Post Syndicated from original https://lwn.net/Articles/865256/rss

The memfd_secret() system call has, in one form or another, been
covered here since February 2020. In the
beginning, it was a flag to memfd_create(),
but its functionality was later moved to a separate system call. There
have been many changes during this feature’s development, but its core
purpose remains the
same: allow a user-space process to create a range of memory that is
inaccessible to anybody else — kernel included. That memory can be used to
store cryptographic keys or any other data that must not be exposed to
others. This new system call was finally merged for the upcoming 5.14
release; what follows is a look at the form this call will take in the
mainline kernel.