Linux Kernel Seeing Work To Implement MEMFD "Secret Memory Areas"

There is experimental work pending that plumbs support into MEMFD for creating "secret" memory areas. This secret memory support would then be exposed to user-space for different use-cases.

This MEMFD "secret memory" support is about allowing memfd_create() to create memory areas from user-space only visible in the context of the owning process and is not mapped for other processes nor the kernel page tables. After using a new secret flag for memfd_create, the developer can then use an ioctl on the file descriptor to specify the desired protection mode.

This work is being led by IBM engineer Mike Rapoport who last year originally proposed a "MAP_EXCLUSIVE" flag for the Linux kernel memory management code to allow mappings that are visible only to the owning process. This secret memory support for memfd_create is an evolution to the same concept.

One of the intended use-case features for the secret memory areas would be wiring it up for OpenSSL's existing secure heap feature that can be used for storing private keys in more protected memory areas along with similar possibilities in other applications.

More details on this experimental "secret memory" support via this kernel mailing list patch.