On 11/19/21 05:47, Chao Peng wrote:
> From: "Kirill A. Shutemov" <kirill.shute...@linux.intel.com>
>
> The new seal type provides semantics required for KVM guest private
> memory support. A file descriptor with the seal set is going to be used
> as source of guest memory in confidential computing environments such as
> Intel TDX and AMD SEV.
>
> F_SEAL_GUEST can only be set on an empty memfd. After the seal is set
> userspace cannot read, write or mmap the memfd.
I don't have a strong objection here, but, given that you're only
supporting it for memfd, would a memfd_create() flag be more
straightforward? If nothing else, it would avoid any possible locking
issue.
I'm also very very slightly nervous about a situation in which one
program sends a memfd to an untrusted other process and that process
truncates the memfd and then F_SEAL_GUESTs it. This could be mostly
mitigated by also requiring that no other seals be set when F_SEAL_GUEST
happens, but the alternative MFD_GUEST would eliminate this issue too.
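The truncate-then-seal sequence raised above, as an added example that is not part of this thread and not code from the patch: F_SEAL_GUEST is only proposed here, so the program uses the seals that already exist in Linux (F_SEAL_SHRINK, F_SEAL_GROW, F_SEAL_WRITE, F_SEAL_SEAL) to show the same mechanics. A "sender" creates a non-empty memfd and hands it to an untrusted "receiver", which shrinks it to empty and then adds a seal of its own. Without preparation that succeeds; if the sender first adds F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_SEAL, both steps fail with EPERM. The fd handoff (SCM_RIGHTS) is not shown, both roles operate on one descriptor in one process, and the function names, the 4096-byte size and the "guest-mem" name are my own. Requires Linux with glibc 2.27 or newer for memfd_create().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added illustration, not from the patch or the thread. Linux only; needs
 * glibc >= 2.27 for memfd_create(). The SCM_RIGHTS handoff is not shown:
 * "sender" and "receiver" simply act on the same descriptor. */

#define PAYLOAD_SIZE 4096L  /* constructed: a non-empty guest-memory-like size */

/* Sender: create a memfd with sealing enabled and give it a non-zero size. */
static int sender_create_memfd(void)
{
    int fd = memfd_create("guest-mem", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    if (ftruncate(fd, PAYLOAD_SIZE) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Sender hardening: pin the size and forbid any further F_ADD_SEALS before
 * the descriptor leaves this process. */
static int sender_lock_before_handoff(int fd)
{
    return fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_SEAL);
}

/* Untrusted receiver: shrink the file to empty, then add a seal of its own.
 * Returns 1 if both steps succeeded, 0 if the kernel refused with EPERM
 * because an existing seal blocked the step, -1 on any other error. */
static int receiver_truncate_then_seal(int fd)
{
    if (ftruncate(fd, 0) < 0)
        return errno == EPERM ? 0 : -1;     /* blocked by F_SEAL_SHRINK */
    if (fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE) < 0)
        return errno == EPERM ? 0 : -1;     /* blocked by F_SEAL_SEAL */
    return 1;
}

static long memfd_size(int fd)
{
    struct stat st;
    return fstat(fd, &st) < 0 ? -1 : (long)st.st_size;
}

/* One handoff. `harden` selects whether the sender seals before handing off.
 * Returns the receiver's result; *size_after receives the final file size. */
static int run_handoff(int harden, long *size_after)
{
    int fd = sender_create_memfd();
    if (fd < 0)
        return -1;
    if (harden && sender_lock_before_handoff(fd) < 0) {
        close(fd);
        return -1;
    }
    int r = receiver_truncate_then_seal(fd);
    *size_after = memfd_size(fd);
    close(fd);
    return r;
}

int main(void)
{
    long sz;
    int r = run_handoff(0, &sz);
    printf("unsealed handoff:   receiver truncated+sealed=%d, size now %ld\n", r, sz);
    r = run_handoff(1, &sz);
    printf("pre-sealed handoff: receiver truncated+sealed=%d, size now %ld\n", r, sz);
    return 0;
}
```

Under the rule suggested above (refuse F_SEAL_GUEST when any other seal is already set), a sender that applies F_SEAL_SEAL before the handoff would also keep the receiver from adding F_SEAL_GUEST, so the kernel-side check and this userspace-side precaution give the same guarantee from opposite ends.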