Secret Memory Areas For Linux Might Finally Be Ready With memfd_secret
In development for more than a year has been the ability to create secret memory areas on Linux that are visible only to the owning process and are not mapped for other processes or in the kernel page tables. That "memfd_secret" system call has finally materialized in Linux-Next and looks like it could be ready for mainline.
The memfd_secret system call is the new interface for creating secret memory areas on Linux, aimed at use-cases such as a user-space OpenSSL storing private keys: it reduces the chances that such keys are exposed while sitting in system memory on machines that have no hardware memory encryption to fall back on.
To keep memfd_secret from being abused, the ability to create secret memory areas is disabled by default unless a special option is passed at boot time: the secret memory functionality and the memfd_secret system call are hidden behind the "secretmem_enable" option, at least for the time being.
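As an added example (not code from the article or from the kernel patch series), the following C helper requests a secret memory area through the raw system call and, when the kernel predates it, the boot option described above was not passed, or a seccomp filter blocks the call, falls back to mlock'd anonymous memory so the caller can tell which protection it actually got. The syscall number 447, the `backing` enum and the `secret_buf` struct are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef SYS_memfd_secret
#define SYS_memfd_secret 447  /* assumption: x86_64/arm64 number from the 5.14 uapi, for older headers */
#endif
enum backing { BACK_NONE = 0, BACK_MEMFD_SECRET = 1, BACK_LOCKED_ANON = 2 };  /* how the buffer is backed */
struct secret_buf { void *ptr; size_t len; int fd; };
/* Prefer memfd_secret. ENOSYS means the kernel lacks it or secretmem was not enabled at boot;
 * EPERM usually means a seccomp filter (e.g. a container runtime) rejected it. In both cases
 * fall back to mlock'd anonymous memory, which is weaker: it stays in the kernel direct map
 * and is merely kept off swap and out of core dumps. Any other failure is reported as BACK_NONE. */
static enum backing secret_alloc(struct secret_buf *b, size_t len)
{
    b->ptr = NULL; b->len = 0; b->fd = -1;
    if (len == 0) { errno = EINVAL; return BACK_NONE; }
    long fd = syscall(SYS_memfd_secret, 0);
    if (fd >= 0) {
        void *p = MAP_FAILED;
        if (ftruncate((int)fd, (off_t)len) == 0)
            p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, (int)fd, 0);
        if (p == MAP_FAILED) { close((int)fd); return BACK_NONE; }  /* e.g. RLIMIT_MEMLOCK too low */
        b->ptr = p; b->len = len; b->fd = (int)fd; return BACK_MEMFD_SECRET;
    }
    if (errno != ENOSYS && errno != EPERM) return BACK_NONE;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return BACK_NONE;
    if (mlock(p, len) != 0 || madvise(p, len, MADV_DONTDUMP) != 0) { munmap(p, len); return BACK_NONE; }
    b->ptr = p; b->len = len; return BACK_LOCKED_ANON;
}
/* Wipe (explicit_bzero is not optimised away), unmap, and close the descriptor if there is one. */
static void secret_free(struct secret_buf *b)
{
    if (!b->ptr) return;
    explicit_bzero(b->ptr, b->len);
    munmap(b->ptr, b->len);
    if (b->fd >= 0) close(b->fd);
    b->ptr = NULL; b->len = 0; b->fd = -1;
}
/* Round-trip a constructed 32-byte sample key. Returns the backing used (0 if none), -1 on mismatch. */
static int secret_selftest(void)
{
    static const unsigned char key[32] = "constructed-sample-key-for-test";  /* constructed, not a secret */
    struct secret_buf b; enum backing how = secret_alloc(&b, 4096);
    if (how == BACK_NONE) return 0;
    memcpy(b.ptr, key, sizeof key); int ok = memcmp(b.ptr, key, sizeof key) == 0;
    secret_free(&b); return ok ? (int)how : -1;
}
```

A caller that insists on the direct-map-free guarantee should treat anything other than `BACK_MEMFD_SECRET` as a reason to refuse to load the key, rather than silently accept the weaker fallback.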
What's new to report on memfd_secret is that the system call worked its way into linux-next.git on Monday by way of Andrew Morton's tree. Given that, it's possible we will see this new secret memory area system call introduced as part of the upcoming Linux 5.13 cycle; at the very least, the feature is moving along and getting closer to mainline.
More details on the system call and the "secret" memory areas can be found via this patch message.