[PATCH v2 4/4] virt: Add sev_secret module to expose confidential computing secrets
Dov Murik
dovmurik at linux.ibm.com
Fri Oct 8 05:51:55 UTC 2021
Thanks Dave for reviewing this.
On 07/10/2021 16:48, Dave Hansen wrote:
> On 10/6/21 11:18 PM, Dov Murik wrote:
>> +static void wipe_memory(void *addr, size_t size)
>> +{
>> + memzero_explicit(addr, size);
>> + clean_cache_range(addr, size);
>> +}
>
> What's the purpose of the clean_cache_range()? It's backed in a CLWB
> instruction on x86 which seems like an odd choice. I guess the point is
> that the memzero_explicit() will overwrite the contents, but might have
> dirty lines in the cache. The CLWB will ensure that the lines are
> actually written back to memory, clearing the secret out of memory.
> Without the CLWB, the secret might live in memory until the dirtied
> cachelines are written back.
Yes, that's the reason; as suggested by Andrew Scull in [1].
[1] https://lore.kernel.org/linux-coco/CADcWuH0mP+e6GxkUGN3ni_Yu0z8YTn-mo677obH+p-OFCL+wOQ@mail.gmail.com/
>
> Could you document this, please? It would also be nice to include some
> of this motivation in the patch that exports clean_cache_range() in the
> first place.
>
Yes, I'll add that.
> I also think clean_cache_range() an odd choice. If it were me, I
> probably would have just used the already-exported
> clflush_cache_range(). The practical difference between writing back
> and flushing the cachelines is basically zero. The lines will never be
> reused.
>
I agree that performance benefits of CLWB over CLFLUSH are negligible here
(but I have no way of measuring it). Andrew suggested [2] that the extra
invalidation that CLFLUSH does it unnecessary.
But if we all agree that the clflush_cache_range() is OK here, I'm OK
with removing patch 1 and calling clflush_cache_range() in wipe_memory()
here.
Does anyone know of other locations in the kernel where memory is needed
to be scrubbed (zeroed and flushed) - like my wipe_memory()? Maybe there's
a standard way of doing this?
[2] https://lore.kernel.org/linux-coco/CADcWuH05vbFtJ1WYSs3d+_=TGzh-MitvAXp1__d1kGJJkvkWpQ@mail.gmail.com/
> *If* we export anything from x86 code, I think it should be something
> which is specific to the task at hand, like arch_invalidate_pmem() is.
>
> Also, when you are modifying x86 code, including exports, it would be
> nice to include (all of) the x86 maintainers. The relevant ones for
> this series would probably be:
>
> X86 ARCHITECTURE (32-BIT AND 64-BIT)
> M: Thomas Gleixner <tglx at linutronix.de>
> M: Ingo Molnar <mingo at redhat.com>
> M: Borislav Petkov <bp at alien8.de>
> M: x86 at kernel.org
>
> X86 MM
> M: Dave Hansen <dave.hansen at linux.intel.com>
> M: Andy Lutomirski <luto at kernel.org>
> M: Peter Zijlstra <peterz at infradead.org>
>
> There's also the handy dandy scripts/get_maintainer.pl to help.
>
You're right, sorry for missing it in this round.
But even if I remove the x86 change, I'll keep you copied anyway...
-Dov
More information about the Linux-security-module-archive
mailing list