Linux 5.14 Can Create Secret Memory Areas With memfd_secret
The "memfd_secret" system call is being added to the Linux 5.14 kernel to provide the ability to create memory areas that are visible only in the context of the owning process and these "secret" memory regions are not mapped by other processes or the kernel page tables.
This work originated with the proposed secretmemfd work for secret memory on Linux and over the past year memfd_secret has been going through many rounds of review. The intended use-case for these secret memory areas is storing sensitive material such as OpenSSL private keys, to reduce the possibility that they are exposed in system memory when they cannot be protected by hardware encryption methods available on modern hardware.
Using memfd_secret means the memory areas will only be mapped in the page table of the processes that have access to the owning file descriptor and is unmapped from the kernel direct map.
Access to memfd_secret is disabled by default and requires the secretmem_enable boot time option when booting the kernel to enable this secret memory functionality.
The memfd_secret support for Linux 5.14 was merged on Friday as part of Andrew Morton's patches. The secret memory patches were created by IBM's Mike Rapoport.