Source-Changes-HG archive
[src/trunk]: src/sys/uvm uvm(9): Enable swap encryption by default.
details: https://anonhg.NetBSD.org/src/rev/b1709570712e
branches: trunk
changeset: 1021538:b1709570712e
user: riastradh <riastradh%NetBSD.org@localhost>
date: Thu Jun 03 20:18:06 2021 +0000
description:
uvm(9): Enable swap encryption by default.
For machines where the performance impact of swapping before the
system has an opportunity to process `vm.swap_encrypt=0' in
/etc/sysctl.conf, you can disable it again by adding
options VMSWAP_DEFAULT_PLAINTEXT
to the kernel config.
diffstat:
share/man/man4/options.4 | 12 +++++++++++-
sys/uvm/files.uvm | 3 ++-
sys/uvm/uvm_swap.c | 9 +++++++--
3 files changed, 20 insertions(+), 4 deletions(-)
diffs (78 lines):
diff -r 9a7cf4a7f802 -r b1709570712e share/man/man4/options.4
--- a/share/man/man4/options.4 Thu Jun 03 20:17:37 2021 +0000
+++ b/share/man/man4/options.4 Thu Jun 03 20:18:06 2021 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: options.4,v 1.518 2021/03/14 02:56:07 rin Exp $
+.\" $NetBSD: options.4,v 1.519 2021/06/03 20:18:06 riastradh Exp $
.\"
.\" Copyright (c) 1996
.\" Perry E. Metzger. All rights reserved.
@@ -2203,6 +2203,16 @@
.It Cd options VMSWAP
Enable paging device/file support.
This option is on by default.
+.It Cd options VMSWAP_DEFAULT_PLAINTEXT
+Store swap in plaintext, not encrypted, which may expose secrets if the
+underlying nonvolatile medium is disclosed.
+This option is off by default; it is available only for extremely slow
+machines where the performance impact of swapping early at boot
+outweighs the security risks.
+Swap encryption can still be turned on dynamically with the
+.Em vm.swap_encrypt
+.Xr sysctl 7
+knob.
.It Cd options PDPOLICY_CLOCKPRO
Use CLOCK-Pro, an alternative page replace policy.
.El
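Review bot: the new VMSWAP_DEFAULT_PLAINTEXT entry says the option "is available only for extremely slow machines", but a kernel option is available to any config; the intent is that it is only intended or recommended there, so "it is intended only for extremely slow machines where ..." reads more accurately. The entry also documents that encryption "can still be turned on dynamically" with vm.swap_encrypt but not what happens to pages that were already swapped out in plaintext before the knob is flipped; stating whether those remain in plaintext on the medium until they are paged in and written again would help an administrator judge the exposure window on a machine built with this option.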
diff -r 9a7cf4a7f802 -r b1709570712e sys/uvm/files.uvm
--- a/sys/uvm/files.uvm Thu Jun 03 20:17:37 2021 +0000
+++ b/sys/uvm/files.uvm Thu Jun 03 20:18:06 2021 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: files.uvm,v 1.36 2020/08/04 06:10:27 skrll Exp $
+# $NetBSD: files.uvm,v 1.37 2021/06/03 20:18:06 riastradh Exp $
#
# UVM options
@@ -8,6 +8,7 @@
defparam opt_uvmhist.h UVMHIST_MAPHIST_SIZE UVMHIST_PDHIST_SIZE
defflag opt_uvm.h UVMMAP_COUNTERS
defparam opt_uvm.h UVM_RESERVED_PAGES_PER_CPU
+defflag opt_vmswap.h VMSWAP_DEFAULT_PLAINTEXT
defflag opt_vmswap.h VMSWAP : aes
defflag opt_readahead.h READAHEAD_STATS
defflag opt_ubc.h UBC_STATS
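Review bot: this is a defflag, so config emits `#define VMSWAP_DEFAULT_PLAINTEXT 1` when the option is selected and nothing otherwise, which is consistent with the `#if VMSWAP_DEFAULT_PLAINTEXT` test in the uvm_swap.c hunk only because an undefined macro evaluates to 0 under `#if`; `#ifdef` is the usual idiom for defflag options in this file set (compare UVMMAP_COUNTERS and VMSWAP) and makes the boolean nature explicit. Also consider placing the new line directly after `defflag opt_vmswap.h VMSWAP : aes` so the two opt_vmswap.h flags sit together.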
diff -r 9a7cf4a7f802 -r b1709570712e sys/uvm/uvm_swap.c
--- a/sys/uvm/uvm_swap.c Thu Jun 03 20:17:37 2021 +0000
+++ b/sys/uvm/uvm_swap.c Thu Jun 03 20:18:06 2021 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: uvm_swap.c,v 1.204 2021/05/23 00:36:36 mrg Exp $ */
+/* $NetBSD: uvm_swap.c,v 1.205 2021/06/03 20:18:06 riastradh Exp $ */
/*
* Copyright (c) 1995, 1996, 1997, 2009 Matthew R. Green
@@ -30,11 +30,12 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvm_swap.c,v 1.204 2021/05/23 00:36:36 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_swap.c,v 1.205 2021/06/03 20:18:06 riastradh Exp $");
#include "opt_uvmhist.h"
#include "opt_compat_netbsd.h"
#include "opt_ddb.h"
+#include "opt_vmswap.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -210,7 +211,11 @@
/* tuneables */
u_int uvm_swapisfull_factor = 99;
+#if VMSWAP_DEFAULT_PLAINTEXT
bool uvm_swap_encrypt = false;
+#else
+bool uvm_swap_encrypt = true;
+#endif
/*
* prototypes
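Review bot: the `#if VMSWAP_DEFAULT_PLAINTEXT` / `#else` pair here should be `#ifdef` to match the defflag in files.uvm, and a one-line comment above it naming the option and pointing at the vm.swap_encrypt sysctl would save the next reader a trip to options(4). More importantly, with the default now `true` from compile time rather than set by a sysctl setter, the first swap-out can occur before any sysctl(7) handler has run (the commit message itself anticipates swapping before /etc/sysctl.conf is processed); this hunk shows only the default, not where the encryption key is generated, so confirm that the key-generation path is reached from the swap-out path and that it is seeded by the kernel entropy source early enough at boot, and reference that path in the comment.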