On 2017-08-07 19:24, Gustavo Lima Chaves wrote:
> With the new JAILHOUSE_CELL_CLEAR_MEM (struct jailhouse_cell_desc's)
> flag, Jailhouse will clean up all of the cell's *loadable* memory on its
> destruction, before handing that memory region back to the root cell.
> This prevents the latter from accessing data that the former wanted to
> keep private.
> One could argue that cells without a passive communication
> region (no JAILHOUSE_CELL_PASSIVE_COMMREG flag) could use a first
> attempt to kill them to do any desired cleanup. This does not cover the
> cases in which the cell developer still wants passive communication
> region (they don't want to bother adding code to read/write to the comms
> region address to their logic) but no data leaks whatsoever. This also
> covers the case in which a cell goes to parked state and never has the
> chance to do such cleanup: with the new flag, when destroyed the root
> cell will still be clueless of what happened there memory-wise.
I would buy the case of leaking data on crash - if you have a concrete
use case (I heard a couple of times about potential security use cases,
but I'm lacking a confirmation of an implementation). Can you elaborate?
However, I do not buy the reason "more convenient for cell developer"
because that is against the Jailhouse principle "keep the hypervisor
simple" (unless there is a strong reason).
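To make the mechanism under discussion concrete, here is an added, stand-alone model of the scrub step in a cell destroy path. It is illustration code written for this page, not Jailhouse's implementation: the flag bit values, the struct layouts and the simulated RAM are assumptions standing in for JAILHOUSE_CELL_CLEAR_MEM, JAILHOUSE_MEM_LOADABLE and the real cell descriptor. It shows what the flag buys: with it set, only the loadable regions are zeroed before the memory returns to the root cell, the communication region is left alone, and without it the cell's private data survives for the root cell to read.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative flag bits; the real JAILHOUSE_* values differ. */
#define CELL_CLEAR_MEM  (1u << 0)   /* models JAILHOUSE_CELL_CLEAR_MEM in the cell desc */
#define MEM_LOADABLE    (1u << 0)   /* models JAILHOUSE_MEM_LOADABLE on a memory region */

struct mem_region {
	uint8_t *base;      /* start of the region in our simulated RAM */
	size_t size;
	uint32_t flags;
};

struct cell_desc {
	uint32_t flags;
	size_t num_regions;
	struct mem_region *regions;
};

/* Model of the scrub step in the cell destroy path. Zeroes every
 * loadable region when the cell asked for it; non-loadable regions
 * (communication region, MMIO windows) are left alone. Returns the
 * number of bytes cleared so callers can audit what was wiped. */
size_t cell_destroy_clear_mem(const struct cell_desc *cell)
{
	size_t cleared = 0;

	if (!(cell->flags & CELL_CLEAR_MEM))
		return 0;

	for (size_t i = 0; i < cell->num_regions; i++) {
		const struct mem_region *r = &cell->regions[i];

		if (!(r->flags & MEM_LOADABLE))
			continue;
		/* Volatile store loop so the compiler cannot drop the wipe
		 * as a dead store once the region is considered freed. */
		volatile uint8_t *p = r->base;
		for (size_t j = 0; j < r->size; j++)
			p[j] = 0;
		cleared += r->size;
	}
	return cleared;
}

/* The root cell's view after destruction: does any non-zero byte survive? */
int region_has_residue(const struct mem_region *r)
{
	for (size_t i = 0; i < r->size; i++)
		if (r->base[i] != 0)
			return 1;
	return 0;
}

/* Constructed scenario: one loadable region holding secret material and
 * one non-loadable comm region. Returns 1 if the secret survives the
 * destroy path (a leak to the root cell), 0 if it was wiped, -1 if the
 * comm region was wrongly touched. */
int secret_survives_destroy(uint32_t cell_flags)
{
	static uint8_t ram[2][64];
	const char secret[] = "cell-private-key-material";

	memset(ram, 0, sizeof ram);
	memcpy(ram[0], secret, sizeof secret);
	ram[1][0] = 0x42;   /* comm region state, not private */

	struct mem_region regions[2] = {
		{ ram[0], sizeof ram[0], MEM_LOADABLE },
		{ ram[1], sizeof ram[1], 0 },
	};
	struct cell_desc cell = { cell_flags, 2, regions };

	cell_destroy_clear_mem(&cell);

	if (ram[1][0] != 0x42)
		return -1;
	return region_has_residue(&regions[0]);
}

int main(void)
{
	printf("with CLEAR_MEM: secret survives = %d\n",
	       secret_survives_destroy(CELL_CLEAR_MEM));
	printf("without CLEAR_MEM: secret survives = %d\n",
	       secret_survives_destroy(0));
	return 0;
}
```

The scrub is deliberately limited to regions flagged loadable, which is the distinction the quoted description draws: the comm region and device windows are shared state the root cell already sees, so wiping them buys nothing and could break the root cell's view.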