Add memory wipe on allocation/deallocation#1530
Conversation
8a35409 to
ceff12d
Compare
ceff12d to
b2eda36
Compare
b2eda36 to
71f5937
Compare
71f5937 to
243fdd2
Compare
243fdd2 to
5ab4c4b
Compare
5ab4c4b to
087a062
Compare
|
we may have an issue with this. kexec is usually one of those features that should be restricted. We will have to make sure that the target of the kexec is signed itself. along with using the correct kexec commands that force the loading of a signed image. all doable, but has to be considered. the next question is it just on shutdown? or do we want it on the shutdown of a particular vm? so is there something in the vmm that will cause the memory of the vm to be wiped. Do we need sdmem, swap clearing (swap on/off) forced sync and maybe even drop caches? Just to flush the memory pipeline for any residuals. in an individual vm? |
well, requirements says "zero on shutdown" :-) we can just enable init_on_free on host kernel, and it will solve this task complitely for the price of 5-10% performance degradation, so every memory deallocation on the host kernel level will trigger zeroing of deallocated block. for security reasons this option can't be controlled in runtime, so kexec is the only option to trigger it when needed. ps the best way to solve this is to enable memory encryption, so there will be no need for memory zeroing, but intel processors on thinkpads and system76 doesn't support it unfortunately. |
087a062 to
28dd04d
Compare
28dd04d to
724d4a8
Compare
724d4a8 to
a0fe82e
Compare
|
Images from the automated pre-merge were already cleaned away. I managed to launch performance tests for Dell-7330 and Darter-Pro early enough (yesterday). Results didn't show clear regression when comparing to the last measurements in |
|
I ran performance tests locally on Lenovo-X1 too. Didn't find significant regression compared to current mainline. Few apps failed first boot time tests but afterwards in manual check they launched fast. |
a0fe82e to
a13b916
Compare
|
By default Tested on [ghaf@ghaf-host:/tmp]$ stress-ng --vm 4 --vm-bytes 1G --vm-method all --verify -t 30s --metrics-brief
stress-ng: info: [4354] setting to a 30 secs run per stressor
stress-ng: info: [4354] dispatching hogs: 4 vm
stress-ng: info: [4354] note: 16 cpus have scaling governors set to powersave and this may impact performance; setting /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor to 'performance' may improve performance
stress-ng: info: [4355] vm: using 256M per stressor instance (total 1G of 69.40G available memory)
stress-ng: metrc: [4354] stressor bogo ops real time usr time sys time bogo ops/s bogo ops/s
stress-ng: metrc: [4354] (secs) (secs) (secs) (real time) (usr+sys time)
stress-ng: metrc: [4354] vm 5846934 30.00 84.94 13.20 194888.92 59579.51
stress-ng: info: [4354] skipped: 0
stress-ng: info: [4354] passed: 4: vm (4)
stress-ng: info: [4354] failed: 0
stress-ng: info: [4354] metrics untrustworthy: 0
stress-ng: info: [4354] successful run completed in 30.00 secsTested on [ghaf@ghaf-host:/tmp]$ stress-ng --vm 4 --vm-bytes 1G --vm-method all --verify -t 30s --metrics-brief
stress-ng: info: [4738] setting to a 30 secs run per stressor
stress-ng: info: [4738] dispatching hogs: 4 vm
stress-ng: info: [4738] note: 16 cpus have scaling governors set to powersave and this may impact performance; setting /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor to 'performance' may improve performance
stress-ng: info: [4739] vm: using 256M per stressor instance (total 1G of 68.71G available memory)
stress-ng: metrc: [4738] stressor bogo ops real time usr time sys time bogo ops/s bogo ops/s
stress-ng: metrc: [4738] (secs) (secs) (secs) (real time) (usr+sys time)
stress-ng: metrc: [4738] vm 5847321 30.00 87.61 13.47 194904.28 57850.66
stress-ng: info: [4738] skipped: 0
stress-ng: info: [4738] passed: 4: vm (4)
stress-ng: info: [4738] failed: 0
stress-ng: info: [4738] metrics untrustworthy: 0
stress-ng: info: [4738] successful run completed in 30.00 secsThere is not big difference in |
So impact is visible but very low IMO? Talking about options -- need to define explicitly, defaults may be different in different configurations. |
In my minimal testing, I haven't observed any notable differences so far. |
a13b916 to
250cea4
Compare
- Enable PAGE_POISONING, INIT_ON_ALLOC_DEFAULT_ON, INIT_ON_FREE_DEFAULT_ON - Enable by default for all x86_64 platforms via hardware module - Update documentation to reflect build-time kernel configuration approach This provides runtime memory protection against information disclosure throughout system operation. Signed-off-by: vadik likholetov <vadikas@gmail.com>
250cea4 to
9d24bac
Compare
Summary
This PR implements secure memory wiping.
Usage