mberry
commented
1 year ago Will put this in the "nice things to have" basket, end users should probably be more holistic about memfd usage if they are already utilising it.
Closing for lack of interest. Happy to reopen if someone is keen.
So this is an investigative issue looking into a feature that implements memfd support for Linux and Android platforms. This can offer additional side-channel protection, though it isn't immune to kernel exploits.
Essentially returning a file descriptor instead of a keypair and then running the encapsulation/encapsulation on that is the preliminary starting point here.
Additional reading:
https://lwn.net/Articles/812325/
https://lwn.net/Articles/918106/