On 2017-08-07 19:24, Gustavo Lima Chaves wrote:
> With the new JAILHOUSE_CELL_CLEAR_MEM (struct jailhouse_cell_desc's)
> flag, Jailhouse will clean up all of the cell's *loadable* memory, on its
> destruction, before handing that memory region back to the root cell.
> This prevents the latter from accessing data that the former wanted to
> keep private.
>
> One could argue that cells without a passive communication
> region (no JAILHOUSE_CELL_PASSIVE_COMMREG flag) could use a first
> attempt to kill them to do any desired cleanup. This does not cover the
> cases in which the cell developer still wants a passive communication
> region (they don't want to bother adding code to read/write to the comms
> region address to their logic) but no data leaks whatsoever. This also
> covers the case in which a cell goes to parked state and never has the
> chance to do such cleanup: with the new flag, when destroyed, the root
> cell will still be clueless of what happened there memory-wise.
I would buy the case of leaking data on crash - if you have a concrete use case (I heard a couple of times about potential security use cases, but I'm lacking a confirmation of an implementation). Can you elaborate?

However, I do not buy the reason "more convenient for cell developer" because that is against the Jailhouse principle "keep the hypervisor simple" (unless there is a strong reason).

Jan
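To make the threat model of the proposed flag concrete, here is a small model of scrub-on-destroy, added here as an illustration of the thread and not code from Jailhouse or from either poster. It models a cell with one loadable region holding private data and one passive communication region, then destroys it with and without a flag standing in for JAILHOUSE_CELL_CLEAR_MEM and reports what a root cell reading the memory back would find. All names (MEM_LOADABLE, CELL_CLEAR_MEM, struct cell, cell_destroy) and the buffer sizes are assumptions of this model, not Jailhouse's real structures or API; the scrub uses volatile stores so the compiler cannot eliminate the clear as a dead store just before the memory changes hands.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of a cell and its memory regions.
 * The names follow the flags discussed in the thread, but this is NOT
 * Jailhouse's code or its real data structures. */
#define MEM_LOADABLE    (1u << 0)  /* region is loadable: holds the cell image/data */
#define MEM_COMM_REGION (1u << 1)  /* passive communication region, not loadable   */
#define CELL_CLEAR_MEM  (1u << 0)  /* stands in for JAILHOUSE_CELL_CLEAR_MEM        */

struct mem_region {
    uint8_t *base;     /* in this model: a host buffer, not guest-physical memory */
    size_t   size;
    uint32_t flags;
};

struct cell {
    uint32_t           flags;
    struct mem_region *regions;
    size_t             num_regions;
};

/* Scrub a region with volatile stores so the compiler cannot drop the clear
 * as a dead store right before the memory is handed back. */
static void scrub(uint8_t *p, size_t n)
{
    volatile uint8_t *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Destroy the cell: if it asked for CELL_CLEAR_MEM, zero every loadable
 * region before the root cell regains access. Returns bytes cleared. */
size_t cell_destroy(struct cell *c)
{
    size_t cleared = 0;

    if (!(c->flags & CELL_CLEAR_MEM))
        return 0;

    for (size_t i = 0; i < c->num_regions; i++) {
        struct mem_region *r = &c->regions[i];
        if (!(r->flags & MEM_LOADABLE))
            continue;            /* comm region and the like stay untouched */
        scrub(r->base, r->size);
        cleared += r->size;
    }
    return cleared;
}

/* Constructed scenario: a 64-byte loadable region filled with a "secret"
 * pattern and a 32-byte comm region. After destruction the root cell reads
 * both back; the out-parameters report whether the contents survived. */
static size_t run_scenario(uint32_t cell_flags, bool *secret_survives, bool *comm_survives)
{
    static uint8_t load_mem[64];
    static uint8_t comm_mem[32];
    struct mem_region regions[2] = {
        { load_mem, sizeof load_mem, MEM_LOADABLE },
        { comm_mem, sizeof comm_mem, MEM_COMM_REGION },
    };
    struct cell c = { cell_flags, regions, 2 };
    size_t cleared;

    memset(load_mem, 0x41, sizeof load_mem);   /* the cell's private data */
    memset(comm_mem, 0x5a, sizeof comm_mem);   /* comm region content     */

    cleared = cell_destroy(&c);

    /* What the root cell sees once the regions are mapped back to it. */
    *secret_survives = load_mem[0] == 0x41 && load_mem[sizeof load_mem - 1] == 0x41;
    *comm_survives   = comm_mem[0] == 0x5a;
    return cleared;
}

size_t scenario_cleared_bytes(uint32_t cell_flags)
{
    bool secret, comm;
    return run_scenario(cell_flags, &secret, &comm);
}

bool scenario_secret_leaks(uint32_t cell_flags)
{
    bool secret, comm;
    run_scenario(cell_flags, &secret, &comm);
    return secret;
}

bool scenario_comm_region_untouched(uint32_t cell_flags)
{
    bool secret, comm;
    run_scenario(cell_flags, &secret, &comm);
    return comm;
}

int main(void)
{
    printf("without flag: cleared=%zu secret_leaks=%d\n",
           scenario_cleared_bytes(0), scenario_secret_leaks(0));
    printf("with flag:    cleared=%zu secret_leaks=%d comm_untouched=%d\n",
           scenario_cleared_bytes(CELL_CLEAR_MEM), scenario_secret_leaks(CELL_CLEAR_MEM),
           scenario_comm_region_untouched(CELL_CLEAR_MEM));
    return 0;
}
```

The model only shows the mechanism; it says nothing about whether a crashed or parked cell has a real chance to scrub its own memory, which is exactly the question the reply above raises. Note also that only regions flagged loadable are scrubbed, so any private data a cell writes into a non-loadable region would still be visible to the root cell afterwards.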
