
> don't clean up after a process exits

Exactly, the only guarantee is that things are zeroed before handing them out to a different process, but there is some potential time gap between releasing memory back to the kernel and it being cleaned, a gap which can outlive the life of a process.

> and you can get the contents of memory when you have kernel privileges. This is not so easy [..] as root

Yes, root has far fewer privileges than the kernel, but often can gain kernel privileges.

But this is where e.g. lockdown mode comes in, which denies the root user such privilege escalation (oversimplified, it's complicated). Main problem is that lockdown mode is not yet compatible with suspend to disk (hibernation), even though its documentation implies it is, if you have an encrypted hibernation. (This is misleading as it refers to a not yet existing feature where the kernel creates an encrypted image which is also tamper proof even if root tries to tamper. On the other hand, suspend to an encrypted partition is possible in Linux, but not enough for lockdown mode to work.)
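An added example, not part of the original comment: a small POSIX shell check of the two states discussed above, the active lockdown mode and whether the kernel currently offers suspend to disk. The function names are hypothetical; it assumes the kernel exposes the mode as the bracketed word in `/sys/kernel/security/lockdown` and omits `disk` from `/sys/power/state` when hibernation is unavailable.

```shell
#!/bin/sh
# Added example: report kernel lockdown mode and hibernation availability.

# Print the active lockdown mode given the contents of
# /sys/kernel/security/lockdown, e.g. "none [integrity] confidentiality".
# The active mode is the word in square brackets.
lockdown_mode() {
    case "$1" in
        *\[*\]*) m=${1#*\[}; printf '%s\n' "${m%%\]*}" ;;
        *)       printf 'unknown\n' ;;   # file missing or unexpected format
    esac
}

# Succeed if the contents of /sys/power/state list "disk" (suspend to disk).
hibernation_offered() {
    case " $1 " in
        *" disk "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# One-line summary from the two file contents.
summarize() {
    mode=$(lockdown_mode "$1")
    if hibernation_offered "$2"; then hib=yes; else hib=no; fi
    printf 'lockdown=%s hibernation=%s\n' "$mode" "$hib"
}

# Read the live files; both may be absent (no lockdown LSM, no sysfs).
report_live() {
    ld=$(cat /sys/kernel/security/lockdown 2>/dev/null) || ld=""
    st=$(cat /sys/power/state 2>/dev/null) || st=""
    summarize "$ld" "$st"
}

report_live
```

A result of `lockdown=none hibernation=yes` means root is not restricted by lockdown on that machine.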


