Re: [PATCH v8 29/40] x86/compressed/64: add support for SEV-SNP CPUID table in #VC handlers

From: Borislav Petkov
Date: Fri Jan 28 2022 - 17:58:45 EST


On Wed, Jan 19, 2022 at 10:27:47AM -0600, Michael Roth wrote:
> At that point it's much easier for the guest owner to just check the
> CPUID values directly against known good values for a particular
> configuration as part of their attestation process and leave the
> untrusted cloud vendor out of it completely. So not measuring the
> CPUID page as part of SNP attestation allows for that flexibility.

Well, in that case, I guess you don't need the sanity-checking in the
guest either - you simply add it to the attestation TODO-list for the
guest owner to go through:

Upon booting, the guest owner should compare the CPUID leaves the guest
sees with the ones supplied during boot.

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette
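The comparison suggested above, as an added example that is not part of this thread or of the patch series: a guest-owner-side attestation check that diffs the CPUID leaves the guest reports against a known-good table for the configuration. The table format (a dict keyed by `(leaf, subleaf)`), the per-vCPU mask list and all sample register values are assumptions constructed for the example.

```python
# Bits that legitimately differ per vCPU and are masked before comparison:
# CPUID.01H:EBX[31:24] is the initial APIC ID, CPUID.0BH:EDX is the x2APIC ID.
# (Assumed list; extend it per configuration.)
PER_VCPU_MASKS = {
    (0x1, 0): {"ebx": 0xFF000000},
    (0xB, 0): {"edx": 0xFFFFFFFF},
    (0xB, 1): {"edx": 0xFFFFFFFF},
}

REGS = ("eax", "ebx", "ecx", "edx")


def compare_cpuid(expected, observed):
    """Return mismatches as (leaf, subleaf, reg, expected, observed) tuples.

    A leaf present on only one side is reported with reg="leaf" and None for
    the missing side: the observed table is walked in full, because an extra
    leaf the guest owner never supplied is as suspicious as a changed one.
    """
    mismatches = []
    for key in sorted(set(expected) | set(observed)):
        if key not in expected:
            mismatches.append((key[0], key[1], "leaf", None, observed[key]))
            continue
        if key not in observed:
            mismatches.append((key[0], key[1], "leaf", expected[key], None))
            continue
        masks = PER_VCPU_MASKS.get(key, {})
        for i, reg in enumerate(REGS):
            keep = 0xFFFFFFFF & ~masks.get(reg, 0)
            e, o = expected[key][i] & keep, observed[key][i] & keep
            if e != o:
                mismatches.append((key[0], key[1], reg, e, o))
    return mismatches


# Constructed sample tables (illustrative values, not real CPU output).
EXPECTED = {
    (0x1, 0): (0x00A00F11, 0x00100800, 0xFED83203, 0x178BFBFF),
    (0x7, 0): (0x00000000, 0xF1BF07A9, 0x00405F4E, 0x00000010),
    (0xB, 0): (0x00000001, 0x00000002, 0x00000100, 0x00000000),
}
OBSERVED = {
    (0x1, 0): (0x00A00F11, 0x03100800, 0xFED83203, 0x178BFBFF),  # APIC ID 3: benign
    (0x7, 0): (0x00000000, 0xF1BF07A8, 0x00405F4E, 0x00000010),  # EBX bit 0 (FSGSBASE) cleared
    (0xB, 0): (0x00000001, 0x00000002, 0x00000100, 0x00000003),  # x2APIC ID 3: benign
}

if __name__ == "__main__":
    for m in compare_cpuid(EXPECTED, OBSERVED):
        print("CPUID mismatch: leaf %#x sub %d %s expected %r got %r" % m)
```

Only the leaf 7 feature-bit change is reported; the two APIC ID differences are masked as expected per-vCPU variation.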