Source-Changes-HG archive
[src/trunk]: src/share/man/man7 Document vm.swap_encrypt.
details: https://anonhg.NetBSD.org/src/rev/b3f262907b65
branches: trunk
changeset: 1009972:b3f262907b65
user: riastradh <riastradh%NetBSD.org@localhost>
date: Sun May 10 02:31:29 2020 +0000
description:
Document vm.swap_encrypt.
diffstat:
share/man/man7/sysctl.7 | 26 +++++++++++++++++++++++++-
1 files changed, 25 insertions(+), 1 deletions(-)
diffs (47 lines):
diff -r 853fcd8d350a -r b3f262907b65 share/man/man7/sysctl.7
--- a/share/man/man7/sysctl.7 Sun May 10 02:30:33 2020 +0000
+++ b/share/man/man7/sysctl.7 Sun May 10 02:31:29 2020 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: sysctl.7,v 1.144 2020/05/10 02:30:33 riastradh Exp $
+.\" $NetBSD: sysctl.7,v 1.145 2020/05/10 02:31:29 riastradh Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
@@ -2493,6 +2493,7 @@
.It vm.proc.map struct kinfo_vmentry no
.It vm.guard_size unsigned int no
.It vm.thread_guard_size unsigned int yes
+.It vm.swap_encrypt bool yes
.El
.Bl -tag -width "123456"
.It Li vm.anonmax ( Dv VM_ANONMAX )
@@ -2566,6 +2567,29 @@
.It Li vm.thread_guard_size
Return system wide default size for the guard area of all other threads
of a program.
+.It Li vm.swap_encrypt
+If true, encrypt data while swapped out to disk.
+.Pp
+Each swap device maintains an independent AES-256 key, generated when
+the first page is swapped to that device.
+Each page is swapped independently using AES-CBC, with an
+initialization vector chosen by the encryption under the AES-256 key of
+the little-endian swap slot number padded to 128 bits with zeros.
+(This is essentially the
+.Xr cgd 4
+.Sq encblkno1
+method.)
+.Pp
+Changes to
+.Li vm.swap_encrypt
+only affect pages of swap newly written out.
+To force encrypting or decrypting all existing swap, or to rekey
+previously encrypted swap, you can remove the swap devices and re-add
+them with
+.Xr swapctl 8 ,
+with the caveat that whatever pages were already written to disk
+unencrypted or encrypted with a compromised key may still be written to
+disk afterward.
.\" XXX vm.idlezero
.El
.Ss The ddb.* subtree ( Dv CTL_DDB )
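Review bot: the new vm.swap_encrypt entry never states the default value of the knob, which is the first thing a reader of this table will want to know; add a sentence giving the default (true or false) next to "If true, encrypt data while swapped out to disk." Two wording points in the same hunk: the IV sentence ("an initialization vector chosen by the encryption under the AES-256 key of the little-endian swap slot number padded to 128 bits with zeros") is hard to parse and would read better as "the IV for each page is the AES-256 encryption, under the same per-device key, of the 128-bit block formed by the little-endian swap slot number zero-padded to 128 bits"; and the closing caveat "may still be written to disk afterward" appears to mean that data already on disk remains there until overwritten, so "may remain on disk afterward" would say what is intended. Since the IV is a deterministic function of the key and slot number, rewriting the same page contents to the same slot yields the same ciphertext; it is worth saying so explicitly alongside the encblkno1 comparison so readers do not assume per-write freshness. Finally, "remove the swap devices and re-add them" could name the swapctl(8) -d and -a operations so the procedure is unambiguous.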