Blindfold: Confidential Memory Management by Untrusted Operating System
Caihua Li, Seung-seob Lee, Lin Zhong

TL;DR
Blindfold introduces a confidential memory management system that enables untrusted operating systems to handle confidential data securely without encryption, maintaining performance and minimal trusted computing base on ARMv8-A/Linux.
Contribution
Blindfold proposes a novel design built around a Guardian component that mediates memory access, uses capabilities, and provides a secure ABI, enabling confidential memory management with minimal kernel modifications.
Findings
Blindfold has a smaller runtime TCB than related systems.
It enables the Linux kernel to manage confidential memory with minimal modifications.
It achieves competitive performance while maintaining confidentiality.
Abstract
Confidential Computing (CC) has received increasing attention in recent years as a mechanism to protect user data from untrusted operating systems (OSes). Existing CC solutions hide confidential memory from the OS and/or encrypt it to achieve confidentiality. In doing so, they render OS memory optimization unusable or complicate the trusted computing base (TCB) required for optimization. This paper presents our results toward overcoming these limitations, synthesized in a CC design named Blindfold. Like many other CC solutions, Blindfold relies on a small trusted software component running at a higher privilege level than the kernel, called Guardian. It features three techniques that can enhance existing CC solutions. First, instead of nesting page tables, Guardian mediates how the OS accesses memory and handles exceptions by switching page and interrupt tables. Second, Blindfold…
Taxonomy
Topics: Security and Verification in Computing · Digital and Cyber Forensics · Advanced Malware Detection Techniques
