On Thu, Jul 19, 2018 at 06:58:14AM -0700, Dave Hansen wrote:
> On 07/19/2018 12:16 AM, Kirill A. Shutemov wrote:
> > On Wed, Jul 18, 2018 at 10:36:24AM -0700, Dave Hansen wrote:
> >> On 07/17/2018 04:20 AM, Kirill A. Shutemov wrote:
> >>> Zero page is not encrypted and putting it into encrypted VMA produces
> >>> garbage.
> >>>
> >>> We can map zero page with KeyID-0 into an encrypted VMA, but this would
> >>> be a violation of the security boundary between encryption domains.
> >> Why? How is it a violation?
> >>
> >> It only matters if they write secrets. They can't write secrets to the
> >> zero page.
> > I believe usage of the zero page is wrong here. It would indirectly reveal
> > the content of a supposedly encrypted memory region.
> >
> > I can see the argument why it should be okay and I don't have a very strong
> > opinion on this.
>
> I think we should make the zero page work. If folks are
> security-sensitive, they need to write to guarantee it isn't being
> shared. That's a pretty low bar.
>
> I'm struggling to think of a case where an attacker has access to the
> encrypted data, the virt->phys mapping, *and* can glean something
> valuable from the presence of the zero page.

Okay.

> Please spend some time and focus on your patch descriptions. Use facts
> that are backed up and are *precise* or tell the story of how your patch
> was developed. In this case, citing the "security boundary" is not
> precise enough without explaining what the boundary is and how it is
> violated.

Fair enough. I'll go through all commit messages once again. Sorry.

--
 Kirill A. Shutemov