https://lwn.net/Articles/812325/ This is a special feed containing comments posted to the individual LWN article titled "Keeping secrets in memfd areas". en-us Sun, 19 Oct 2025 02:21:01 +0000 Sun, 19 Oct 2025 02:21:01 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net https://lwn.net/Articles/812951/ https://lwn.net/Articles/812951/ chutzpah <div class="FormattedComment"> An IOMMU should be able to protect against rogue devices with DMA access, currently Linux's IOMMU usage does have some leaks, but it should be able to protect this memory.<br> </div> Thu, 20 Feb 2020 22:42:50 +0000 https://lwn.net/Articles/812780/ https://lwn.net/Articles/812780/ excors <div class="FormattedComment"> That depends on the hardware details - e.g. I believe some common ARM TrustZone implementations can mark regions of memory as inaccessible to the DMA controller, the GPU, the CPU, etc, which sounds like it could be useful here. (Sometimes used for DRM video decoding, where the decrypted bitstream and decoded frames are accessible to the VPU/GPU/display and not to the CPU, but it could be configured the other way round.)<br> </div> Tue, 18 Feb 2020 23:38:03 +0000 https://lwn.net/Articles/812778/ https://lwn.net/Articles/812778/ ncm <div class="FormattedComment"> Of course nothing is concealed from DMA. NICs, GPUs, and even audio hardware and USB bridges often have poorly-secured DMA capability.<br> </div> Tue, 18 Feb 2020 22:38:00 +0000 https://lwn.net/Articles/812695/ https://lwn.net/Articles/812695/ flussence <div class="FormattedComment"> It'd be nice if this enables the use of hardware encryption widgets like SME transparently. AIUI it can't safely be turned on globally because some drivers expect to be able to peek and poke shared memory - but if an area's explicitly flagged as secret that shouldn't be an obstacle. Having the contents encrypted at rest would also mean it's safe to swap out (as long as the key isn't!).<br> </div> Tue, 18 Feb 2020 08:13:04 +0000 https://lwn.net/Articles/812554/ https://lwn.net/Articles/812554/ edeloget <div class="FormattedComment"> I would expect it too but for a PoC that might be implied only - there is absolutely 0 chance for this PoC to be merged, so it should noly serve as a basis for discussion. <br> <p> Anyway, I like the idea - although I'm wondering if hiding memory from the kernel would not allow some kind of abuse (like hiding malicious stuff).<br> </div> Sat, 15 Feb 2020 12:01:47 +0000 https://lwn.net/Articles/812548/ https://lwn.net/Articles/812548/ mezcalero <div class="FormattedComment"> I hope this also erases the memory when freeing it and marks all mappings of it as not suitable for inclusion in coredumps.<br> <p> <p> </div> Sat, 15 Feb 2020 11:26:35 +0000 https://lwn.net/Articles/812500/ https://lwn.net/Articles/812500/ hansendc <div class="FormattedComment"> Theoretically. But, rowhammer is also most effective when you can get access to *lots* of memory so you can find flips of value between pages with special physical relationships on the media. This mechanism is at least limited by RLIMIT_MEMLOCK, which means that normal users can't normally get large swaths of it. <br> </div> Fri, 14 Feb 2020 17:02:43 +0000 https://lwn.net/Articles/812499/ https://lwn.net/Articles/812499/ zlynx <div class="FormattedComment"> I am fairly sure that user-space programs on x86 can already bypass cache using the non-temporal store instructions.<br> </div> Fri, 14 Feb 2020 15:52:43 +0000 https://lwn.net/Articles/812498/ https://lwn.net/Articles/812498/ Funcan <div class="FormattedComment"> Does allowing uncached memory access to userspace make rowhammer easier?<br> </div> Fri, 14 Feb 2020 15:34:24 +0000