For some reason gmail thought it would be a good ideas to move this into
the SPAM folder, so I only saw the recent replies just now.
I'm going to have a look at this soonish.
One point that popped up in the past and that I raised on the last RFC:
we should think about letting processes *opt out/disable* KSM on their
own. Either completely, or for selected VMAs.
Reasoning is, that if you have an application that really doesn't want
some memory regions to be applicable to KSM (memory de-duplication
attacks? Knowing that KSM on some regions will be counter-productive)
For example, remembering if MADV_UNMERGEABLE was called and not only
clearing the VMA flag. So even if KSM would be force-enabled by some
tooling after the process started, such regions would not get considered
for KSM.
It would a bit like how we handle THP.
On 24.02.23 05:39, Stefan Roesch wrote:
So far KSM can only be enabled by calling madvise for memory regions. To
be able to use KSM for more workloads, KSM needs to have the ability to be
enabled / disabled at the process / cgroup level.
Use case 1:
The madvise call is not available in the programming language. An example for
this are programs with forked workloads using a garbage collected language without
pointers. In such a language madvise cannot be made available.
In addition the addresses of objects get moved around as they are garbage
collected. KSM sharing needs to be enabled "from the outside" for these type of
workloads.
Use case 2:
The same interpreter can also be used for workloads where KSM brings no
benefit or even has overhead. We'd like to be able to enable KSM on a workload
by workload basis.
Use case 3:
With the madvise call sharing opportunities are only enabled for the current
process: it is a workload-local decision. A considerable number of sharing
opportuniites may exist across multiple workloads or jobs. Only a higler level
entity like a job scheduler or container can know for certain if its running
one or more instances of a job. That job scheduler however doesn't have
the necessary internal worklaod knowledge to make targeted madvise calls.
Security concerns:
In previous discussions security concerns have been brought up. The problem is
that an individual workload does not have the knowledge about what else is
running on a machine. Therefore it has to be very conservative in what memory
areas can be shared or not. However, if the system is dedicated to running
multiple jobs within the same security domain, its the job scheduler that has
the knowledge that sharing can be safely enabled and is even desirable.
Note that there are some papers about why limiting memory deduplciation
attacks to single security domains is not sufficient. Especially, the
remote deduplication attacks fall into that category IIRC.
--
Thanks,
David / dhildenb
