Hello, In my system, sel4 is loaded by u-boot from an sd card that contains only an ELF image. I would like to store some sensitive data in plaintext for use in a non-vm component, but I worry that it can be read from the ELF image. Can this sd card data be accessed from within a linux vm instance? Or otherwise, is it certain that the vm cannot access this data? Best, Michael Neises
Sorry for the delayed response. The only way I can think your Linux VM can access the ELF image is if you configure the instance with pass-through access to the reader device. You can prevent the VM instance from having access to the SD card by ensuring you aren't passing through the untyped mmio's and irqs that correspond to the SD card reader device e.g. ensuring its not in either of the 'dtb', 'untyped_mmio' and 'irqs' fields in the vm component configuration (https://bitbucket.ts.data61.csiro.au/projects/SEL4PROJ/repos/camkes-arm-vm/b...). ________________________________ From: Devel <devel-bounces@sel4.systems> on behalf of Michael Neises <neisesmichael@gmail.com> Sent: Saturday, October 12, 2019 3:48 AM To: devel@sel4.systems <devel@sel4.systems> Subject: [seL4] Fwd: camkes vm question Hello, In my system, sel4 is loaded by u-boot from an sd card that contains only an ELF image. I would like to store some sensitive data in plaintext for use in a non-vm component, but I worry that it can be read from the ELF image. Can this sd card data be accessed from within a linux vm instance? Or otherwise, is it certain that the vm cannot access this data? Best, Michael Neises
Apologies, I attached an invalid link. Updated link - https://github.com/SEL4PROJ/camkes-arm-vm/blob/master/apps/vm_minimal/exynos... ________________________________ From: Felizzi, Alison (Data61, Kensington NSW) <Alison.Felizzi@data61.csiro.au> Sent: Friday, November 15, 2019 3:11 PM To: Michael Neises <neisesmichael@gmail.com>; devel@sel4.systems <devel@sel4.systems> Subject: Re: [seL4] Fwd: camkes vm question Sorry for the delayed response. The only way I can think your Linux VM can access the ELF image is if you configure the instance with pass-through access to the reader device. You can prevent the VM instance from having access to the SD card by ensuring you aren't passing through the untyped mmio's and irqs that correspond to the SD card reader device e.g. ensuring its not in either of the 'dtb', 'untyped_mmio' and 'irqs' fields in the vm component configuration (https://bitbucket.ts.data61.csiro.au/projects/SEL4PROJ/repos/camkes-arm-vm/b...). ________________________________ From: Devel <devel-bounces@sel4.systems> on behalf of Michael Neises <neisesmichael@gmail.com> Sent: Saturday, October 12, 2019 3:48 AM To: devel@sel4.systems <devel@sel4.systems> Subject: [seL4] Fwd: camkes vm question Hello, In my system, sel4 is loaded by u-boot from an sd card that contains only an ELF image. I would like to store some sensitive data in plaintext for use in a non-vm component, but I worry that it can be read from the ELF image. Can this sd card data be accessed from within a linux vm instance? Or otherwise, is it certain that the vm cannot access this data? Best, Michael Neises
participants (2)
-
Felizzi, Alison (Data61, Kensington NSW) -
Michael Neises