
5.10 Merge window, part 1


Posted Oct 18, 2020 22:11 UTC (Sun) by pbonzini (subscriber, #60935)
In reply to: 5.10 Merge window, part 1 by roc
Parent article: 5.10 Merge window, part 1

You could encrypt logs within the enclave and send them back to the parent VM that immediately sends them somewhere for storage. This doesn't guarantee that logs are actually forwarded and stored but it does guarantee confidentiality and integrity; in case of an attack this means that the attacker cannot wipe all of its traces. And at least it's more interesting than DRM. :-)

The enclave only gets a vsock connection to the outer world. One interesting feature would be the ability for the parent to configure (at enclave startup) a mapping from a vsock port to a remote TCP address/port, with the forwarding being done by the host so that the link cannot be broken.
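The integrity property described in the comment above, as an added sketch that is not part of the original comment: each record is MAC-chained to its predecessor inside the enclave, so whoever relays or stores the records cannot alter one or drop one from the middle unnoticed, while cutting off the tail still verifies, which is the forwarding caveat. Assumptions: the key is shared only between the enclave and an auditor, all names are hypothetical, and encryption of the record body (an AEAD in practice) is left out to stay within the standard library.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32           # chain anchor fixed at enclave startup (assumption)
KEY = b"constructed-demo-key"    # constructed; never known to the parent VM
SAMPLE = ["boot ok", "key unsealed", "request served"]  # constructed log lines


def _tag(key, prev_tag, body):
    # The tag covers the previous tag, so every record commits to its history.
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()


def seal_all(key, messages):
    """Enclave side: turn log messages into a MAC-chained record list."""
    prev, records = GENESIS, []
    for seq, msg in enumerate(messages):
        body = json.dumps({"seq": seq, "msg": msg}, sort_keys=True).encode()
        prev = _tag(key, prev, body)
        records.append({"body": body.decode(), "tag": prev.hex()})
    return records


def verify(key, records):
    """Auditor side: return (records_verified, error_or_None)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        expected = _tag(key, prev, rec["body"].encode())
        if not hmac.compare_digest(expected, bytes.fromhex(rec["tag"])):
            return i, "chain broken at position %d" % i
        prev = expected
    return len(records), None


if __name__ == "__main__":
    recs = seal_all(KEY, SAMPLE)
    print("intact:         ", verify(KEY, recs))
    print("middle dropped: ", verify(KEY, [recs[0], recs[2]]))
    print("tail truncated: ", verify(KEY, recs[:2]))
```

Detecting a truncated tail needs something outside the chain, such as the auditor expecting a periodic heartbeat record.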

