Current-Users archive


Re: FYI: vm.swap_encrypt



> Date: Mon, 11 May 2020 21:37:12 +0100
> From: Alexander Nasonov <alnsn%yandex.ru@localhost>
> 
> Taylor R Campbell wrote:
> > At any given time, some pages may be encrypted while others are not.
> > We don't keep track of how many pages are encrypted and how many pages
> > are not, and it might be tricky to do so.  All that is easy to do,
> > without adding a lot more bookkeeping, is ascertain whether we have
> > generated an encryption key at all, meaning that at least one page was
> > swapped out while vm.swap_encrypt=1.
> 
> I didn't realise that it can be a mix.

When you do `sysctl -w vm.swap_encrypt=1', there may be a lot of pages
already written out in plaintext -- only pages newly swapped out will
be encrypted.  And if you later do `sysctl -w vm.swap_encrypt=0',
there may be a lot of pages already written out in ciphertext for the
same reason.

Setting the sysctl knob does nothing to the pages that are already
written out -- that would be a lot of work to implement and it's not
clear it's worthwhile to do so; you can always just `swapctl -d /swap
&& swapctl -a /swap' to bring everything back into RAM and start over.
Or set it and forget it by putting `vm.swap_encrypt=1' in
/etc/sysctl.conf and rebooting.

> > If you find a compelling reason to make it per-swapdev and want to
> > implement that, fine by me!
> 
> I have no strong preference but if it was per-swapdev I could
> use existing KAUTH_SYSTEM_SWAPCTL instead of introducing a new
> KAUTH_SYSTEM_SWAP_ENCRYPT.

I figure the value of making it easy to implement and set up in the
first place outweighs the value of not having to introduce a new kauth
frobnozzle.

If anything, I would want any new swapctl option to _override_ the
global default in vm.swap_encrypt if specified, and to inherit it if
omitted -- which would require both kauth gizmos anyway.

