I was reviewing the documentation and noticed that ext2fs is mentioned as the protected filesystem, with integrity ensured by dm-verity. I have a few questions regarding this:
Does this imply that when using ext2fs, it is not possible to persist encrypted data from memory to disk?
If I want to persist data from memory to disk during runtime, does that mean hostfs is the only option?
It would be great if you could clarify how Mystikos handles the trade-off between integrity (via dm-verity) and encryption for disk persistence in these cases.
Thanks for your work on this project! Looking forward to your insights.
Yes, ext2fs only supports ephemeral writes, i.e. writes are lost when the enclave terminates.
The threat model becomes more complicated with supporting persistent writes. For one, the on-disk dm-verity roothash and Merkle tree would have to be updated.
ext2fs in Mystikos also comes in the dm-crypt flavor, where it might be easier to support persistent.
cc: @mikbras
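The point in the reply above about the roothash and Merkle tree, as an added example that is not part of the original thread or of Mystikos: a simplified binary SHA-256 tree over fixed-size blocks (an assumption; this is not dm-verity's on-disk format) showing that a write touching only the data fails verification, and that a full update produces a different root. All function names and the sample image are constructed for illustration.

```python
import hashlib

BLOCK = 4096  # data block size in this model (assumption)

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_tree(blocks):
    """Return hash levels: levels[0] = leaf hashes, levels[-1] = [root]."""
    assert len(blocks) & (len(blocks) - 1) == 0, "model needs a power-of-two block count"
    levels = [[_h(b) for b in blocks]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([_h(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def verify_block(index, block, levels, trusted_root):
    """Read path: hash the block, climb using stored sibling hashes, compare to root."""
    node = _h(block)
    for level in levels[:-1]:
        sibling = level[index ^ 1]
        node = _h(node + sibling) if index % 2 == 0 else _h(sibling + node)
        index //= 2
    return node == trusted_root

def write_block(index, block, blocks, levels):
    """Persistent write: store data, then rehash every node on the path to the root."""
    blocks[index] = block
    levels[0][index] = _h(block)
    for depth in range(1, len(levels)):
        index //= 2
        below = levels[depth - 1]
        levels[depth][index] = _h(below[2 * index] + below[2 * index + 1])
    return levels[-1][0]  # new root hash

def demo():
    blocks = [bytes([i]) * BLOCK for i in range(8)]  # constructed sample image
    levels = build_tree(blocks)
    trusted = levels[-1][0]                          # root fixed when the image was built
    ok_before = verify_block(3, blocks[3], levels, trusted)
    new_data = b"\xff" * BLOCK
    ok_data_only = verify_block(3, new_data, levels, trusted)  # data changed, tree not
    new_root = write_block(3, new_data, blocks, levels)        # data and tree updated
    ok_old_root = verify_block(3, blocks[3], levels, trusted)
    ok_new_root = verify_block(3, blocks[3], levels, new_root)
    return ok_before, ok_data_only, ok_old_root, ok_new_root, new_root != trusted
```

The last three results show the consequence: once a write changes the root, the build-time root hash no longer verifies the image, so the updated root would have to be kept somewhere the verifier trusts.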
Dear Mystikos team,
@ya0guang might also find this topic interesting.