From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: Yann Droneaud <ydroneaud@opteya.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>, Ingo Molnar <mingo@kernel.org>,
linux-kernel@vger.kernel.org, patches@lists.linux.dev,
tglx@linutronix.de, linux-crypto@vger.kernel.org,
linux-api@vger.kernel.org, x86@kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>,
Carlos O'Donell <carlos@redhat.com>,
Florian Weimer <fweimer@redhat.com>,
Arnd Bergmann <arnd@arndb.de>, Jann Horn <jannh@google.com>,
Christian Brauner <brauner@kernel.org>,
linux-mm@kvack.org
Subject: Re: [PATCH v14 2/7] mm: add VM_DROPPABLE for designating always lazily freeable mappings
Date: Thu, 5 Jan 2023 23:57:26 +0100 [thread overview]
Message-ID: <Y7dV1lVUYjqs8fh0@zx2c4.com> (raw)
In-Reply-To: <10302240-51ec-0854-2c86-16752d67a9be@opteya.com>
On Thu, Jan 05, 2023 at 10:57:48PM +0100, Yann Droneaud wrote:
> Hi,
>
> Le 03/01/2023 à 21:44, Jason A. Donenfeld a écrit :
> > On Tue, Jan 03, 2023 at 12:15:57PM -0800, Linus Torvalds wrote:
> >> On Tue, Jan 3, 2023 at 12:03 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> >>> That buffering cannot be done safely currently
> >> .. again, this is "your semantics" (the (b) in my humbug list), not
> >> necessarily reality for anybody else.
> > Yea that's fair. Except, of course, I maintain that my semantics are
> > important ones. :)
>
>
> I concur.
>
> To hold secret material, we need MADV_WIPEONFORK | MADV_DONTDUMP and the side effect of mlock() (pages' content never written to swap), inherited across fork().
> And I want mlock() without paying the price.
>
> Jason's proposed semantics, which I call MADV_WIPEONSWAP, provide a mean to hold /unlimited/ amount secrets in userspace memory (not limited by RLIMIT_MEMLOCK).
> The only constraint for userspace is to handle the case pages are wiped, which is already the case of userspace arc4random()'s implementation.
If you're actually serious about wanting a generic mechanism for
userspace, I think the moral of yesterday's poo-poo'ing all over this
cool new idea is that the Linux innercircle doesn't really care for
"security things" as a motivator and just takes the shortest and easiest
route toward swatting it away like a gadfly, assuming that the concerns
are unreal or niche or paranoid or whatever. This is obviously nothing
new - it's an old complaint beaten to death for years, with people who
are diehard it about eventually getting burnt out and leaving. So,
practically speaking, if you want this to exist, I think you have to
find some other cool use cases. Like, see if the database cache people
would actually love this. Or if it could be used as an opportunistic
renderer cache in Chrome that wouldn't result in OOMing with lots of
tabs. Or if shared process compiler servers could benefit from it.
"Droppable cache" is likely useful lots of places. So just find
SOMETHING that doesn't mean having to convince folks of a new security
model that justifies tickling mm/ innards in uncomfortable ways.
Jason
next prev parent reply other threads:[~2023-01-05 22:57 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20230101162910.710293-1-Jason@zx2c4.com>
2023-01-01 16:29 ` Jason A. Donenfeld
2023-01-03 10:50 ` Ingo Molnar
2023-01-03 15:01 ` Jason A. Donenfeld
2023-01-03 18:15 ` Ingo Molnar
2023-01-03 18:51 ` Jason A. Donenfeld
2023-01-03 18:36 ` Andy Lutomirski
2023-01-03 19:05 ` Jason A. Donenfeld
2023-01-03 20:52 ` Andy Lutomirski
2023-01-03 19:19 ` Linus Torvalds
2023-01-03 19:35 ` Jason A. Donenfeld
2023-01-03 19:54 ` Linus Torvalds
2023-01-03 20:03 ` Jason A. Donenfeld
2023-01-03 20:15 ` Linus Torvalds
2023-01-03 20:25 ` Linus Torvalds
2023-01-03 20:44 ` Jason A. Donenfeld
2023-01-05 21:57 ` Yann Droneaud
2023-01-05 22:57 ` Jason A. Donenfeld [this message]
2023-01-06 1:02 ` Linus Torvalds
2023-01-06 2:08 ` Linus Torvalds
2023-01-06 2:42 ` Jason A. Donenfeld
2023-01-06 20:53 ` Andy Lutomirski
2023-01-06 21:10 ` Linus Torvalds
2023-01-10 11:01 ` Dr. Greg
2023-01-06 21:36 ` Jason A. Donenfeld
2023-01-06 21:42 ` Matthew Wilcox
2023-01-06 22:06 ` Linus Torvalds
2023-01-06 2:14 ` Jason A. Donenfeld
2023-01-09 10:34 ` Florian Weimer
2023-01-09 14:28 ` Linus Torvalds
2023-01-11 7:27 ` Eric Biggers
2023-01-11 12:07 ` Linus Torvalds
2023-01-01 16:29 ` [PATCH v14 3/7] x86: mm: Skip faulting instruction for VM_DROPPABLE faults Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y7dV1lVUYjqs8fh0@zx2c4.com \
--to=jason@zx2c4.com \
--cc=adhemerval.zanella@linaro.org \
--cc=arnd@arndb.de \
--cc=brauner@kernel.org \
--cc=carlos@redhat.com \
--cc=fweimer@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=jannh@google.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mingo@kernel.org \
--cc=patches@lists.linux.dev \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
--cc=ydroneaud@opteya.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox