From: Colm MacCarthaigh
To: Pavel Machek
CC: Michal Hocko, Jann Horn, "Catangiu, Adrian Costin", "Graf (AWS), Alexander", "Singh, Balbir", "Sandu, Andrei", "Brooker, Marc", "Weiss, Radu", "Manwaring, Derek", linux-mm@kvack.org
Subject: Re: [RFC]: mm,power: introduce MADV_WIPEONSUSPEND
Date: Tue, 7 Jul 2020 12:00:41 -0700
In-Reply-To: <20200707163758.GA1947@amd>

On 7 Jul 2020, at 9:37, Pavel Machek wrote:
> Please go through the thread and try to understand it.
>
> You'd need syscalls per get_randomness(), not per migration.

I think one check per get_randomness() is sufficient, though putting it at the end of the critical section rather than the beginning helps.

get_randomness( int len, void *out )
{
retry:
    /* Generate random data */
    *out = rng(len);

    if (vm_was_cloned)
        goto retry;
}

At that point if there is a VM snapshot event .. it happens in the caller's context and it's the caller's job to mitigate it, and the caller can use the same trick if necessary.

Note though; the security issues arise when a snapshot is being restored more than once. For those cases it seems very reasonable for the snapshot takers to make the image quiescent prior to snapshotting, to further reduce the risk of things like the snapshot occurring in the middle of a different critical section. The mechanism here is about communicating the snapshot to libraries which are self-contained.

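The retry-at-the-end pattern from the sketch in the message above, as an added example written for this page, not code from the thread or from the proposed kernel change. A simulated hypervisor generation counter stands in for the vm_was_cloned signal and a toy xorshift stream for the RNG; both are assumptions, not real interfaces. The simulation takes a snapshot in the middle of get_randomness(), after the bytes have been written to the caller's buffer, and contrasts three placements of the check: none, at the start of the call, and at the end. Only the end-of-call check discards the bytes the restored instance shares with the image and regenerates them from a reseeded stream.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* --- Simulated environment; everything here is an assumption for the example --- */

/* Value the hypervisor is assumed to change when a restored snapshot starts
 * running: the "vm_was_cloned" signal of the sketch, in counter form. */
static uint64_t vm_generation;
/* Generation the RNG last observed; a mismatch means a restore happened. */
static uint64_t last_seen_generation;

/* Toy xorshift64 stream standing in for the system RNG. Not a secure RNG. */
#define TOY_SEED 0x9E3779B97F4A7C15ULL
static uint64_t rng_state;

static uint64_t toy_rng_next(void)
{
    uint64_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    rng_state = x;
    return x;
}

/* Stand-in for reseeding from fresh entropy after a clone. Without a reseed
 * a retry would replay the same stream in every restored instance. */
static void toy_rng_reseed(void)
{
    rng_state ^= (vm_generation * 0xD6E8FEB86659FD93ULL) | 1;
}

/* Returns 1 (and reseeds) if a restore happened since the last check. */
static int generation_changed(void)
{
    if (vm_generation == last_seen_generation)
        return 0;
    last_seen_generation = vm_generation;
    toy_rng_reseed();
    return 1;
}

/* Snapshot taken inside get_randomness(): the bytes already in the caller's
 * buffer are part of the image, so every restore holds them. Keep a copy to
 * compare against, then bump the generation to model the restored instance
 * resuming at exactly this point. */
#define SAMPLE_LEN 32
static unsigned char snapshot_copy[SAMPLE_LEN];
static int snapshot_pending;

static void maybe_take_snapshot_here(const unsigned char *out, size_t len)
{
    if (!snapshot_pending)
        return;
    snapshot_pending = 0;
    memcpy(snapshot_copy, out, len < SAMPLE_LEN ? len : SAMPLE_LEN);
    vm_generation++;
}

enum check_mode { CHECK_NONE, CHECK_AT_START, CHECK_AT_END };

/* Fills out[0..len) and returns the number of retries that were needed. */
unsigned get_randomness(unsigned char *out, size_t len, enum check_mode mode)
{
    unsigned retries = 0;
    for (;;) {
        if (mode == CHECK_AT_START)
            (void)generation_changed(); /* cannot see a snapshot taken later in this call */
        for (size_t i = 0; i < len; i++)
            out[i] = (unsigned char)toy_rng_next();
        maybe_take_snapshot_here(out, len);
        if (mode == CHECK_AT_END && generation_changed()) {
            memset(out, 0, len); /* bytes may now exist in another VM: discard and regenerate */
            retries++;
            continue;
        }
        return retries;
    }
}

static void reset_simulation(void)
{
    vm_generation = 1;
    last_seen_generation = 1;
    rng_state = TOY_SEED;
    snapshot_pending = 0;
}

/* Scenario: a snapshot is taken inside get_randomness() and a restored VM
 * resumes there. Returns 1 if that VM's caller receives exactly the bytes
 * frozen in the image (shared with every other restore), 0 otherwise. */
int restored_vm_reuses_snapshot_bytes(enum check_mode mode)
{
    unsigned char out[SAMPLE_LEN];
    reset_simulation();
    snapshot_pending = 1;
    get_randomness(out, sizeof out, mode);
    return memcmp(out, snapshot_copy, sizeof out) == 0;
}

/* Control: with no snapshot, the end-of-call check costs no retries. */
unsigned retries_without_snapshot(void)
{
    unsigned char out[SAMPLE_LEN];
    reset_simulation();
    return get_randomness(out, sizeof out, CHECK_AT_END);
}

int main(void)
{
    printf("no check:       reuses image bytes = %d\n", restored_vm_reuses_snapshot_bytes(CHECK_NONE));
    printf("check at start: reuses image bytes = %d\n", restored_vm_reuses_snapshot_bytes(CHECK_AT_START));
    printf("check at end:   reuses image bytes = %d\n", restored_vm_reuses_snapshot_bytes(CHECK_AT_END));
    printf("retries without snapshot: %u\n", retries_without_snapshot());
    return 0;
}
```

restored_vm_reuses_snapshot_bytes() returns 1 for CHECK_NONE and CHECK_AT_START and 0 for CHECK_AT_END, which is the point of the message: a check before generation sees a clean state and then hands out bytes that are also in the image. The reseed on detection matters as much as the retry; regenerating from an unchanged deterministic stream would give both instances identical bytes a second time.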