Re: [PATCH v4 01/12] mm/shmem: Introduce F_SEAL_INACCESSIBLE

From: Andy Lutomirski
Date: Fri Feb 11 2022 - 18:33:44 EST

Next message: Bill Wendling: "Re: [PATCH v4] x86: use builtins to read eflags"
Previous message: Danilo Krummrich: "[PATCH 2/2] input: ps2-gpio: enforce and document open drain"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 1/18/22 05:21, Chao Peng wrote:

From: "Kirill A. Shutemov" <kirill.shutemov@xxxxxxxxxxxxxxx>

Introduce a new seal F_SEAL_INACCESSIBLE indicating the content of
the file is inaccessible from userspace through ordinary MMU access
(e.g., read/write/mmap). However, the file content can be accessed
via a different mechanism (e.g. KVM MMU) indirectly.

It provides semantics required for KVM guest private memory support
that a file descriptor with this seal set is going to be used as the
source of guest memory in confidential computing environments such
as Intel TDX/AMD SEV but may not be accessible from host userspace.

At this time only shmem implements this seal.

I don't dislike this *that* much, but I do dislike this. F_SEAL_INACCESSIBLE essentially transmutes a memfd into a different type of object. While this can apparently be done successfully and without races (as in this code), it's at least awkward. I think that either creating a special inaccessible memfd should be a single operation that create the correct type of object or there should be a clear justification for why it's a two-step process.

(Imagine if the way to create an eventfd would be to call timerfd_create() and then do a special fcntl to turn it into an eventfd but only if it's not currently armed. This would be weird.)

Next message: Bill Wendling: "Re: [PATCH v4] x86: use builtins to read eflags"
Previous message: Danilo Krummrich: "[PATCH 2/2] input: ps2-gpio: enforce and document open drain"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]