On Wed, 5 Nov 2014 15:45:14 +0500
Valentine Sinitsyn <valentine...@gmail.com> wrote:
> Hi Henning
>
> On 05.11.2014 15:24, Henning Schild wrote:
> > I think that this behaviour breaks isolation. After a "cell destroy"
> > Linux is probably able to read back whatever the cell left in its
> IIRC Linux can do this anytime, as the inmates' memory is mapped to the root
> cell (otherwise the root cell won't be able to load the inmate binary).
> Could probably be worked around with JAILHOUSE_MEM_WRITE-only
> permissions.
I also thought about write-only for solving parts of the problem. But
not every architecture allows you to model that.
> Otherwise I agree that looking after sensitive data is the data owner's
> (i.e. inmate's) job. It's a bit of a problem that Linux can read inmate
> memory anytime though.
While the cell is running Linux does not have access to the loadable
area anymore (see cell_start() in control.c). All the other memory
regions you assign to non-root cells should not be assigned to Linux in
the first place.
Henning