On 3 Jul 2020, at 4:04, Jann Horn wrote:
> > - Provides a simple mechanism to avoid RAM exfiltration during
> > traditional sleep/hibernate on a laptop or desktop when memory,
> > and thus secrets, are vulnerable to offline tampering or
> > inspection.
> For the first use case, I wonder which way around this would work
> better - do the wiping when a VM is saved, or do it when the VM is
> restored? I guess that at least in some scenarios, doing it on restore
> would be nicer because that way the hypervisor can always instantly
> save a VM without having to wait for the guest to say "alright, I'm
> ready" - especially if someone e.g. wants to take a snapshot of a
> running VM while keeping it running? Or do hypervisors inject such
> ACPI transitions every time they snapshot/save/restore a VM anyway?
Just to answer this - I’d expect wipe-after-save rather than
wipe-on-restore to be common for some. That provides the most defense
against secrets ending up on disk or some other durable medium when the
VM images are being saved.
-
Colm