Re: [RFC 00/16] KVM protected memory extension
From: Jim Mattson
Date: Thu Jun 04 2020 - 17:03:28 EST
On Thu, Jun 4, 2020 at 12:09 PM Nakajima, Jun <jun.nakajima@xxxxxxxxx> wrote:
> We (Intel virtualization team) are also working on a similar thing, prototyping to meet such requirements, i..e "some level of confidentiality to guestsâ. Linux/KVM is the host, and the Kirillâs patches are helpful when removing the mappings from the host to achieve memory isolation of a guest. But, itâs not easy to prove there are no other mappings.
>
> To raise the level of security, our idea is to de-privilege the host kernel just to enforce memory isolation using EPT (Extended Page Table) that virtualizes guest (the host kernel in this case) physical memory; almost everything is passthrough. And the EPT for the host kernel excludes the memory for the guest(s) that has confidential info. So, the host kernel shouldnât cause VM exits as long as itâs behaving well (CPUID still causes a VM exit, though).
You're Intel. Can't you just change the CPUID intercept from required
to optional? It seems like this should be in the realm of a small
microcode patch.