Many modern confidential computing systems rely on RAM (memory) encryption to protect sensitive data.
Research such as BadRAM and Battering RAM shows that DRAM attacks can bypass certain protections.
Why doesn’t PlugOS support RAM encryption? Isn’t it necessary against advanced physical attacks?
Short answer:
RAM encryption does not provide meaningful security benefits under the PlugOS threat model.
This is a deliberate design decision, not a missing feature.
DRAM attacks such as BadRAM or Battering RAM fundamentally assume that an attacker can manipulate the memory subsystem after the system has already booted.
In PlugOS, this state is not reachable.
For any DRAM-based attack to be applicable, an attacker must first:
Possess the physical PlugOS device
Pass device authentication
Pass user authentication
Complete the PlugOS secure boot sequence
Only after these steps does DRAM contain meaningful runtime state.
If an attacker has already passed device authentication, user authentication, and verified boot, they effectively own the device and the operating system.
At that stage:
The attacker does not need a DRAM attack
RAM encryption provides no additional protection
System state can already be observed or manipulated through legitimate execution paths
This is not unique to PlugOS.
It is a well-known limitation of memory encryption in confidential computing:
memory encryption protects against certain host-level threats, but not against attackers who control the system at boot.
PlugOS intentionally focuses on pre-boot security guarantees, including:
Pre-boot device authentication
User authentication before OS startup
Verified and measured boot
Immediate teardown when unplugged
These measures ensure that:
Supply-chain and memory-bus attacks are invalidated before DRAM ever holds sensitive data
The attack surface is eliminated early, rather than patched later
Enabling RAM encryption on a full Android system would:
Significantly degrade performance
Increase power consumption and latency
Add complexity without improving real security
Security features that do not align with the threat model often create false confidence, not real protection.
PlugOS is designed to protect user data against very strong adversaries, including advanced physical attacks.
Our philosophy is simple:
Eliminate attack classes early, instead of encrypting everything after the system is already compromised.
RAM encryption does not meaningfully raise the security bar in PlugOS’s architecture — therefore, we do not rely on it.
Got it. Looks like everything is spot on with PlugOS.