From: Dave Hansen <dave.hansen@xxxxxxxxx> Sent: Wednesday, February 8, 2023 9:24 AM > > On 2/7/23 04:41, Borislav Petkov wrote: > > Or are there no similar TDX solutions planned where the guest runs > > unmodified and under a paravisor? > > I actually don't think paravisors make *ANY* sense for Linux. If you > have to modify the guest, then just modify it to talk to the hypervisor > directly. This code is... modifying the guest. What does putting a > paravisor in the middle do for you? One of the original goals of the paravisor was to make fewer modifications to the guest, especially in areas that aren't directly related to the hypervisor. It's arguable as to whether that goal played out in reality. But another significant goal is to be able to move some device emulation from the hypervisor/VMM to the guest context. In a CoCo VM, this move is from outside the TCB to inside the TCB. A great example is a virtual TPM. Per the CoCo VM threat model, a guest can't rely on a vTPM provided by the host. But a guest *can* rely on a vTPM implemented in a more privileged layer of the guest context. With CoCo VMs in the Azure public cloud, the paravisor also provides other device emulation, like the IO-APIC to solve some of the ugly interrupt delivery issues. In a complete solution, it should be possible for a customer to provide his own paravisor, or at least to inspect/audit the vendor-provided paravisor code so that it can be certified against whatever security standards the customer requires. For Azure CoCo VMs, this part is a work-in-progress. This could turn into an extended discussion, and I've given only a fairly high-level answer. There are architects at Microsoft who could probably give a better rendition of why we've pursued the paravisor approach with SEV-SNP guests. Michael > > It might help with binary drivers, but we don't do upstream kernel work > to make silly binary Linux drivers happy. > > So, no, there's no similar TDX solutions planned, at least for Linux > guests. Unless I missed the memo. Kirill?
