[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [RFC PATCH v1 20/22] fw_cfg: sev: disable dma in real m
From: |
Paolo Bonzini |
Subject: |
Re: [Qemu-devel] [RFC PATCH v1 20/22] fw_cfg: sev: disable dma in real mode |
Date: |
Wed, 14 Sep 2016 10:58:08 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 |
On 14/09/2016 04:33, Michael S. Tsirkin wrote:
> Frankly I don't understand why do you need to mess with boot at all.
> Quoting the cover letter:
>
> SEV is designed to protect guest VMs from a benign but vulnerable
> (i.e. not fully malicious) hypervisor. In particular, it reduces the
> attack
> surface of guest VMs and can prevent certain types of VM-escape bugs
> (e.g. hypervisor read-anywhere) from being used to steal guest data.
>
> it seems highly unlikely that any secret data is used during boot.
> So just let guest boot normally, and encrypt afterwards.
>
> Even assuming there are some guests that have secret data during boot,
> I would first upstream the main part of the feature for normal guests,
> then weight the extra security if any against the features and
> performance lost (like slower boot times).
If you can't trust boot, any encryption done afterwards is totally
pointless.
Paolo
- Re: [Qemu-devel] [RFC PATCH v1 10/22] sev: add SEV debug decrypt command, (continued)
[Qemu-devel] [RFC PATCH v1 08/22] sev: add SEV launch update command, Brijesh Singh, 2016/09/13
[Qemu-devel] [RFC PATCH v1 20/22] fw_cfg: sev: disable dma in real mode, Brijesh Singh, 2016/09/13
Re: [Qemu-devel] [RFC PATCH v1 20/22] fw_cfg: sev: disable dma in real mode, Paolo Bonzini, 2016/09/13
Re: [Qemu-devel] [RFC PATCH v1 20/22] fw_cfg: sev: disable dma in real mode, Eduardo Habkost, 2016/09/14
Re: [Qemu-devel] [RFC PATCH v1 20/22] fw_cfg: sev: disable dma in real mode, Paolo Bonzini, 2016/09/14
Re: [Qemu-devel] [RFC PATCH v1 20/22] fw_cfg: sev: disable dma in real mode, Michael S. Tsirkin, 2016/09/14
Re: [Qemu-devel] [RFC PATCH v1 20/22] fw_cfg: sev: disable dma in real mode, Eduardo Habkost, 2016/09/14
Re: [Qemu-devel] [RFC PATCH v1 20/22] fw_cfg: sev: disable dma in real mode, Michael S. Tsirkin, 2016/09/14
Re: [Qemu-devel] [RFC PATCH v1 20/22] fw_cfg: sev: disable dma in real mode, Eduardo Habkost, 2016/09/14
Re: [Qemu-devel] [RFC PATCH v1 20/22] fw_cfg: sev: disable dma in real mode, Michael S. Tsirkin, 2016/09/21
Re: [Qemu-devel] [RFC PATCH v1 20/22] fw_cfg: sev: disable dma in real mode, Brijesh Singh, 2016/09/21
[Qemu-devel] [RFC PATCH v1 06/22] sev: add initial SEV support, Brijesh Singh, 2016/09/13