undefined | Better HN

0 pointssomanytta2y ago0 comments

It's not really a matter of need, more a matter of good hygiene.

Do you trust any modern OS not to accidently include sensitive information when it generates a crash report for an app and sends it off the some remote server in the background?

Isolation is a useful tool. In an ideal world it can be done perfectly at the OS level, but we don't live in that world.

0 comments

saagarjha2y ago

I agree that being able to isolate things that have different security domains is a useful tool. That said, I am not really seeing how pKVM provides useful primitives for much other than DRM, which has historically been the primary usecase for trusted execution that isolated VMs seem to provide.

somanyttaOP2y ago

Consider that, I want to be able to use a regular android OS, but I don't completely trust it, either its purposely malicious or just accidently going to leak info. So isolation is good in this case, its much easier to audit the mechanism of isolation rather than the whole OS.

The problem with DRM and "trusted computing" part is that it's under someone else's control, some central authority etc. From my reading of the docs on this, this is not the case with pVM, from https://source.android.com/docs/core/virtualization/security

> Data is tied to instances of a pVM, and secure boot ensures that access to an instance’s data can be controlled

> When a device is unlocked with fastboot oem unlock, user data is wiped.

> Once unlocked, the owner of the device is free to reflash partitions that are usually protected by verified boot, including partitions containing the pKVM implementation. Therefore, pKVM on an unlocked device won't be trusted to uphold the security model.

So my reading of this is that that it is under the users control, as long as they have the ability to unlock the bootloader, and reflash the device with their own images.

I'd love someone who is more knowledgeable to weigh in, but this tech, to me, doesn't seem that close to TPM/DRM type chips where there is no possibility of user control.

saagarjha2y ago

It is control in the sense that you can run your own applets I guess, but it is not control in the sense that you can necessarily inspect what the programs are doing, because once you reflash the device I'm sure the DRM programs will refuse to run.

nl2y ago

As I said in my other response, I make heavy use of trusted (confidential) VMs for machine learning in cloud environments.

There are also vendors that are doing smart contract execution in trusted computing devices so you can get the benefits of trusted execution without the overhead of everyone executing the same code.

saagarjha2y ago

There are a handful of potential uses for confidential VMs, but not many of them really seem to make sense on phones?

nl2y ago

The issue here isn't the technology though, it's imagination.

Think about gaming in VR. You might want to make a game where the ML can adapt to the physical peculiarities of a person (think like personalized audio for airpods) but want to guarantee it isn't giving the person an advantage. Even simple things like setting up a VR system (or any physical computing device) can give an advantage to someone if corruptible.

At the moment there are lots of "anti-cheat" technologies that attempt to solve this, but really it needs trusted execution.

sangnoir2y ago

I'd love for my banking app to be completely isolated from the rest of my phone OS, in case I get malware. I'm sure journalists at risk of targeting by NSO and its ilk would appreciate isolation or their messaging apps

saagarjha2y ago

This is an interesting usecase (basically Qubes) but it has high overhead and I don't really see the framework as being designed to support this, at least yet. You'd need to move all sorts of services into the VM to support the app (like, for example, someone needs to pass touch input and network traffic into the VM) and at this begins to look like an entire OS running in there.

rfoo2y ago

Qualcomm does have similar architecture deployed, here is their hypervisor: https://github.com/quic/gunyah-hypervisor.

AFAIK Qualcomm's implementation does include passing touch input / display into the VM and is marketed in similar term ("Trusted User Interface") to TEE-based techs, except they are not in S-EL0/1.

I've only seen this used in some really obscure scenario (cryptocurrency wallet) though.

j / k navigate · click thread line to collapse

0 comments

saagarjha2y ago

somanyttaOP2y ago

> Data is tied to instances of a pVM, and secure boot ensures that access to an instance’s data can be controlled

> When a device is unlocked with fastboot oem unlock, user data is wiped.

So my reading of this is that that it is under the users control, as long as they have the ability to unlock the bootloader, and reflash the device with their own images.

I'd love someone who is more knowledgeable to weigh in, but this tech, to me, doesn't seem that close to TPM/DRM type chips where there is no possibility of user control.

saagarjha2y ago

nl2y ago

As I said in my other response, I make heavy use of trusted (confidential) VMs for machine learning in cloud environments.

There are also vendors that are doing smart contract execution in trusted computing devices so you can get the benefits of trusted execution without the overhead of everyone executing the same code.

saagarjha2y ago

There are a handful of potential uses for confidential VMs, but not many of them really seem to make sense on phones?

nl2y ago

The issue here isn't the technology though, it's imagination.

At the moment there are lots of "anti-cheat" technologies that attempt to solve this, but really it needs trusted execution.

sangnoir2y ago

saagarjha2y ago

rfoo2y ago

Qualcomm does have similar architecture deployed, here is their hypervisor: https://github.com/quic/gunyah-hypervisor.

AFAIK Qualcomm's implementation does include passing touch input / display into the VM and is marketed in similar term ("Trusted User Interface") to TEE-based techs, except they are not in S-EL0/1.

I've only seen this used in some really obscure scenario (cryptocurrency wallet) though.

j / k navigate · click thread line to collapse