From: Andy Lutomirski
Subject: Re: [RFC v2 PATCH 01/13] mm/shmem: Introduce F_SEAL_GUEST
Date: Thu, 2 Dec 2021 17:11:02 -0800
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.2.0
On 11/19/21 05:47, Chao Peng wrote:
> From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
>
> The new seal type provides semantics required for KVM guest private memory support. A file descriptor with the seal set is going to be used as source of guest memory in confidential computing environments such as Intel TDX and AMD SEV.
>
> F_SEAL_GUEST can only be set on empty memfd. After the seal is set userspace cannot read, write or mmap the memfd.
I don't have a strong objection here, but, given that you're only supporting it for memfd, would a memfd_create() flag be more straightforward? If nothing else, it would avoid any possible locking issue.
I'm also very very slightly nervous about a situation in which one program sends a memfd to an untrusted other process and that process truncates the memfd and then F_SEAL_GUESTs it. This could be mostly mitigated by also requiring that no other seals be set when F_SEAL_GUEST happens, but the alternative MFD_GUEST would eliminate this issue too.
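An added example, not code from the patch series or from this reply: it exercises the existing memfd sealing API (memfd_create with MFD_ALLOW_SEALING, F_ADD_SEALS, F_GET_SEALS) that the proposed F_SEAL_GUEST would extend. F_SEAL_GUEST is not in mainline headers, so the guest_seal_precheck() function below is a hypothetical model of the stricter rule mentioned above (refuse unless the memfd is still empty and carries no other seals), and the "truncate before sealing" step models the scenario the reply describes. The behaviour mask returned by demo_memfd_sealing() is an assumption of this example, chosen so the observed kernel behaviour can be checked rather than only printed.

```c
/* Added example (not from the patch or the thread): exercises the memfd
 * sealing API that F_SEAL_GUEST would extend. F_SEAL_GUEST itself is not in
 * mainline headers, so the guest-style precheck is modelled with the seals
 * that exist today. Linux-only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical precheck: only allow a guest-style seal on a memfd that is
 * still empty and has no other seals set (the stricter rule discussed in
 * the reply). Returns 0 if acceptable, -1 otherwise. */
int guest_seal_precheck(int fd)
{
    struct stat st;
    int seals = fcntl(fd, F_GET_SEALS);
    if (seals < 0)
        return -1;          /* not a sealable file */
    if (seals != 0)
        return -1;          /* some other party already sealed it */
    if (fstat(fd, &st) < 0)
        return -1;
    if (st.st_size != 0)
        return -1;          /* must be empty, as F_SEAL_GUEST requires */
    return 0;
}

/* Walks through create -> precheck -> truncate -> seal and returns a bitmask
 * (an assumption of this example) of the behaviours observed:
 *   bit 0: precheck accepts the fresh, empty memfd
 *   bit 1: precheck rejects it once it has been truncated to a nonzero size
 *   bit 2: after F_SEAL_SEAL, adding further seals fails with EPERM
 *   bit 3: after F_SEAL_WRITE, write() fails with EPERM
 *   bit 4: F_GET_SEALS reports the seals that were applied
 * Returns -1 if memfd_create is unavailable on this system. */
int demo_memfd_sealing(void)
{
    int result = 0;
    int fd = memfd_create("seal-demo", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;

    if (guest_seal_precheck(fd) == 0)
        result |= 1;

    /* Model the receiving process enlarging the memfd before sealing. */
    if (ftruncate(fd, 4096) == 0 && guest_seal_precheck(fd) != 0)
        result |= 2;

    /* Apply the seals that exist today; F_SEAL_SEAL freezes the seal set. */
    int want = F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL;
    if (fcntl(fd, F_ADD_SEALS, want) < 0) {
        close(fd);
        return result;
    }
    if (fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK) < 0 && errno == EPERM)
        result |= 4;
    if (write(fd, "x", 1) < 0 && errno == EPERM)
        result |= 8;
    if ((fcntl(fd, F_GET_SEALS) & want) == want)
        result |= 16;

    close(fd);
    return result;
}

int main(void)
{
    int r = demo_memfd_sealing();
    printf("observed behaviour mask: %d (all five checks pass at 31)\n", r);
    return r == 31 ? 0 : 1;
}
```

The precheck is what a receiver of a memfd would run before committing to use it as guest memory: an F_GET_SEALS result other than zero, or a nonzero size, means another process already touched the file, which is exactly the situation the reply flags. A memfd_create flag (the MFD_GUEST alternative mentioned above) would sidestep the check entirely, since the property would be fixed at creation time rather than applied later over a shared descriptor.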