On 2017-08-07 19:24, Gustavo Lima Chaves wrote:
> With the new JAILHOUSE_CELL_CLEAR_MEM (struct jailhouse_cell_desc's)
> flag, Jailhouse will clean up all of the cell's *loadable* memory, on its
> destruction, before handing that memory region back to the root cell.
> This prevents the latter from accessing data that the former wanted to
> keep private.
> 
> One could argue that cells without a passive communication
> region (no JAILHOUSE_CELL_PASSIVE_COMMREG flag) could use a first
> attempt to kill them to do any desired cleanup. This does not cover the
> cases in which the cell developer still wants a passive communication
> region (they don't want to bother adding code to read/write to the comms
> region address to their logic) but no data leaks whatsoever. This also
> covers the case in which a cell goes to a parked state and never has the
> chance to do such cleanup: with the new flag, when it is destroyed the root
> cell will still be clueless about what happened there memory-wise.

I would buy the case of leaking data on crash - if you have a concrete
use case (I heard a couple of times about potential security use cases,
but I'm lacking a confirmation of an implementation). Can you elaborate?

However, I do not buy the reason "more convenient for cell developer"
because that is against the Jailhouse principle "keep the hypervisor
simple" (unless there is a strong reason).

Jan
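The destroy-time scrubbing Gustavo describes, as an added example that is not part of this thread or of Jailhouse's own code: a small C model in which a cell-descriptor flag (called CELL_CLEAR_MEM here, a hypothetical stand-in for the proposed JAILHOUSE_CELL_CLEAR_MEM) causes every region marked loadable to be zeroed before its ownership returns to the root cell, while non-loadable regions such as a communication region are handed back untouched. All struct and function names, the region layout and the sample contents are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative model (not Jailhouse code) of the semantics discussed above:
 * a cell descriptor carries a flag; on destruction, every region marked
 * loadable is zeroed before ownership returns to the root cell (id 0).
 * All names and layouts here are hypothetical.
 */
#define ROOT_CELL_ID     0
#define MEM_LOADABLE     (1u << 0)   /* region holds the cell's loaded image/data */
#define CELL_CLEAR_MEM   (1u << 0)   /* hypothetical stand-in for JAILHOUSE_CELL_CLEAR_MEM */

struct mem_region {
    uint8_t *base;
    size_t   size;
    uint32_t flags;
    int      owner;   /* id of the cell that currently owns the region */
};

struct cell {
    int                id;
    uint32_t           flags;
    struct mem_region *regions;
    size_t             num_regions;
};

/* Wipe that the compiler cannot elide: write through a volatile pointer. */
static void secure_zero(uint8_t *p, size_t n)
{
    volatile uint8_t *vp = p;
    while (n--)
        *vp++ = 0;
}

/*
 * Hand every region back to the root cell, scrubbing loadable ones first
 * when the cell asked for it. Non-loadable regions (e.g. a communication
 * region) are returned as-is, matching the "*loadable* memory" scope.
 */
void cell_destroy(struct cell *c)
{
    for (size_t i = 0; i < c->num_regions; i++) {
        struct mem_region *r = &c->regions[i];
        if ((c->flags & CELL_CLEAR_MEM) && (r->flags & MEM_LOADABLE))
            secure_zero(r->base, r->size);
        r->owner = ROOT_CELL_ID;
    }
}

/* 1 if any byte of the region is non-zero, i.e. data survived destruction. */
int region_has_residue(const struct mem_region *r)
{
    for (size_t i = 0; i < r->size; i++)
        if (r->base[i] != 0)
            return 1;
    return 0;
}

/*
 * Build a cell with a loadable region holding a constructed "secret" fill
 * and a non-loadable region holding a constructed marker fill, destroy it
 * with the given flags, and report a bitmask:
 *   bit 0 = loadable residue, bit 1 = non-loadable residue,
 *   bit 2 = some region was not returned to the root cell.
 */
int destroy_and_check(uint32_t cell_flags)
{
    uint8_t load_buf[64], comm_buf[16];
    memset(load_buf, 0xA5, sizeof load_buf);   /* constructed secret data */
    memset(comm_buf, 0x5A, sizeof comm_buf);   /* constructed comm-region data */

    struct mem_region regions[2] = {
        { load_buf, sizeof load_buf, MEM_LOADABLE, 1 },
        { comm_buf, sizeof comm_buf, 0,            1 },
    };
    struct cell c = { 1, cell_flags, regions, 2 };

    cell_destroy(&c);

    int result = 0;
    if (region_has_residue(&regions[0])) result |= 1;
    if (region_has_residue(&regions[1])) result |= 2;
    for (size_t i = 0; i < 2; i++)
        if (regions[i].owner != ROOT_CELL_ID) result |= 4;
    return result;
}

int main(void)
{
    printf("without flag: residue mask %d\n", destroy_and_check(0));
    printf("with flag:    residue mask %d\n", destroy_and_check(CELL_CLEAR_MEM));
    return 0;
}
```

Without the flag the loadable region comes back to the root cell with its contents intact; with it, only the non-loadable communication region still carries data, which is the distinction the proposal draws. In a real hypervisor the zeroing has to happen while the region is still mapped only to the hypervisor, before it is remapped into the root cell, and it must use a write the compiler cannot drop, hence the volatile loop rather than a plain memset on memory that is never read again.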
