Current-Users archive


Re: FYI: vm.swap_encrypt

> Date: Mon, 11 May 2020 21:12:16 +0100
> From: Alexander Nasonov <alnsn%yandex.ru@localhost>
> 
> Taylor R Campbell wrote:
> > I just added a vm.swap_encrypt sysctl knob to enable or disable
> > encrypting data when written out to swap space.
> 
> A couple of notes related to swapctl(2):
> 
>  1) SWAP_STATS can be modified to return a status of encryption in
>     the se_flags member.

What would the status be?  That encryption was once enabled and at
least one page was written out encrypted?

At any given time, some pages may be encrypted while others are not.
We don't keep track of how many pages are encrypted and how many pages
are not, and it might be tricky to do so.  All that is easy to do,
without adding a lot more bookkeeping, is ascertain whether we have
generated an encryption key at all, meaning that at least one page was
swapped out while vm.swap_encrypt=1.

>  2) The encryption bit can be passed to SWAP_ON/SWAP_CTL but they
>     currently take an integer argument and it's reserved for a priority.

I thought about that but a vm.swap_encrypt sysctl knob was quicker to
implement without needing further thought or ABI compatibility work.

If you find a compelling reason to make it per-swapdev and want to
implement that, fine by me!
