[svsm-devel] Development Plan Document

Jörg Rödel joro at 8bytes.org
Thu May 23 11:52:32 CEST 2024


Hi Elena,

On Fri, May 17, 2024 at 10:01:01AM +0000, Reshetova, Elena wrote:
> Coconut as a service VM closely relates to the concept of service TDs that
> we have in TDX (for example a Migration TD is an example of such a service TD).
> However, in my understanding there was not enough general
> interest in this model (due to complexities of managing separate service VM
> in addition to the guest OS VM) but it looks like I had a wrong impression.

Service VMs might be a niche use-case in the end. But since there is not
much effort needed to make them work I see no reason to not support
them.

> We are affected by a double accept albeit differently. Since every page
> that is accepted by a guest starts as a zero page, host/vmm can turn any
> private page into a zero page (with potential security consequences) at
> any time if acceptance status for the page is not tracked.

Okay, right. Seems like the attacks work on Intel as well, just with a
different outcome. Anyway, the mitigation should work on TDX as well.

> Yes, anything that can affect coconut-svsm itself and which can be
> security-relevant but at the same time stays stable over different boots.
> Memory map is likely not stable, so I don't think we can measure it,
> Coconut-svsm just should sanitize the values. ACPI tables are a candidate.
> I know that currently coconut-svsm takes very little of such inputs/configurations,
> but it will probably grow in the future, so having a guidance on what configuration
> must be measured or not is good to have imo.

We briefly touched that topic in yesterday's development call; it seems
there are diverging requirements for different platforms. Some platforms
do not want to measure any configuration data while others want to
measure at least parts of it.

Currently IGVM is used to pass any configuration data to the SVSM and
the specification requires this data to be unmeasured. So an IGVM
extension would be needed as well to pass measured configuration data.

Regards,

	Joerg
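
The acceptance tracking mentioned in the quoted text above, as an added Rust sketch that is not part of the original mail and is not COCONUT-SVSM or TDX module code. The `Guest` type, its method names and the in-memory page model are assumptions made for illustration; the only behaviour taken from the thread is that an accepted page starts out zeroed.

```rust
// Toy model (assumption): guest memory as an array of pages plus a tracking set.
use std::collections::HashSet;
const PAGE_SIZE: usize = 4096;

#[derive(Debug, PartialEq)]
pub enum AcceptError { AlreadyAccepted(usize) }

/// Simulated guest memory plus the guest's own record of accepted pages.
pub struct Guest {
    pages: Vec<[u8; PAGE_SIZE]>,
    accepted: HashSet<usize>, // kept in guest-private state
}

impl Guest {
    pub fn new(n: usize) -> Self {
        Guest { pages: vec![[0u8; PAGE_SIZE]; n], accepted: HashSet::new() }
    }

    /// Stand-in for the platform accept operation: the page comes back zeroed.
    fn platform_accept(&mut self, pfn: usize) { self.pages[pfn] = [0u8; PAGE_SIZE]; }

    /// Untracked handler: accepts whenever asked, so a repeat request wipes data.
    pub fn accept_untracked(&mut self, pfn: usize) { self.platform_accept(pfn); }

    /// Tracked handler: a second accept for the same page is refused.
    pub fn accept_tracked(&mut self, pfn: usize) -> Result<(), AcceptError> {
        if !self.accepted.insert(pfn) {
            return Err(AcceptError::AlreadyAccepted(pfn));
        }
        self.platform_accept(pfn);
        Ok(())
    }

    /// The guest itself gives the page up, so a later accept is legitimate again.
    pub fn release(&mut self, pfn: usize) { self.accepted.remove(&pfn); }

    pub fn write(&mut self, pfn: usize, off: usize, b: u8) { self.pages[pfn][off] = b; }
    pub fn read(&self, pfn: usize, off: usize) -> u8 { self.pages[pfn][off] }
}

fn main() {
    let mut g = Guest::new(4);
    g.accept_tracked(1).unwrap();
    g.write(1, 0, 0xAA);
    // Repeat accept request for a page the guest already owns: refused, data kept.
    println!("{:?}, byte = {:#x}", g.accept_tracked(1), g.read(1, 0));
    g.accept_untracked(1); // without tracking the same request zeroes the page
    println!("untracked: byte = {:#x}", g.read(1, 0));
    g.release(1);
}
```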