
memfd_secret() in 5.14


Posted Aug 7, 2021 7:23 UTC (Sat) by david.hildenbrand (subscriber, #108299)
In reply to: memfd_secret() in 5.14 by ericonr
Parent article: memfd_secret() in 5.14

I'd like to note that secretmem does not protect against kernel exploits or against root in most setups getting hold of that data. Once you're already in the kernel, you might just be able to remap the pages. Once you're root, you can trigger kexec or kdump to expose the data. Further, if all memory isn't getting cleared during reboot (e.g., in most VMs) you might be able to reboot and extract that data.



memfd_secret() in 5.14

Posted Aug 7, 2021 8:10 UTC (Sat) by randomguy3 (subscriber, #71063)

Which leads me to wonder: what does it protect against?

memfd_secret() in 5.14

Posted Aug 7, 2021 10:59 UTC (Sat) by david.hildenbrand (subscriber, #108299)

IIUC, the "easy" ways to access this data (/proc/kcore), application BUGs (e.g., accidentally using the secretmem area as a sending buffer) and kernel/CPU BUGs. When disabling other features (e.g., kdump) and extending other features (e.g., clearing all secretmem areas before kexec or before reboots) we can make it even harder for root to still read secretmem in the future. But it might be hard to get rid of all (kdb?) such ways for root to still read that memory.

memfd_secret() in 5.14

Posted Aug 9, 2021 12:59 UTC (Mon) by hkario (subscriber, #94864)

application bugs: you can't use that memory in syscalls

