Module process_protection

Process protection trait — spec LF4.

Per-platform abstraction that lets a Tier-0 software-KEK process protect the memory residency of its key material.

Three-platform implementation:

  • Linux: mlockall(MCL_CURRENT|MCL_FUTURE) for paging control, prctl(PR_SET_DUMPABLE, 0) for core-dump suppression, and prctl(PR_SET_PTRACER, 0) plus a yama.ptrace_scope advisory check for ptrace hardening.
  • macOS: setrlimit(RLIMIT_CORE, 0) and ptrace(PT_DENY_ATTACH); lock_memory() surfaces Unsupported because mlockall is absent on Darwin and per-region mlock requires address ranges that are only known to the caller (VM_MAKE_NOMAP is a region-level hint, not a process-global lock).
  • Windows: SetProcessWorkingSetSizeEx(... HARDWS_MIN_ENABLE) to pin the current working set against paging, SetErrorMode(SEM_NOGPFAULT...) to suppress fault-report dialogs, and an IsDebuggerPresent + CheckRemoteDebuggerPresent probe (Windows has no portable "deny attach" primitive; we detect + surface rather than prevent).

Runtime startup calls ProcessProtection::apply_all(); any per-step syscall failure surfaces as ProtectionError::SyscallFailed and bubbles up to RuntimeInitError::ProcessProtectionUnavailable.

Structs

ActiveImpl
Linux impl.

Enums

ProtectionError
Process protection application failure.

Traits

ProcessProtection
Platform-agnostic process protection interface.