
x/sys/unix: add memfd_secret systemcall #51547

Closed
awnumar opened this issue Mar 8, 2022 · 13 comments
Labels
FrozenDueToAge help wanted NeedsFix The path to resolution is known, but the work has not been done.
Milestone

Comments

@awnumar
Contributor

awnumar commented Mar 8, 2022

Linux kernel version 5.14 added the memfd_secret syscall to allow processes to create memory regions that even the kernel itself cannot access. It'd be very useful to have this system-call available in sys/unix.

I see that there's currently a SYS_MEMFD_SECRET = 447 signal defined here, but I'm not sure how this is related to the system-call

@gopherbot gopherbot added this to the Proposal milestone Mar 8, 2022
@ianlancetaylor
Contributor

In general we don't require a proposal for adding a simple system call to x/sys/unix, and memfd_create is a simple system call. Taking this out of the proposal process.

@ianlancetaylor ianlancetaylor added help wanted NeedsFix The path to resolution is known, but the work has not been done. and removed Proposal labels Mar 8, 2022
@ianlancetaylor ianlancetaylor modified the milestones: Proposal, Backlog Mar 8, 2022
@awnumar
Contributor Author

awnumar commented Mar 8, 2022

My apologies. I thought it fit more than the other issue options

and memfd_create is a simple system call

memfd_create is already in x/sys/unix. This issue is about adding memfd_secret

@awnumar awnumar changed the title proposal: x/sys/unix: add memfd_secret systemcall x/sys/unix: add memfd_secret systemcall Mar 8, 2022
@ianlancetaylor
Contributor

Sorry, I meant to write memfd_secret.

@ericlagergren
Contributor

ericlagergren commented Apr 3, 2022

I see that there's currently a SYS_MEMFD_SECRET = 447 signal defined here, but I'm not sure how this is related to the system-call

FYI, until a MemfdSecret gets added: https://go.dev/play/p/Lv9D8pg-5mt
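The raw-syscall workaround referred to above, written out as an added example (not the playground code from the thread and not x/sys code): it assumes syscall number 447 on linux/amd64 and linux/arm64, the value quoted in the thread, and treats ENOSYS as the kernel having secretmem disabled.

```go
package main

import (
	"os"
	"syscall"
)

// memfd_secret syscall number on linux/amd64 and linux/arm64 (assumed from
// the SYS_MEMFD_SECRET = 447 value quoted in the thread).
const sysMemfdSecret = 447

// memfdSecret invokes memfd_secret(2) directly; the only valid flag is
// FD_CLOEXEC. ENOSYS means CONFIG_SECRETMEM is off or secretmem.enable=0.
func memfdSecret(flags uintptr) (int, error) {
	fd, _, errno := syscall.Syscall(sysMemfdSecret, flags, 0, 0)
	if errno != 0 {
		return -1, errno
	}
	return int(fd), nil
}

// secretRoundTrip sizes the region to one page, maps it MAP_SHARED (secretmem
// rejects private mappings), stores a constructed secret, checks the read-back
// and zeroes the page before unmapping. Pages of this mapping are removed from
// the kernel direct map, so a stray kernel-side read of them faults.
func secretRoundTrip(secret []byte) (bool, error) {
	fd, err := memfdSecret(syscall.FD_CLOEXEC)
	if err != nil {
		return false, err
	}
	defer syscall.Close(fd)
	size := os.Getpagesize()
	if err := syscall.Ftruncate(fd, int64(size)); err != nil {
		return false, err
	}
	prot := syscall.PROT_READ | syscall.PROT_WRITE
	mem, err := syscall.Mmap(fd, 0, size, prot, syscall.MAP_SHARED)
	if err != nil {
		return false, err // EAGAIN: RLIMIT_MEMLOCK too low for one page
	}
	defer syscall.Munmap(mem)
	n := copy(mem, secret)
	ok := n == len(secret) && string(mem[:n]) == string(secret)
	for i := range mem[:n] {
		mem[i] = 0 // wipe plaintext before the page is released
	}
	return ok, nil
}
```

Build on linux/amd64 or linux/arm64 only; other GOARCH values need their own syscall number, which is exactly the riscv64 gap discussed later in the thread.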

@ericlagergren
Contributor

I think @gopherbot is taking the day off. Solved by CL 397774 (golang/sys@b1e9470).

@nadoo

nadoo commented Apr 5, 2022

Hi @ericlagergren, there's no SYS_MEMFD_SECRET defined in zsysnum_linux_riscv64.go, so we'll get an error when building for riscv64:

../../../go/pkg/mod/golang.org/x/sys@v0.0.0-20220405052023-b1e9470b6e64/unix/zsyscall_linux_riscv64.go:184:23: undefined: SYS_MEMFD_SECRET

@ericlagergren
Contributor

@nadoo thanks, sorry about that.

@ianlancetaylor I’ll send a new CL limiting this to just arm64 and amd64 Linux, then.

@ericlagergren
Contributor

Sent https://go-review.googlesource.com/c/sys/+/398514

@awnumar
Contributor Author

awnumar commented Apr 5, 2022

@ericlagergren thanks for adding this.

Sent https://go-review.googlesource.com/c/sys/+/398514

Is the right solution here to remove memfd_secret from riscv64, or can SYS_MEMFD_SECRET be added to zsysnum_linux_riscv64.go instead?

I think that would require a riscv64 system (perhaps emulated) to generate the updated file though, so it could be left as a future enhancement.

@ianlancetaylor
Contributor

We don't require a riscv64 system to regenerate the files. They are generated for all Linux architectures at once as outlined in x/sys/unix/README. If there isn't a SYS_MEMFD_SECRET system call for riscv64 then it works in some other way on that platform, or doesn't exist at all.

@tklauser
Member

tklauser commented May 5, 2022

SYS_MEMFD_SECRET is currently not generated for riscv64 because it looks like __NR_memfd_secret is not defined in the kernel's uapi headers for riscv. This was possibly an oversight when adding the syscall and I've sent a patch to add it. Once the patch is accepted upstream and in a released version, we should be able to generate SYS_MEMFD_SECRET on riscv64 as well.

@gopherbot

Change https://go.dev/cl/411375 mentions this issue: unix/linux: update to Linux kernel 5.19-rc1

@gopherbot

Change https://go.dev/cl/411376 mentions this issue: unix: add MemfdSecret on linux/riscv64

gopherbot pushed a commit to golang/sys that referenced this issue Jun 15, 2022
Update to 5.19-rc2 instead of 5.18 for the following reasons:

- Support for LoongArch has been merged upstream. This allows to drop
  the loong64 specific kernel patches.
- Fixes [1] an issue encountered when generating the
  SOCK_TXREHASH_DEFAULT constant from linux/socket.h on 5.18
- Contains a fix [2] to provide SYS_MEMFD_SECRET on linux/riscv64 as
  well. The underlying syscall was already available in earlier kernel
  versions. Also see golang/go#51547.

[1] https://lore.kernel.org/r/20220531094345.13801-1-tklauser@distanz.ch
[2] https://lore.kernel.org/r/20220505081815.22808-1-tklauser@distanz.ch

Change-Id: I6c3ec30a067eae339c443ee55962d94c84feffd9
Reviewed-on: https://go-review.googlesource.com/c/sys/+/411375
Auto-Submit: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
@golang golang locked and limited conversation to collaborators Jun 15, 2023