
This is interesting, but how do you bootstrap it? How does this little software enclave get key material in that doesn't transit untrusted memory? From a file? I guess the attacker this is guarding against can read parts of memory remotely but doesn't have RCE. Seems like a better approach would be an explicitly separate allocator and message-passing boundaries. Maybe a new way to launch an isolated goroutine with limited copying channels.




> How does this little software enclave get key material in that doesn't transit untrusted memory?

Linux has memfd_secret (https://man7.org/linux/man-pages/man2/memfd_secret.2.html), which allows you to create a secure memory region that can't be directly mapped into regular RAM.
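Added example (not from the thread, and not code from the project being discussed): the memfd_secret(2) call sequence in C, with a probe that tries to read the region back through /proc/self/mem, which is the same GUP-based path ptrace and debuggers use. It assumes Linux 5.14 or later booted with `secretmem.enable=1`; on any other kernel the syscall fails with ENOSYS and the code reports the region as unavailable rather than crashing. The 32-byte key is constructed test data, and the syscall number 447 is only defined as a fallback for older libc headers.

```c
/* Added example: key storage in secretmem via memfd_secret(2).
 * Assumes Linux >= 5.14 with secretmem.enable=1; otherwise reports UNAVAILABLE. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_memfd_secret
#define SYS_memfd_secret 447   /* fallback for old headers; same number on all architectures */
#endif

enum { SECRET_OK = 1, SECRET_UNAVAILABLE = 0, SECRET_BUG = -1 };

struct secret_buf { int fd; void *ptr; size_t len; };

/* Create a secretmem fd, set its size, and map it MAP_SHARED (secretmem rejects
 * private mappings). Returns 0, or -1 with errno set. */
static int secret_buf_open(struct secret_buf *sb, size_t len)
{
    int fd = (int)syscall(SYS_memfd_secret, 0U);
    if (fd < 0)
        return -1;
    void *p = MAP_FAILED;
    if (ftruncate(fd, (off_t)len) == 0)
        p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    sb->fd = fd; sb->ptr = p; sb->len = len;
    return 0;
}

/* Wipe, unmap and close; the pages are released once the last mapping and fd are gone. */
static void secret_buf_close(struct secret_buf *sb)
{
    explicit_bzero(sb->ptr, sb->len);
    munmap(sb->ptr, sb->len);
    close(sb->fd);
    sb->ptr = NULL; sb->fd = -1; sb->len = 0;
}

/* Try to read [addr, addr+len) through /proc/self/mem. Returns 1 if readable,
 * 0 if the kernel refuses (secretmem pages cannot be pinned, so the read fails),
 * -1 if /proc/self/mem cannot be opened at all. */
static int proc_mem_readable(const void *addr, size_t len)
{
    uint8_t tmp[64];
    int fd = open("/proc/self/mem", O_RDONLY);
    if (fd < 0)
        return -1;
    if (len > sizeof tmp)
        len = sizeof tmp;
    ssize_t n = pread(fd, tmp, len, (off_t)(uintptr_t)addr);
    close(fd);
    return n == (ssize_t)len ? 1 : 0;
}

/* Control case: ordinary process memory is visible through /proc/self/mem. */
int ordinary_memory_readable_via_proc(void)
{
    static uint8_t plain[32] = { 0x41 };
    return proc_mem_readable(plain, sizeof plain);
}

/* Store a constructed key in secretmem, confirm it reads back through our own
 * mapping, and confirm /proc/self/mem cannot read it. */
int secret_key_roundtrip(void)
{
    static const uint8_t key[32] = {   /* constructed test key, not real material */
        0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,
        0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff };
    struct secret_buf sb;
    if (secret_buf_open(&sb, sizeof key) < 0) {
        switch (errno) {
        case ENOSYS:              /* kernel < 5.14, or booted without secretmem.enable=1 */
        case EPERM:               /* seccomp policy (common in containers) denies the syscall */
        case EAGAIN: case ENOMEM: /* RLIMIT_MEMLOCK exhausted or no free memory */
            return SECRET_UNAVAILABLE;
        default:
            return SECRET_BUG;
        }
    }
    memcpy(sb.ptr, key, sizeof key);
    int same   = memcmp(sb.ptr, key, sizeof key) == 0;
    int leaked = proc_mem_readable(sb.ptr, sb.len) == 1;
    secret_buf_close(&sb);
    return (same && !leaked) ? SECRET_OK : SECRET_BUG;
}

int main(void)
{
    int r = secret_key_roundtrip();
    printf("ordinary buffer readable via /proc/self/mem: %d\n",
           ordinary_memory_readable_via_proc());
    printf("secretmem: %s\n",
           r == SECRET_OK ? "key stored and hidden from /proc/self/mem"
           : r == SECRET_UNAVAILABLE ? "unavailable on this kernel (needs secretmem.enable=1)"
           : "unexpected failure");
    return r == SECRET_BUG;
}
```

Two caveats a practitioner will hit: secretmem is disabled by default and must be turned on at boot, and its pages are locked, so they count against RLIMIT_MEMLOCK and hibernation is refused while any such fd exists. What the region buys you is resistance to readers that go through the kernel's page pinning (ptrace, /proc/pid/mem, process_vm_readv, DMA); the bootstrap question raised above still stands, since the key bytes have to be copied in from somewhere.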



