> ## Documentation Index > Fetch the complete documentation index at: https://docs.thistle.tech/llms.txt > Use this file to discover all available pages before exploring further. # Linux Memory Protection > Keep decrypted AI model weights out of reach of unauthorized processes on Linux On an edge device, we still face an issue when the model is loaded: the plaintext weights live in process memory and can be dumped by anything with sufficient privilege (`/proc/pid/mem`, `ptrace`, `/dev/mem`). Linux memory protection closes that gap by keeping decryption inside ARM TrustZone and gating access to the decrypted buffer on a per-binary signature check. ## How it works Three components cooperate on the device: To leverage this, we use an ARM TrustZone OP-TEE application that will be used to decrypt the binary file that will be useful to the main application (typically an AI model). Once decrypted, payload will be written in a memory slot that will be safeguarded by a kernel module. This module will verify that the application (typically an inference software) will be approved to access this memory space. ## Data flow ``` model.enc ─► loader ─► TA (secure world, AES-256-CTR) v v /dev/secure-mem ◄── mmap(PROT_READ, signed app only) (kernel buffer) v v inference engine ``` ## Hypothetical usage From the inference application's perspective, the secure buffer looks like an ordinary file: ```rust theme={"dark"} let file = fs::File::open("/dev/secure-mem")?; let mmap = unsafe { Mmap::map(&file)? }; let model = load_model(&mmap[..])?; ``` The hardening only holds if the surrounding platform is locked down: `kernel_lockdown=confidentiality`, `yama.ptrace_scope=3`, forced module signing, secure boot, and dm-verity. Without these, a privileged attacker can bypass the signature gate entirely. ## Security properties * Model ciphertext at rest * Decryption key in OP-TEE secure storage * Plaintext never materializes in the loader process * Read access to plaintext limited to binaries carrying a valid signature