Following Linux 5.13, Linux 5.14 will also support
the creation of secret memory areas. This function is implemented by memfd_secret(). memfd_secret() is a specialized system call, not an extension of memfd_create(), its purpose is to allow users to create a more secure memory map, rather than simply allowing file-based memory access. According to the description
, the secret memory area created by memfd_secret() is only visible to the owning process and will not be mapped to other processes or kernel page tables. Therefore, it can be used to store the private key for OpenSSL in the user space on Linux
, and reduce the possibility of the private key being exposed in the system memory when it is not protected by any other hardware encryption.
This work originated from IBM engineer Mike Rapoport. He proposed a “MAP_EXCLUSIVE” flag for the Linux kernel memory management code in 2019 to support the mapping that only the owning process can see. The secret memory support of memfd_secret() is an evolution of the same concept.
Currently, memfd_secret() support was merged as part of Andrew Morton’s patch on Friday. However, this version still disables access to memfd_secret() by default. You need to turn on the secretmem_enable option when you start the kernel to enable this feature.