Module Name: src
Committed By: riastradh
Date: Thu Jun 3 20:18:06 UTC 2021
Modified Files:
src/share/man/man4: options.4
src/sys/uvm: files.uvm uvm_swap.c
Log Message:
uvm(9): Enable swap encryption by default.
For machines where the performance impact of swapping before the
system has had an opportunity to process `vm.swap_encrypt=0' in
/etc/sysctl.conf is unacceptable, you can disable it again by adding
options VMSWAP_DEFAULT_PLAINTEXT
to the kernel config.
To generate a diff of this commit:
cvs rdiff -u -r1.518 -r1.519 src/share/man/man4/options.4
cvs rdiff -u -r1.36 -r1.37 src/sys/uvm/files.uvm
cvs rdiff -u -r1.204 -r1.205 src/sys/uvm/uvm_swap.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/share/man/man4/options.4
diff -u src/share/man/man4/options.4:1.518 src/share/man/man4/options.4:1.519
--- src/share/man/man4/options.4:1.518 Sun Mar 14 02:56:07 2021
+++ src/share/man/man4/options.4 Thu Jun 3 20:18:06 2021
@@ -1,4 +1,4 @@
-.\" $NetBSD: options.4,v 1.518 2021/03/14 02:56:07 rin Exp $
+.\" $NetBSD: options.4,v 1.519 2021/06/03 20:18:06 riastradh Exp $
.\"
.\" Copyright (c) 1996
.\" Perry E. Metzger. All rights reserved.
@@ -2203,6 +2203,16 @@ for details.
.It Cd options VMSWAP
Enable paging device/file support.
This option is on by default.
+.It Cd options VMSWAP_DEFAULT_PLAINTEXT
+Store swap in plaintext, not encrypted, which may expose secrets if the
+underlying nonvolatile medium is disclosed.
+This option is off by default; it is available only for extremely slow
+machines where the performance impact of swapping early at boot
+outweighs the security risks.
+Swap encryption can still be turned on dynamically with the
+.Em vm.swap_encrypt
+.Xr sysctl 7
+knob.
.It Cd options PDPOLICY_CLOCKPRO
Use CLOCK-Pro, an alternative page replace policy.
.El
Index: src/sys/uvm/files.uvm
diff -u src/sys/uvm/files.uvm:1.36 src/sys/uvm/files.uvm:1.37
--- src/sys/uvm/files.uvm:1.36 Tue Aug 4 06:10:27 2020
+++ src/sys/uvm/files.uvm Thu Jun 3 20:18:06 2021
@@ -1,4 +1,4 @@
-# $NetBSD: files.uvm,v 1.36 2020/08/04 06:10:27 skrll Exp $
+# $NetBSD: files.uvm,v 1.37 2021/06/03 20:18:06 riastradh Exp $
#
# UVM options
@@ -8,6 +8,7 @@ defflag opt_uvmhist.h UVMHIST_PRINT: KE
defparam opt_uvmhist.h UVMHIST_MAPHIST_SIZE UVMHIST_PDHIST_SIZE
defflag opt_uvm.h UVMMAP_COUNTERS
defparam opt_uvm.h UVM_RESERVED_PAGES_PER_CPU
+defflag opt_vmswap.h VMSWAP_DEFAULT_PLAINTEXT
defflag opt_vmswap.h VMSWAP : aes
defflag opt_readahead.h READAHEAD_STATS
defflag opt_ubc.h UBC_STATS
Index: src/sys/uvm/uvm_swap.c
diff -u src/sys/uvm/uvm_swap.c:1.204 src/sys/uvm/uvm_swap.c:1.205
--- src/sys/uvm/uvm_swap.c:1.204 Sun May 23 00:36:36 2021
+++ src/sys/uvm/uvm_swap.c Thu Jun 3 20:18:06 2021
@@ -1,4 +1,4 @@
-/* $NetBSD: uvm_swap.c,v 1.204 2021/05/23 00:36:36 mrg Exp $ */
+/* $NetBSD: uvm_swap.c,v 1.205 2021/06/03 20:18:06 riastradh Exp $ */
/*
* Copyright (c) 1995, 1996, 1997, 2009 Matthew R. Green
@@ -30,11 +30,12 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvm_swap.c,v 1.204 2021/05/23 00:36:36 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_swap.c,v 1.205 2021/06/03 20:18:06 riastradh Exp $");
#include "opt_uvmhist.h"
#include "opt_compat_netbsd.h"
#include "opt_ddb.h"
+#include "opt_vmswap.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -210,7 +211,11 @@ static struct workqueue *sw_reg_workqueu
/* tuneables */
u_int uvm_swapisfull_factor = 99;
+#if VMSWAP_DEFAULT_PLAINTEXT
bool uvm_swap_encrypt = false;
+#else
+bool uvm_swap_encrypt = true;
+#endif
/*
* prototypes