From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=yPvx=AP=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=0.3 required=3.0 tests=DKIM_ADSP_ALL,DKIM_INVALID,
	DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6F27FC433E2
	for <linux-mm@archiver.kernel.org>; Sat,  4 Jul 2020 01:33:15 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 0F1FC20747
	for <linux-mm@archiver.kernel.org>; Sat,  4 Jul 2020 01:33:14 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=fail reason="signature verification failed" (1024-bit key) header.d=amazon.com header.i=@amazon.com header.b="t6jSlYkh"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 0F1FC20747
Authentication-Results: mail.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=amazon.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 465268D0002; Fri,  3 Jul 2020 21:33:14 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 414F18D0001; Fri,  3 Jul 2020 21:33:14 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 32A3D8D0002; Fri,  3 Jul 2020 21:33:14 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0222.hostedemail.com [216.40.44.222])
	by kanga.kvack.org (Postfix) with ESMTP id 1CD558D0001
	for <linux-mm@kvack.org>; Fri,  3 Jul 2020 21:33:14 -0400 (EDT)
Received: from smtpin21.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay05.hostedemail.com (Postfix) with ESMTP id AF41B181AC9C6
	for <linux-mm@kvack.org>; Sat,  4 Jul 2020 01:33:13 +0000 (UTC)
X-FDA: 76998670266.21.shade55_5b08e4826e96
Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251])
	by smtpin21.hostedemail.com (Postfix) with ESMTP id 8A211180442C0
	for <linux-mm@kvack.org>; Sat,  4 Jul 2020 01:33:13 +0000 (UTC)
X-HE-Tag: shade55_5b08e4826e96
X-Filterd-Recvd-Size: 4253
Received: from smtp-fw-33001.amazon.com (smtp-fw-33001.amazon.com [207.171.190.10])
	by imf01.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Sat,  4 Jul 2020 01:33:12 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209;
  t=1593826394; x=1625362394;
  h=from:to:cc:subject:date:message-id:in-reply-to:
   references:mime-version:content-transfer-encoding;
  bh=yZOA5jNuhD7ergwOgohOsatx92Oagwl7YS30ee6JkJY=;
  b=t6jSlYkhNJe78t6SVp/BQZH4rYL+L14+EImsmFgmZEsT8DYG7dpeao8H
   lX9kb4CkVGQPAVBeQLejhgM/tZnd67du8sE/xPi4AYq5epCdSuxb95rLc
   yebF/yVK9ENyoB8ge1mmGLj2UacRz49//ZjSu35YZHbh3v815QmTRRXaI
   w=;
IronPort-SDR: 8fE+uRAOvSYpKn58tAwfs4W0gGeiSnr+xNekpJsrtft03Rk7Yrr72AOHYjFAgNChxct5cyLC7G
 PQ7pNZ1qED3g==
X-IronPort-AV: E=Sophos;i="5.75,309,1589241600"; 
   d="scan'208";a="55965210"
Received: from sea32-co-svc-lb4-vlan3.sea.corp.amazon.com (HELO email-inbound-relay-1d-37fd6b3d.us-east-1.amazon.com) ([10.47.23.38])
  by smtp-border-fw-out-33001.sea14.amazon.com with ESMTP; 04 Jul 2020 01:33:09 +0000
Received: from EX13MTAUWA001.ant.amazon.com (iad55-ws-svc-p15-lb9-vlan2.iad.amazon.com [10.40.159.162])
	by email-inbound-relay-1d-37fd6b3d.us-east-1.amazon.com (Postfix) with ESMTPS id BDF432850D9;
	Sat,  4 Jul 2020 01:33:07 +0000 (UTC)
Received: from EX13D01UWA003.ant.amazon.com (10.43.160.107) by
 EX13MTAUWA001.ant.amazon.com (10.43.160.118) with Microsoft SMTP Server (TLS)
 id 15.0.1497.2; Sat, 4 Jul 2020 01:33:07 +0000
Received: from [192.168.1.11] (10.43.160.48) by EX13d01UWA003.ant.amazon.com
 (10.43.160.107) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sat, 4 Jul
 2020 01:33:06 +0000
From: Colm =?utf-8?q?MacC=C3=A1rthaigh?= <colmmacc@amazon.com>
To: Jann Horn <jannh@google.com>
CC: "Catangiu, Adrian Costin" <acatan@amazon.com>, <linux-mm@kvack.org>,
	<linux-pm@vger.kernel.org>, <virtualization@lists.linux-foundation.org>,
	<linux-api@vger.kernel.org>, <akpm@linux-foundation.org>,
	<rjw@rjwysocki.net>, <len.brown@intel.com>, <pavel@ucw.cz>,
	<mhocko@kernel.org>, <fweimer@redhat.com>, <keescook@chromium.org>,
	<luto@amacapital.net>, <wad@chromium.org>, <mingo@kernel.org>,
	<bonzini@gnu.org>, "Graf (AWS), Alexander" <graf@amazon.de>, "Singh, Balbir"
	<sblbir@amazon.com>, "Sandu, Andrei" <sandreim@amazon.com>, "Brooker, Marc"
	<mbrooker@amazon.com>, "Weiss, Radu" <raduweis@amazon.com>, "Manwaring,
 Derek" <derekmn@amazon.com>
Subject: Re: [RFC]: mm,power: introduce MADV_WIPEONSUSPEND
Date: Fri, 3 Jul 2020 18:33:05 -0700
X-Mailer: MailMate Trial (1.13.1r5671)
Message-ID: <5E780027-A6A7-4ED3-AA76-16C2036FF8D4@amazon.com>
In-Reply-To: <CAG48ez2CpHX9i3YgkNyMHPz63ohjkaSZscMtwSHOFYN4VQow3Q@mail.gmail.com>
References: <B7793B7A-3660-4769-9B9A-FFCF250728BB@amazon.com>
 <CAG48ez2CpHX9i3YgkNyMHPz63ohjkaSZscMtwSHOFYN4VQow3Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format=flowed
X-Originating-IP: [10.43.160.48]
X-ClientProxiedBy: EX13D36UWB003.ant.amazon.com (10.43.161.118) To
 EX13d01UWA003.ant.amazon.com (10.43.160.107)
X-Rspamd-Queue-Id: 8A211180442C0
X-Spamd-Result: default: False [0.00 / 100.00]
X-Rspamd-Server: rspam04
Content-Transfer-Encoding: quoted-printable
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>



On 3 Jul 2020, at 4:04, Jann Horn wrote:

>>  - Provides a simple mechanism to avoid RAM exfiltration during
>>    traditional sleep/hibernate on a laptop or desktop when memory,
>>    and thus secrets, are vulnerable to offline tampering or=20
>> inspection.
>
> For the first usecase, I wonder which way around this would work
> better - do the wiping when a VM is saved, or do it when the VM is
> restored? I guess that at least in some scenarios, doing it on restore
> would be nicer because that way the hypervisor can always instantly
> save a VM without having to wait for the guest to say "alright, I'm
> ready" - especially if someone e.g. wants to take a snapshot of a
> running VM while keeping it running? Or do hypervisors inject such
> ACPI transitions every time they snapshot/save/restore a VM anyway?


Just to answer this - I=E2=80=99d expect wipe-after-save rather than=20
wipe-on-restore to be common for some. That provides the most defense=20
against secrets ending up on disk or some other durable medium when the=20
VM images are being saved.

-
Colm