Linux's memfd_secret system call has landed in the linux-next branch, and it may be merged into mainline for Linux 5.13.
The feature has been in development for more than a year. The memfd_secret() system call creates a "secret" memory area on Linux that is visible only to the owning process: it is not mapped into other processes, and its pages are removed from the kernel's own page tables (the direct map), so the memory is not reachable through ordinary kernel pointers either. One intended use is a userspace secret area for OpenSSL on Linux to hold private keys, reducing the chance that key material is exposed from system memory when no hardware memory encryption protects it.
However, to keep memfd_secret() from being abused, creating secret memory areas is disabled by default unless a special option is passed at boot. Currently both the secret memory feature and the memfd_secret() system call require the "secretmem_enable" boot option to be set; on a kernel without it the call simply fails as if the system call did not exist.
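The following added example (not code from the original article or from the kernel patch series) shows how a userspace program would use the call to hold key material: obtain a descriptor from memfd_secret(), set its size once with ftruncate(), mmap() it MAP_SHARED, wipe before releasing. Because secret memory is disabled by default, the syscall returns ENOSYS on such kernels (and on kernels that lack it altogether); the example makes the caller choose whether to fall back to an mlock()ed, MADV_DONTDUMP anonymous mapping or to fail loudly. The enum and struct names, the `secret_buf_*` helpers and the 32-byte sample key are this example's own assumptions; the syscall number 447 is the one assigned on the common architectures and is only used when the libc headers do not define `__NR_memfd_secret`.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* New system calls get the same number on every common architecture;
 * memfd_secret is 447. Older libc headers may not define it yet. */
#ifndef __NR_memfd_secret
#define __NR_memfd_secret 447
#endif

enum secret_backing {
    SECRET_NONE = 0,
    SECRET_MEMFD_SECRET, /* pages removed from the kernel direct map */
    SECRET_LOCKED_ANON   /* fallback: mlock()ed + MADV_DONTDUMP anonymous pages */
};

struct secret_buf {
    void *ptr;
    size_t len;          /* rounded up to whole pages */
    int fd;              /* memfd_secret descriptor, or -1 for the fallback */
    enum secret_backing backing;
};

/* Overwrite through a volatile pointer so the compiler cannot elide it. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

static int alloc_secretmem(struct secret_buf *b)
{
    /* Only O_CLOEXEC is accepted in flags; anything else is EINVAL. */
    int fd = (int)syscall(__NR_memfd_secret, O_CLOEXEC);
    if (fd < 0)
        return -errno;   /* ENOSYS: no such syscall, or secretmem disabled */
    /* The size of a secret file can be set exactly once, before mapping. */
    if (ftruncate(fd, (off_t)b->len) < 0)
        goto fail;
    /* The mapping must be MAP_SHARED. The VMA is forced VM_LOCKED|VM_DONTDUMP,
     * so the area counts against RLIMIT_MEMLOCK (EAGAIN when exceeded), and
     * read()/write() on the descriptor are not supported: mmap is the only way in. */
    b->ptr = mmap(NULL, b->len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (b->ptr == MAP_FAILED)
        goto fail;
    b->fd = fd;
    b->backing = SECRET_MEMFD_SECRET;
    return 0;
fail: {
        int err = errno;
        close(fd);
        b->ptr = NULL;
        return -err;
    }
}

static int alloc_locked_anon(struct secret_buf *b)
{
    b->ptr = mmap(NULL, b->len, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (b->ptr == MAP_FAILED) {
        b->ptr = NULL;
        return -errno;
    }
    /* Best effort only: keeps the key out of swap and core dumps, but unlike
     * memfd_secret memory the kernel can still read these pages. */
    (void)mlock(b->ptr, b->len);
    (void)madvise(b->ptr, b->len, MADV_DONTDUMP);
    b->backing = SECRET_LOCKED_ANON;
    return 0;
}

/* Returns 0 on success or -errno. With allow_fallback == 0 the caller gets an
 * error instead of ordinary memory when secret memory is unavailable. */
int secret_buf_alloc(struct secret_buf *b, size_t len, int allow_fallback)
{
    long page = sysconf(_SC_PAGESIZE);
    memset(b, 0, sizeof(*b));
    b->fd = -1;
    if (len == 0 || page <= 0)
        return -EINVAL;
    b->len = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;
    int rc = alloc_secretmem(b);
    if (rc == 0 || !allow_fallback)
        return rc;
    return alloc_locked_anon(b);
}

/* Wipe, unmap and close. Returns 0 or -errno. */
int secret_buf_free(struct secret_buf *b)
{
    if (!b->ptr)
        return -EINVAL;
    wipe(b->ptr, b->len);
    int rc = munmap(b->ptr, b->len);
    int err = errno;
    if (b->fd >= 0)
        close(b->fd);
    memset(b, 0, sizeof(*b));
    b->fd = -1;
    return rc == 0 ? 0 : -err;
}

int main(void)
{
    struct secret_buf b;
    int rc = secret_buf_alloc(&b, 32, 1);
    if (rc) {
        fprintf(stderr, "alloc: %s\n", strerror(-rc));
        return 1;
    }
    /* Constructed sample key, not real key material. */
    memcpy(b.ptr, "constructed-32-byte-key-material", 32);
    printf("backing: %s\n", b.backing == SECRET_MEMFD_SECRET
                                ? "memfd_secret" : "locked anonymous (fallback)");
    return secret_buf_free(&b) == 0 ? 0 : 1;
}
```

Run it on a kernel with secret memory enabled and the program reports `memfd_secret`; on a default kernel, or under a seccomp profile that blocks the call, the same program falls back and says so. A key-handling library would normally call `secret_buf_alloc(..., 0)` and treat the error as a configuration problem rather than silently downgrading.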
The work is led by IBM engineer Mike Rapoport, who in 2019 first proposed a "MAP_EXCLUSIVE" flag for the Linux kernel memory management code to support mappings that only the owning process can see. The secret memory support is an evolution of the same concept. memfd_secret() was made a separate system call rather than an extension of memfd_create() because its purpose is to let users create safer memory mappings, not simply to provide another form of file-backed memory access.