Re: [PATCH v1 1/8] virtio: Force only split mode with protected guest
From: Andi Kleen
Date: Thu Jun 03 2021 - 19:33:05 EST
We do not need an increasing pile of kludges
Do you mean disabling features is a kludge?
If yes I disagree with that characterization.
to make TDX and SEV “secure”. We need the actual loaded driver to be secure. The virtio architecture is full of legacy nonsense,
and there is no good reason for SEV and TDX to be a giant special case.
I don't know where you see a "giant special case". Except for the
limited feature negotiation all the changes are common, and the
disabling of features (which is not new BTW, but already done e.g. with
forcing DMA API in some cases) can be of course used by all these other
technologies too. But it just cannot be done by default for everything
because it would break compatibility. So every technology with such
requirements has to explicitly opt-in.
As I said before, real PCIe (Thunderbolt/USB-C or anything else) has the exact same problem. The fact that TDX has encrypted memory is, at best, a poor proxy for the actual condition. The actual condition is that the host does not trust the device to implement the virtio protocol correctly.
Right they can do similar limitations of feature sets. But again it
cannot be default.
TDX and SEV use the arch hook to enforce DMA API, so that part is also
solved.
Can you point me to the code you’re referring to?
See 4/8 in this patch kit. It uses an existing hook which is already
used in tree by s390.
-Andi