[RFC v2 00/13] Multi-Key Total Memory Encryption API (MKTME)
Alison Schofield
alison.schofield at intel.com
Tue Dec 4 07:39:47 UTC 2018
Hi Thomas, David,
Here is an updated RFC on the API's to support MKTME.
(Multi-Key Total Memory Encryption)
This RFC presents the 2 API additions to support the creation and
usage of memory encryption keys:
1) Kernel Key Service type "mktme"
2) System call encrypt_mprotect()
This patchset is built upon Kirill Shutemov's work for the core MKTME
support.
David: Please let me know if the changes made, based on your review,
are reasonable. I don't think that the new changes touch key service
specific areas (much).
Thomas: Please provide feedback on encrypt_mprotect(). If not a
review, then a direction check would be helpful.
I picked up a few more 'CCs this time in get_maintainer!
Thanks!
Alison
Changes in RFC2
Add a preparser to mktme key service. (dhowells)
Replace key serial no. with key struct point in mktme_map. (dhowells)
Remove patch that inserts a special MKTME case in keyctl revoke. (dhowells)
Updated key usage syntax in the documentation (Kai)
Replaced NO_PKEY, NO_KEYID with a single constant NO_KEY. (Jarkko)
Clarified comments in changelog and code. (Jarkko)
Add clear, no-encrypt, and update key support.
Add mktme_savekeys (Patch 12 ) to give kernel permission to save key data.
Add cpu hotplug support. (Patch 13)
Alison Schofield (13):
x86/mktme: Document the MKTME APIs
mm: Generalize the mprotect implementation to support extensions
syscall/x86: Wire up a new system call for memory encryption keys
x86/mm: Add helper functions for MKTME memory encryption keys
x86/mm: Set KeyIDs in encrypted VMAs
mm: Add the encrypt_mprotect() system call
x86/mm: Add helpers for reference counting encrypted VMAs
mm: Use reference counting for encrypted VMAs
mm: Restrict memory encryption to anonymous VMA's
keys/mktme: Add the MKTME Key Service type for memory encryption
keys/mktme: Program memory encryption keys on a system wide basis
keys/mktme: Save MKTME data if kernel cmdline parameter allows
keys/mktme: Support CPU Hotplug for MKTME keys
Documentation/admin-guide/kernel-parameters.rst | 1 +
Documentation/admin-guide/kernel-parameters.txt | 11 +
Documentation/x86/mktme/index.rst | 11 +
Documentation/x86/mktme/mktme_demo.rst | 53 +++
Documentation/x86/mktme/mktme_encrypt.rst | 58 +++
Documentation/x86/mktme/mktme_keys.rst | 109 +++++
Documentation/x86/mktme/mktme_overview.rst | 60 +++
arch/x86/Kconfig | 1 +
arch/x86/entry/syscalls/syscall_32.tbl | 1 +
arch/x86/entry/syscalls/syscall_64.tbl | 1 +
arch/x86/include/asm/mktme.h | 25 +
arch/x86/mm/mktme.c | 179 ++++++++
fs/exec.c | 4 +-
include/keys/mktme-type.h | 41 ++
include/linux/key.h | 2 +
include/linux/mm.h | 11 +-
include/linux/syscalls.h | 2 +
include/uapi/asm-generic/unistd.h | 4 +-
kernel/fork.c | 2 +
kernel/sys_ni.c | 2 +
mm/mprotect.c | 91 +++-
security/keys/Kconfig | 11 +
security/keys/Makefile | 1 +
security/keys/mktme_keys.c | 580 ++++++++++++++++++++++++
24 files changed, 1249 insertions(+), 12 deletions(-)
create mode 100644 Documentation/x86/mktme/index.rst
create mode 100644 Documentation/x86/mktme/mktme_demo.rst
create mode 100644 Documentation/x86/mktme/mktme_encrypt.rst
create mode 100644 Documentation/x86/mktme/mktme_keys.rst
create mode 100644 Documentation/x86/mktme/mktme_overview.rst
create mode 100644 include/keys/mktme-type.h
create mode 100644 security/keys/mktme_keys.c
--
2.14.1
More information about the Linux-security-module-archive
mailing list