On 07/19/2018 12:16 AM, Kirill A. Shutemov wrote:
> On Wed, Jul 18, 2018 at 10:36:24AM -0700, Dave Hansen wrote:
>> On 07/17/2018 04:20 AM, Kirill A. Shutemov wrote:
>>> Zero page is not encrypted and putting it into encrypted VMA produces
>>> garbage.
>>>
>>> We can map zero page with KeyID-0 into an encrypted VMA, but this would
>>> be violation security boundary between encryption domains.
>> Why? How is it a violation?
>>
>> It only matters if they write secrets. They can't write secrets to the
>> zero page.
> I believe usage of zero page is wrong here. It would indirectly reveal
> content of supposedly encrypted memory region.
>
> I can see argument why it should be okay and I don't have very strong
> opinion on this.

I think we should make the zero page work. If folks are
security-sensitive, they need to write to guarantee it isn't being
shared. That's a pretty low bar.

I'm struggling to think of a case where an attacker has access to the
encrypted data, the virt->phys mapping, *and* can glean something
valuable from the presence of the zero page.

Please spend some time and focus on your patch descriptions. Use facts
that are backed up and are *precise* or tell the story of how your patch
was developed. In this case, citing the "security boundary" is not
precise enough without explaining what the boundary is and how it is
violated.