[svsm-devel] About integrating Coconut-SVSM in the cloud
Carlos Bilbao
carlos.bilbao.osdev at gmail.com
Mon Mar 31 21:50:59 CEST 2025
Hey folks,
It looks like the Coconut-SVSM project has grown significantly since I last
checked the repo -- kudos to all!
I've been thinking about the practicality of integrating CoCo into the
cloud. I'd love to help in that direction and, from my experience working
for a cloud provider, several questions come to mind. I'd love to hear your
thoughts on these, both from the perspective of Coconut-SVSM and more
broadly.
1. I'm worried about the latency of encrypting guest pages, particularly at
VM creation. Have you measured the impact on VM boot time, using a
non-Coconut baseline? I’d be happy to run tests and share findings. That
said, at this stage of development, my understanding is that we wouldn't
yet see the full impact of the attestation phase -- please correct me if
I'm wrong, maybe with vTPM that's well understood.
2. Beyond the time penalty of bringing up the CoCo guest, do you foresee
any bottlenecks in VM creation? For example, if 200 users attempt to
launch confidential guests simultaneously, would this be a scalability
challenge? I also plan to give that a try.
3. Also, how would that time penalty during VM creation translate to VM
live migration? For example, once keys are exchanged and the CoCo guest
is ready to go, I wonder if the entire process needs to be repeated
while/after migrating nodes -- assuming an encrypted network is used?
My guess is that only a subset of those tests _need_ to be done but that
a more concerned guest may want to check its memory again? Now that I
think about it, is there a requirement for the destination node to match fw?
4. In some cases, customers experience guest VM crashes and request
debugging support. Would it even be possible to analyze a core dump from
a CoCo guest? If the guest kernel has crashed, I’m unsure whether the
necessary keys could still be retrieved.
5. I'm very interested in this question: As a CoCo dev, is there a feature
you wish cloud providers would offer?
6. More generally, what concerns you about enabling CoCo in the cloud? Are
there any major challenges you anticipate? I'm probably missing stuff.
I plan to attend LSS NA and would love to better understand your stance on
these questions, so I can ask for potential answers and gather opinions on
any unresolved aspects.
Thanks so much folks!!
Cheers,
Carlos Bilbao