > > kernel,

> > > so

> > > the sequence you describe should indeed fail.

> > > 

> > > Probably oops would be to noisy and in this case the report needs

> > > to

> > > be

> > > less verbose.

> > 

> > I was more concerned that it could cause kernel instabilities.

> 

> I think kernel recovers nicely from such sort of page fault, at least

> on

> x86.


We are talking about the kernel taking a direct map NP fault and
oopsing? Hmm, I thought it should often recover, but stability should
be considered reduced. How could the kernel know whether to release
locks or clean up other state? Pretty sure I've seen deadlocks in this
case.

> > I see, so it should not be accessed even at the userspace address?

> > I

> > wonder if it should be prevented somehow then. At least

> > get_user_pages() should be prevented I think. Blocking

> > copy_*_user()

> > access might not be simple.

> > 

> > I'm also not so sure that a user would never have any possible

> > reason

> > to copy data from this memory into the kernel, even if it's just

> > convenience. In which case a user setup could break if a specific

> > kernel implementation switched to get_user_pages()/kmap() from

> > using

> > copy_*_user(). So seems maybe a bit thorny without fully blocking

> > access from the kernel, or deprecating that pattern.

> > 

> > You should probably call out these "no passing data to/from the

> > kernel"

> > expectations, unless I missed them somewhere.

> 

> You are right, I should have been more explicit in the description of

> the expected behavoir. 

> 

> Our thinking was that copy_*user() would work in the context of the

> process that "owns" the secretmem and gup() would not allow access in

> general, unless requested with certail (yet another) FOLL_ flag.


Hmm, yes. I think one easier thing about this design over the series
Kirill sent out is that the actual page will never transition to and
from unmapped while it's mapped in userspace. If it could transition,
you'd have to worry about a race window between
get_user_pages(FOLL_foo) and the kmap() where the page might get
unmapped.

Without the ability to transition pages though, using this for KVM
guests memory remains a not completely worked through problem since it
has the get_user_pages()/kmap() pattern quite a bit. Did you have an
idea for that? (I thought I saw that use case mentioned somewhere).

On Wed, Sep 30, 2020 at 04:09:28PM +0100, Matthew Wilcox wrote:
> On Wed, Sep 30, 2020 at 01:27:45PM +0300, Mike Rapoport wrote:
> > On Tue, Sep 29, 2020 at 05:15:52PM +0200, Peter Zijlstra wrote:
> > > On Tue, Sep 29, 2020 at 05:58:13PM +0300, Mike Rapoport wrote:
> > > > On Tue, Sep 29, 2020 at 04:12:16PM +0200, Peter Zijlstra wrote:
> > > 
> > > > > It will drop them down to 4k pages. Given enough inodes, and allocating
> > > > > only a single sekrit page per pmd, we'll shatter the directmap into 4k.
> > > > 
> > > > Why? Secretmem allocates PMD-size page per inode and uses it as a pool
> > > > of 4K pages for that inode. This way it ensures that
> > > > __kernel_map_pages() is always called on PMD boundaries.
> > > 
> > > Oh, you unmap the 2m page upfront? I read it like you did the unmap at
> > > the sekrit page alloc, not the pool alloc side of things.
> > > 
> > > Then yes, but then you're wasting gobs of memory. Basically you can pin
> > > 2M per inode while only accounting a single page.
> > 
> > Right, quite like THP :)
> 
> Huh?  THP accounts every page it allocates.  If you allocate 2MB,
> it accounts 512 pages.

I meant that secremem allocates 2M in advance like THP and not that it
similar because only page is accounted.
Anyway, the intention was to account the entrire 2M chunk (512 pages),
so I'll recheck the accounting and I'll fix it if I missed something.

> And THP are reclaimable by vmscan, this is obviously not.

True, this is more like mlock in that sense.

On Wed, Sep 30, 2020 at 08:11:28PM +0000, Edgecombe, Rick P wrote:
> On Wed, 2020-09-30 at 13:35 +0300, Mike Rapoport wrote:
> > 
> > Our thinking was that copy_*user() would work in the context of the
> > process that "owns" the secretmem and gup() would not allow access in
> > general, unless requested with certail (yet another) FOLL_ flag.
> 
> Hmm, yes. I think one easier thing about this design over the series
> Kirill sent out is that the actual page will never transition to and
> from unmapped while it's mapped in userspace. If it could transition,
> you'd have to worry about a race window between
> get_user_pages(FOLL_foo) and the kmap() where the page might get
> unmapped.
> 
> Without the ability to transition pages though, using this for KVM
> guests memory remains a not completely worked through problem since it
> has the get_user_pages()/kmap() pattern quite a bit. Did you have an
> idea for that? (I thought I saw that use case mentioned somewhere).
 
I've mentioned the KVM usecase because it was dicussed at the hallway
track at KVM Forum last year and also after looking at Kirill's patches
I though that "KVM protected" memory could be implemented on top of
secretmem. Can't say I have enough expertise in KVM to have a completely
worked through solution for that.

* Mike Rapoport | 2020-09-24 16:28:58 [+0300]:

>This is an implementation of "secret" mappings backed by a file descriptor. 

>I've dropped the boot time reservation patch for now as it is not strictly

>required for the basic usage and can be easily added later either with or

>without CMA.


Isn't memfd_secret currently *unnecessarily* designed to be a "one task
feature"? memfd_secret fulfills exactly two (generic) features:

- address space isolation from kernel (aka SECRET_EXCLUSIVE, not in kernel's
  direct map) - hide from kernel, great
- disabling processor's memory caches against speculative-execution vulnerabilities
  (spectre and friends, aka SECRET_UNCACHED), also great

But, what about the following use-case: implementing a hardened IPC mechanism
where even the kernel is not aware of any data and optionally via SECRET_UNCACHED
even the hardware caches are bypassed! With the patches we are so close to
achieving this.

How? Shared, SECRET_EXCLUSIVE and SECRET_UNCACHED mmaped pages for IPC
involved tasks required to know this mapping (and memfd_secret fd). After IPC
is done, tasks can copy sensitive data from IPC pages into memfd_secret()
pages, un-sensitive data can be used/copied everywhere.

One missing piece is still the secure zeroization of the page(s) if the
mapping is closed by last process to guarantee a secure cleanup. This can
probably done as an general mmap feature, not coupled to memfd_secret() and
can be done independently ("reverse" MAP_UNINITIALIZED feature).

PS: thank you Mike for your effort!

See the following pseudo-code as an example:


// simple assume file-descriptor and mapping is inherited
// by child for simplicity, ptr is 
int fd = memfd_secret(SECRETMEM_UNCACHED);
ftruncate(fd, PAGE_SIZE);
uint32_t *ptr = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);

pid_t pid_other;

void signal_handler(int sig)
{
	// update IPC data on shared, uncachaed, exclusive mapped page
	*ptr += 1;
	// inform other
	sleep(1);
	kill(pid_other, SIGUSR1);
}

void ipc_loop(void)
{
	signal(SIGUSR1, signal_handler);
	while (1) {
		sleep(1);
	}
}

int main(void)
{
	pid_t child_pid;

	switch (child_pid = fork()) {
	case 0:
		pid_other = getppid();
		break;
	default:
		pid_other = child_pid
		break;
	}
	
	ipc_loop();
}


Hagen

On 24.09.20 15:28, Mike Rapoport wrote:
> From: Mike Rapoport <rppt@linux.ibm.com>
> 
> Hi,
> 
> This is an implementation of "secret" mappings backed by a file descriptor.
> I've dropped the boot time reservation patch for now as it is not strictly
> required for the basic usage and can be easily added later either with or
> without CMA.

Hi Mike,

I'd like to stress again that I'd prefer *any* secretmem allocations 
going via CMA as long as these pages are unmovable. The user can 
allocate a non-significant amount of unmovable allocations only fenced 
by the mlock limit, which behave very different to mlocked pages - they 
are not movable for page compaction/migration.

Assume you have a system with quite some ZONE_MOVABLE memory (esp. in 
virtualized environments), eating up a significant amount of 
!ZONE_MOVABLE memory dynamically at runtime can lead to non-obvious 
issues. It looks like you have plenty of free memory, but the kernel 
might still OOM when trying to do kernel allocations e.g., for 
pagetables. With CMA we at least know what we're dealing with - it 
behaves like ZONE_MOVABLE except for the owner that can place unmovable 
pages there. We can use it to compute statically the amount of 
ZONE_MOVABLE memory we can have in the system without doing harm to the 
system.

Ideally, we would want to support page migration/compaction and allow 
for allocation from ZONE_MOVABLE as well. Would involve temporarily 
mapping, copying, unmapping. Sounds feasible, but not sure which 
roadblocks we would find on the way.

[...]

> 
> The file descriptor backing secret memory mappings is created using a
> dedicated memfd_secret system call The desired protection mode for the
> memory is configured using flags parameter of the system call. The mmap()
> of the file descriptor created with memfd_secret() will create a "secret"
> memory mapping. The pages in that mapping will be marked as not present in
> the direct map and will have desired protection bits set in the user page
> table. For instance, current implementation allows uncached mappings.
> 
> Although normally Linux userspace mappings are protected from other users,
> such secret mappings are useful for environments where a hostile tenant is
> trying to trick the kernel into giving them access to other tenants
> mappings.
> 
> Additionally, the secret mappings may be used as a mean to protect guest
> memory in a virtual machine host.
> 
> For demonstration of secret memory usage we've created a userspace library
> [1] that does two things: the first is act as a preloader for openssl to
> redirect all the OPENSSL_malloc calls to secret memory meaning any secret
> keys get automatically protected this way and the other thing it does is
> expose the API to the user who needs it. We anticipate that a lot of the
> use cases would be like the openssl one: many toolkits that deal with
> secret keys already have special handling for the memory to try to give
> them greater protection, so this would simply be pluggable into the
> toolkits without any need for user application modification.
> 
> I've hesitated whether to continue to use new flags to memfd_create() or to
> add a new system call and I've decided to use a new system call after I've
> started to look into man pages update. There would have been two completely
> independent descriptions and I think it would have been very confusing.

This was also raised on lwn.net by "dullfire" [1]. I do wonder if it 
would be the right place as well.

[1] https://lwn.net/Articles/835342/#Comments

> 
> Hiding secret memory mappings behind an anonymous file allows (ab)use of
> the page cache for tracking pages allocated for the "secret" mappings as
> well as using address_space_operations for e.g. page migration callbacks.
> 
> The anonymous file may be also used implicitly, like hugetlb files, to
> implement mmap(MAP_SECRET) and use the secret memory areas with "native" mm
> ABIs in the future.
> 
> As the fragmentation of the direct map was one of the major concerns raised
> during the previous postings, I've added an amortizing cache of PMD-size
> pages to each file descriptor that is used as an allocation pool for the
> secret memory areas.

On 02.11.20 10:11, David Hildenbrand wrote:
> On 24.09.20 15:28, Mike Rapoport wrote:
>> From: Mike Rapoport <rppt@linux.ibm.com>
>>
>> Hi,
>>
>> This is an implementation of "secret" mappings backed by a file descriptor.
>> I've dropped the boot time reservation patch for now as it is not strictly
>> required for the basic usage and can be easily added later either with or
>> without CMA.
> 
> Hi Mike,
> 
> I'd like to stress again that I'd prefer *any* secretmem allocations
> going via CMA as long as these pages are unmovable. The user can
> allocate a non-significant amount of unmovable allocations only fenced

lol, "non-neglectable" or "significant". Guess I need another coffee :)

On Sun, Nov 01, 2020 at 12:09:35PM +0100, Hagen Paul Pfeifer wrote:
> * Mike Rapoport | 2020-09-24 16:28:58 [+0300]:

> 

> >This is an implementation of "secret" mappings backed by a file descriptor. 

> >I've dropped the boot time reservation patch for now as it is not strictly

> >required for the basic usage and can be easily added later either with or

> >without CMA.

> 

> Isn't memfd_secret currently *unnecessarily* designed to be a "one task

> feature"? memfd_secret fulfills exactly two (generic) features:

> 

> - address space isolation from kernel (aka SECRET_EXCLUSIVE, not in kernel's

>   direct map) - hide from kernel, great

> - disabling processor's memory caches against speculative-execution vulnerabilities

>   (spectre and friends, aka SECRET_UNCACHED), also great

> 

> But, what about the following use-case: implementing a hardened IPC mechanism

> where even the kernel is not aware of any data and optionally via SECRET_UNCACHED

> even the hardware caches are bypassed! With the patches we are so close to

> achieving this.

> 

> How? Shared, SECRET_EXCLUSIVE and SECRET_UNCACHED mmaped pages for IPC

> involved tasks required to know this mapping (and memfd_secret fd). After IPC

> is done, tasks can copy sensitive data from IPC pages into memfd_secret()

> pages, un-sensitive data can be used/copied everywhere.


As long as the task share the file descriptor, they can share the
secretmem pages, pretty much like normal memfd.

> One missing piece is still the secure zeroization of the page(s) if the

> mapping is closed by last process to guarantee a secure cleanup. This can

> probably done as an general mmap feature, not coupled to memfd_secret() and

> can be done independently ("reverse" MAP_UNINITIALIZED feature).


There are "init_on_alloc" and "init_on_free" kernel parameters that
enable zeroing of the pages on alloc and on free globally.
Anyway, I'll add zeroing of the freed memory to secretmem.

> PS: thank you Mike for your effort!

> 

> See the following pseudo-code as an example:

> 

> 

> // simple assume file-descriptor and mapping is inherited

> // by child for simplicity, ptr is 

> int fd = memfd_secret(SECRETMEM_UNCACHED);

> ftruncate(fd, PAGE_SIZE);

> uint32_t *ptr = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);

 
The ptr here will be visible to both parent and child.

> pid_t pid_other;

> 

> void signal_handler(int sig)

> {

> 	// update IPC data on shared, uncachaed, exclusive mapped page

> 	*ptr += 1;

> 	// inform other

> 	sleep(1);

> 	kill(pid_other, SIGUSR1);

> }

> 

> void ipc_loop(void)

> {

> 	signal(SIGUSR1, signal_handler);

> 	while (1) {

> 		sleep(1);

> 	}

> }

> 

> int main(void)

> {

> 	pid_t child_pid;

> 

> 	switch (child_pid = fork()) {

> 	case 0:

> 		pid_other = getppid();

> 		break;

> 	default:

> 		pid_other = child_pid

> 		break;

> 	}

> 	

> 	ipc_loop();

> }

> 

> 

> Hagen

> 


-- 
Sincerely yours,
Mike.

On Mon, Nov 02, 2020 at 10:11:12AM +0100, David Hildenbrand wrote:
> On 24.09.20 15:28, Mike Rapoport wrote:

> > From: Mike Rapoport <rppt@linux.ibm.com>

> > 

> > Hi,

> > 

> > This is an implementation of "secret" mappings backed by a file descriptor.

> > I've dropped the boot time reservation patch for now as it is not strictly

> > required for the basic usage and can be easily added later either with or

> > without CMA.

> 

> Hi Mike,

> 

> I'd like to stress again that I'd prefer *any* secretmem allocations going

> via CMA as long as these pages are unmovable. The user can allocate a

> non-significant amount of unmovable allocations only fenced by the mlock

> limit, which behave very different to mlocked pages - they are not movable

> for page compaction/migration.

> 

> Assume you have a system with quite some ZONE_MOVABLE memory (esp. in

> virtualized environments), eating up a significant amount of !ZONE_MOVABLE

> memory dynamically at runtime can lead to non-obvious issues. It looks like

> you have plenty of free memory, but the kernel might still OOM when trying

> to do kernel allocations e.g., for pagetables. With CMA we at least know

> what we're dealing with - it behaves like ZONE_MOVABLE except for the owner

> that can place unmovable pages there. We can use it to compute statically

> the amount of ZONE_MOVABLE memory we can have in the system without doing

> harm to the system.


Why would you say that secretmem allocates from !ZONE_MOVABLE?
If we put boot time reservations aside, the memory allocation for
secretmem follows the same rules as the memory allocations for any file
descriptor. That means we allocate memory with GFP_HIGHUSER_MOVABLE.
After the allocation the memory indeed becomes unmovable but it's not
like we are eating memory from other zones here.

Maybe I'm missing something, but it seems to me that using CMA for any
secretmem allocation would needlessly complicate things.

> Ideally, we would want to support page migration/compaction and allow for

> allocation from ZONE_MOVABLE as well. Would involve temporarily mapping,

> copying, unmapping. Sounds feasible, but not sure which roadblocks we would

> find on the way.


We can support migration/compaction with temporary mapping. The first
roadblock I've hit there was that migration allocates 4K destination
page and if we use it in secret map we are back to scrambling the direct
map into 4K pieces. It still sounds feasible but not as trivial :)

But again, there is nothing in the current form of secretmem that
prevents allocation from ZONE_MOVABLE.

> [...]

> 

> > I've hesitated whether to continue to use new flags to memfd_create() or to

> > add a new system call and I've decided to use a new system call after I've

> > started to look into man pages update. There would have been two completely

> > independent descriptions and I think it would have been very confusing.

> 

> This was also raised on lwn.net by "dullfire" [1]. I do wonder if it would

> be the right place as well.


I lean towards a dedicated syscall because, as I said, to me it would
seem less confusing.

> [1] https://lwn.net/Articles/835342/#Comments

> 

> > 

> > Hiding secret memory mappings behind an anonymous file allows (ab)use of

> > the page cache for tracking pages allocated for the "secret" mappings as

> > well as using address_space_operations for e.g. page migration callbacks.

> > 

> > The anonymous file may be also used implicitly, like hugetlb files, to

> > implement mmap(MAP_SECRET) and use the secret memory areas with "native" mm

> > ABIs in the future.

> > 

> > As the fragmentation of the direct map was one of the major concerns raised

> > during the previous postings, I've added an amortizing cache of PMD-size

> > pages to each file descriptor that is used as an allocation pool for the

> > secret memory areas.


-- 
Sincerely yours,
Mike.

>> Assume you have a system with quite some ZONE_MOVABLE memory (esp. in
>> virtualized environments), eating up a significant amount of !ZONE_MOVABLE
>> memory dynamically at runtime can lead to non-obvious issues. It looks like
>> you have plenty of free memory, but the kernel might still OOM when trying
>> to do kernel allocations e.g., for pagetables. With CMA we at least know
>> what we're dealing with - it behaves like ZONE_MOVABLE except for the owner
>> that can place unmovable pages there. We can use it to compute statically
>> the amount of ZONE_MOVABLE memory we can have in the system without doing
>> harm to the system.
> 
> Why would you say that secretmem allocates from !ZONE_MOVABLE?
> If we put boot time reservations aside, the memory allocation for
> secretmem follows the same rules as the memory allocations for any file
> descriptor. That means we allocate memory with GFP_HIGHUSER_MOVABLE.

Oh, okay - I missed that! I had the impression that pages are unmovable 
and allocating from ZONE_MOVABLE would be a violation of that?

> After the allocation the memory indeed becomes unmovable but it's not
> like we are eating memory from other zones here.

... and here you have your problem. That's a no-no. We only allow it in 
very special cases where it can't be avoided - e.g., vfio having to pin 
guest memory when passing through memory to VMs.

Hotplug memory, online it to ZONE_MOVABLE. Allocate secretmem. Try to 
unplug the memory again -> endless loop in offline_pages().

Or have a CMA area that gets used with GFP_HIGHUSER_MOVABLE. Allocate 
secretmem. The owner of the area tries to allocate memory - always 
fails. Purpose of CMA destroyed.

> 
>> Ideally, we would want to support page migration/compaction and allow for
>> allocation from ZONE_MOVABLE as well. Would involve temporarily mapping,
>> copying, unmapping. Sounds feasible, but not sure which roadblocks we would
>> find on the way.
> 
> We can support migration/compaction with temporary mapping. The first
> roadblock I've hit there was that migration allocates 4K destination
> page and if we use it in secret map we are back to scrambling the direct
> map into 4K pieces. It still sounds feasible but not as trivial :)

That sounds like the proper way for me to do it then.

> 
> But again, there is nothing in the current form of secretmem that
> prevents allocation from ZONE_MOVABLE.

Oh, there is something: That the pages are not movable.

On Mon, Nov 02, 2020 at 06:51:09PM +0100, David Hildenbrand wrote:
> > > Assume you have a system with quite some ZONE_MOVABLE memory (esp. in

> > > virtualized environments), eating up a significant amount of !ZONE_MOVABLE

> > > memory dynamically at runtime can lead to non-obvious issues. It looks like

> > > you have plenty of free memory, but the kernel might still OOM when trying

> > > to do kernel allocations e.g., for pagetables. With CMA we at least know

> > > what we're dealing with - it behaves like ZONE_MOVABLE except for the owner

> > > that can place unmovable pages there. We can use it to compute statically

> > > the amount of ZONE_MOVABLE memory we can have in the system without doing

> > > harm to the system.

> > 

> > Why would you say that secretmem allocates from !ZONE_MOVABLE?

> > If we put boot time reservations aside, the memory allocation for

> > secretmem follows the same rules as the memory allocations for any file

> > descriptor. That means we allocate memory with GFP_HIGHUSER_MOVABLE.

> 

> Oh, okay - I missed that! I had the impression that pages are unmovable and

> allocating from ZONE_MOVABLE would be a violation of that?

> 

> > After the allocation the memory indeed becomes unmovable but it's not

> > like we are eating memory from other zones here.

> 

> ... and here you have your problem. That's a no-no. We only allow it in very

> special cases where it can't be avoided - e.g., vfio having to pin guest

> memory when passing through memory to VMs.

> 

> Hotplug memory, online it to ZONE_MOVABLE. Allocate secretmem. Try to unplug

> the memory again -> endless loop in offline_pages().

> 

> Or have a CMA area that gets used with GFP_HIGHUSER_MOVABLE. Allocate

> secretmem. The owner of the area tries to allocate memory - always fails.

> Purpose of CMA destroyed.

> 

> > 

> > > Ideally, we would want to support page migration/compaction and allow for

> > > allocation from ZONE_MOVABLE as well. Would involve temporarily mapping,

> > > copying, unmapping. Sounds feasible, but not sure which roadblocks we would

> > > find on the way.

> > 

> > We can support migration/compaction with temporary mapping. The first

> > roadblock I've hit there was that migration allocates 4K destination

> > page and if we use it in secret map we are back to scrambling the direct

> > map into 4K pieces. It still sounds feasible but not as trivial :)

> 

> That sounds like the proper way for me to do it then.

 
Although migration of secretmem pages sounds feasible now, there maybe
other issues I didn't see because I'm not very familiar with
migration/compaction code.

I've looked again at CMA and I'm inclined to agree with you that using
CMA for secretmem allocations could be the right thing. 

-- 
Sincerely yours,
Mike.

On 03.11.20 10:52, Mike Rapoport wrote:
> On Mon, Nov 02, 2020 at 06:51:09PM +0100, David Hildenbrand wrote:
>>>> Assume you have a system with quite some ZONE_MOVABLE memory (esp. in
>>>> virtualized environments), eating up a significant amount of !ZONE_MOVABLE
>>>> memory dynamically at runtime can lead to non-obvious issues. It looks like
>>>> you have plenty of free memory, but the kernel might still OOM when trying
>>>> to do kernel allocations e.g., for pagetables. With CMA we at least know
>>>> what we're dealing with - it behaves like ZONE_MOVABLE except for the owner
>>>> that can place unmovable pages there. We can use it to compute statically
>>>> the amount of ZONE_MOVABLE memory we can have in the system without doing
>>>> harm to the system.
>>>
>>> Why would you say that secretmem allocates from !ZONE_MOVABLE?
>>> If we put boot time reservations aside, the memory allocation for
>>> secretmem follows the same rules as the memory allocations for any file
>>> descriptor. That means we allocate memory with GFP_HIGHUSER_MOVABLE.
>>
>> Oh, okay - I missed that! I had the impression that pages are unmovable and
>> allocating from ZONE_MOVABLE would be a violation of that?
>>
>>> After the allocation the memory indeed becomes unmovable but it's not
>>> like we are eating memory from other zones here.
>>
>> ... and here you have your problem. That's a no-no. We only allow it in very
>> special cases where it can't be avoided - e.g., vfio having to pin guest
>> memory when passing through memory to VMs.
>>
>> Hotplug memory, online it to ZONE_MOVABLE. Allocate secretmem. Try to unplug
>> the memory again -> endless loop in offline_pages().
>>
>> Or have a CMA area that gets used with GFP_HIGHUSER_MOVABLE. Allocate
>> secretmem. The owner of the area tries to allocate memory - always fails.
>> Purpose of CMA destroyed.
>>
>>>
>>>> Ideally, we would want to support page migration/compaction and allow for
>>>> allocation from ZONE_MOVABLE as well. Would involve temporarily mapping,
>>>> copying, unmapping. Sounds feasible, but not sure which roadblocks we would
>>>> find on the way.
>>>
>>> We can support migration/compaction with temporary mapping. The first
>>> roadblock I've hit there was that migration allocates 4K destination
>>> page and if we use it in secret map we are back to scrambling the direct
>>> map into 4K pieces. It still sounds feasible but not as trivial :)
>>
>> That sounds like the proper way for me to do it then.
>   
> Although migration of secretmem pages sounds feasible now, there maybe
> other issues I didn't see because I'm not very familiar with
> migration/compaction code.

Migration of PMDs might also be feasible -  and it would be even 
cleaner. But I agree that that might require more work and starting with 
something simpler (!movable) is the right way to move forward.

> On 11/02/2020 4:40 PM Mike Rapoport <rppt@kernel.org> wrote:

> > Isn't memfd_secret currently *unnecessarily* designed to be a "one task
> > feature"? memfd_secret fulfills exactly two (generic) features:
> > 
> > - address space isolation from kernel (aka SECRET_EXCLUSIVE, not in kernel's
> >   direct map) - hide from kernel, great
> > - disabling processor's memory caches against speculative-execution vulnerabilities
> >   (spectre and friends, aka SECRET_UNCACHED), also great
> > 
> > But, what about the following use-case: implementing a hardened IPC mechanism
> > where even the kernel is not aware of any data and optionally via SECRET_UNCACHED
> > even the hardware caches are bypassed! With the patches we are so close to
> > achieving this.
> > 
> > How? Shared, SECRET_EXCLUSIVE and SECRET_UNCACHED mmaped pages for IPC
> > involved tasks required to know this mapping (and memfd_secret fd). After IPC
> > is done, tasks can copy sensitive data from IPC pages into memfd_secret()
> > pages, un-sensitive data can be used/copied everywhere.
> 
> As long as the task share the file descriptor, they can share the
> secretmem pages, pretty much like normal memfd.

Including process_vm_readv() and process_vm_writev()? Let's take a hypothetical
"dbus-daemon-secure" service that receives data from process A and wants to
copy/distribute it to data areas of N other processes. Much like dbus but without
SOCK_DGRAM rather direct copy into secretmem/mmap pages (ring-buffer). Should be
possible, right?

> > One missing piece is still the secure zeroization of the page(s) if the
> > mapping is closed by last process to guarantee a secure cleanup. This can
> > probably done as an general mmap feature, not coupled to memfd_secret() and
> > can be done independently ("reverse" MAP_UNINITIALIZED feature).
> 
> There are "init_on_alloc" and "init_on_free" kernel parameters that
> enable zeroing of the pages on alloc and on free globally.
> Anyway, I'll add zeroing of the freed memory to secretmem.

Great, this allows page-specific (thus runtime-performance-optimized) zeroing
of secured pages. init_on_free lowers the performance to much and is not precice
enough.

Hagen

On Tue, Nov 03, 2020 at 02:52:14PM +0100, Hagen Paul Pfeifer wrote:
> > On 11/02/2020 4:40 PM Mike Rapoport <rppt@kernel.org> wrote:

> 

> > > Isn't memfd_secret currently *unnecessarily* designed to be a "one task

> > > feature"? memfd_secret fulfills exactly two (generic) features:

> > > 

> > > - address space isolation from kernel (aka SECRET_EXCLUSIVE, not in kernel's

> > >   direct map) - hide from kernel, great

> > > - disabling processor's memory caches against speculative-execution vulnerabilities

> > >   (spectre and friends, aka SECRET_UNCACHED), also great

> > > 

> > > But, what about the following use-case: implementing a hardened IPC mechanism

> > > where even the kernel is not aware of any data and optionally via SECRET_UNCACHED

> > > even the hardware caches are bypassed! With the patches we are so close to

> > > achieving this.

> > > 

> > > How? Shared, SECRET_EXCLUSIVE and SECRET_UNCACHED mmaped pages for IPC

> > > involved tasks required to know this mapping (and memfd_secret fd). After IPC

> > > is done, tasks can copy sensitive data from IPC pages into memfd_secret()

> > > pages, un-sensitive data can be used/copied everywhere.

> > 

> > As long as the task share the file descriptor, they can share the

> > secretmem pages, pretty much like normal memfd.

> 

> Including process_vm_readv() and process_vm_writev()? Let's take a hypothetical

> "dbus-daemon-secure" service that receives data from process A and wants to

> copy/distribute it to data areas of N other processes. Much like dbus but without

> SOCK_DGRAM rather direct copy into secretmem/mmap pages (ring-buffer). Should be

> possible, right?


I'm not sure I follow you here.
For process_vm_readv() and process_vm_writev() secremem will be only
accessible on the local part, but not on the remote.
So copying data to secretmem pages using process_vm_writev wouldn't
work.

> > > One missing piece is still the secure zeroization of the page(s) if the

> > > mapping is closed by last process to guarantee a secure cleanup. This can

> > > probably done as an general mmap feature, not coupled to memfd_secret() and

> > > can be done independently ("reverse" MAP_UNINITIALIZED feature).

> > 

> > There are "init_on_alloc" and "init_on_free" kernel parameters that

> > enable zeroing of the pages on alloc and on free globally.

> > Anyway, I'll add zeroing of the freed memory to secretmem.

> 

> Great, this allows page-specific (thus runtime-performance-optimized) zeroing

> of secured pages. init_on_free lowers the performance to much and is not precice

> enough.

> 

> Hagen


-- 
Sincerely yours,
Mike.

> On 11/03/2020 5:30 PM Mike Rapoport <rppt@kernel.org> wrote:

> 

> > > As long as the task share the file descriptor, they can share the

> > > secretmem pages, pretty much like normal memfd.

> > 

> > Including process_vm_readv() and process_vm_writev()? Let's take a hypothetical

> > "dbus-daemon-secure" service that receives data from process A and wants to

> > copy/distribute it to data areas of N other processes. Much like dbus but without

> > SOCK_DGRAM rather direct copy into secretmem/mmap pages (ring-buffer). Should be

> > possible, right?

> 

> I'm not sure I follow you here.

> For process_vm_readv() and process_vm_writev() secremem will be only

> accessible on the local part, but not on the remote.

> So copying data to secretmem pages using process_vm_writev wouldn't

> work.


A hypothetical "dbus-daemon-secure" service will not be *process related* with communication
peers. E.g. a password-input process (reading a password into secured-memory page) will
transfer the password to dbus-daemon-secure and this service will hand-over the password to
two additional applications: a IPsec process on CPU0 und CPU1 (which itself use a
secured-memory page).

So four applications IPC chain:
 password-input -> dbus-daemon-secure -> {IPsec0, IPsec1}

- password-input: uses a secured page to read/save the password locally after reading from TTY
- dbus-daemon-secure: uses a secured page for IPC (legitimate user can write and read into the secured page)
- IPSecN has secured page to save the password locally (and probably other data as well), IPC memory is memset'ed after copy

Goal: the whole password is never saved/touched on non secured pages during IPC transfer.

Question: maybe a *file-descriptor passing* mechanism can do the trick? I.e. dbus-daemon-secure
allocates via memfd_secret/mmap secure pages and permitted processes will get the descriptor/mmaped-page
passed so they can use the pages directly?

Hagen

On Wed, Nov 04, 2020 at 12:39:13PM +0100, Hagen Paul Pfeifer wrote:
> > On 11/03/2020 5:30 PM Mike Rapoport <rppt@kernel.org> wrote:
> > 
> > > > As long as the task share the file descriptor, they can share the
> > > > secretmem pages, pretty much like normal memfd.
> > > 
> > > Including process_vm_readv() and process_vm_writev()? Let's take a hypothetical
> > > "dbus-daemon-secure" service that receives data from process A and wants to
> > > copy/distribute it to data areas of N other processes. Much like dbus but without
> > > SOCK_DGRAM rather direct copy into secretmem/mmap pages (ring-buffer). Should be
> > > possible, right?
> > 
> > I'm not sure I follow you here.
> > For process_vm_readv() and process_vm_writev() secremem will be only
> > accessible on the local part, but not on the remote.
> > So copying data to secretmem pages using process_vm_writev wouldn't
> > work.
> 
> A hypothetical "dbus-daemon-secure" service will not be *process related* with communication
> peers. E.g. a password-input process (reading a password into secured-memory page) will
> transfer the password to dbus-daemon-secure and this service will hand-over the password to
> two additional applications: a IPsec process on CPU0 und CPU1 (which itself use a
> secured-memory page).
> 
> So four applications IPC chain:
>  password-input -> dbus-daemon-secure -> {IPsec0, IPsec1}
> 
> - password-input: uses a secured page to read/save the password locally after reading from TTY
> - dbus-daemon-secure: uses a secured page for IPC (legitimate user can write and read into the secured page)
> - IPSecN has secured page to save the password locally (and probably other data as well), IPC memory is memset'ed after copy
> 
> Goal: the whole password is never saved/touched on non secured pages during IPC transfer.
> 
> Question: maybe a *file-descriptor passing* mechanism can do the trick? I.e. dbus-daemon-secure
> allocates via memfd_secret/mmap secure pages and permitted processes will get the descriptor/mmaped-page
> passed so they can use the pages directly?

Yes, this will work. The processes that share the memfd_secret file
descriptor will have access to the same memory pages, pretty much like
with shared memory.

> Hagen

> On 11/04/2020 6:02 PM Mike Rapoport <rppt@kernel.org> wrote:

> 

> Yes, this will work. The processes that share the memfd_secret file

> descriptor will have access to the same memory pages, pretty much like

> with shared memory.


Perfect!

Acked-by: Hagen Paul Pfeifer <hagen@jauu.net>


Thank you for the effort Mike, if zeroize feature will also included it will
be great! The memset-all-pages after use is just overkill, a dedicated flag for
memfd_secret (or mmap) would be superior.

Hagen