LWN: Comments on "Two address-space-isolation patches get closer"

Two address-space-isolation patches get closer

zengtm — Wed, 26 May 2021 02:36:40 +0000

A few years ago, linux-arch-msm + QHEE (Qualcomm Hypervisor Execution Environment) also posted patches to take memory away from host kernel via a new Hypercall "hyp_assign_phys()", with this proposed patch:

https://patchwork.kernel.org/project/linux-arm-msm/patch/...

> + ret = hyp_assign_phys(qproc->dev, addr, size,
> + qproc->vmid_details.srcVM,
> + src_count, qproc->vmid_details.destVM,
> + qproc->vmid_details.destVMperm, dest_count);

Agree it is a trade-off between fragmentation and protection.

Two address-space-isolation patches get closer

nybble41 — Mon, 02 Nov 2020 22:14:01 +0000

> Secretmem prevents ptrace access…

*All* ptrace access, or just PTRACE_PEEKDATA? If it's the latter then ptrace could still be used to access the "secret" memory by first injecting code into the process to copy the data elsewhere.

I can't say I'm all that comfortable with the idea of handing processes rootkit-like tools to hide the contents of their memory from the system administrator, though I suppose the enforcement aspects could be patched out of the kernel easily enough without affecting the userspace ABI. This seems like something that could benefit malware (including, but not limited to, DRM) at least as much as security software.

Two address-space-isolation patches get closer

rppt — Mon, 02 Nov 2020 17:49:19 +0000

Secretmem prevents ptrace access so debuggers and core dumping won't be able to read these pages. As for criu, in theory it could read secretmem mappings, but this would reduce the security benefits of using secretmem.

Two address-space-isolation patches get closer

rppt — Mon, 02 Nov 2020 16:12:52 +0000

I hesitated a lot and decided in favour of a new systcall after I've started to draft man page.
The description would be quite different and I though it would be confusing.

Two address-space-isolation patches get closer

mss — Wed, 28 Oct 2020 14:51:34 +0000

In terms of address space isolation there is also KVM Address Space Isolation (ASI).

There will be talk about it later today at the KVM Forum:
https://kvmforum2020.sched.com/event/eE2A/kvm-address-spa...

Two address-space-isolation patches get closer

mathstuf — Wed, 28 Oct 2020 14:29:22 +0000

How will this affect debuggers and core dumping? Will these be inaccessible through ptrace? What's the interaction with criu saving and restoring? If VM rebooting is being given up, I'd expect criu is also out of luck here.

Two address-space-isolation patches get closer

dullfire — Tue, 27 Oct 2020 23:41:23 +0000

why is memfd_secret another syscall? doesn't it make much more sense as a flag to memfd_create?

and if you really really want, the 'secret' flag could add a 'secret_flags' argument.

unless memfd_create does not error on unknown flags I don't see a reason not to have done that.