On 07/17/2018 04:20 AM, Kirill A. Shutemov wrote: > Zero page is not encrypted and putting it into encrypted VMA produces > garbage. > > We can map zero page with KeyID-0 into an encrypted VMA, but this would > be violation security boundary between encryption domains.
Why? How is it a violation? It only matters if they write secrets. They can't write secrets to the zero page. Is this only because you accidentally inherited ->vm_page_prot on the zero page PTE?
