On 11/12/21 13:16, Marc Orr wrote:
So cloud providers should have an interest to prevent such random stray
accesses if they wanna have guests. :)
Yes, but IMO inducing a fault in the guest because of _host_ bug is wrong.
I want to push back on "inducing a fault in the guest because of
_host_ bug is wrong.". The guest is _required_ to be robust against
the host maliciously (or accidentally) writing its memory. SNP
security depends on the guest detecting such writes. Therefore, why is
leveraging this system property that the guest will detect when its
private memory has been written wrong?
>
Especially when its orders or
magnitudes simpler than the alternative to have everything in the
system -- kernel, user-space, and guest -- all coordinate to agree
what's private and what's shared. Such a complex approach is likely to
bring a lot of bugs, vulnerabilities, and limitations on future design
into the picture.
SEV-SNP, TDX, and any reasonable software solution all require that the
host know which pages are private and which pages are shared. Sure, the
old SEV-ES Linux host implementation was very simple, but it's nasty and
fundamentally can't support migration.