On Wed, Nov 21, 2018 at 09:18:19AM +0200, Jarkko Sakkinen wrote:
> On Tue, Nov 20, 2018 at 10:42:01PM -0700, Jason Gunthorpe wrote:
> > > Why wouldn't you use DMA to spy on the RAM?
> >
> > The platform has to use IOMMU to prevent improper DMA access from
> > places like PCI-E slots if you are using measured boot and want to
> > defend against HW tampering.
>
> Yes. This is what I wanted to point out. Windows 10 has VBS to
> achieve something like this.
>
> https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs

Some trials like Qubes are in existence (uses Xen). I've been thinking
whether Linux should have a thin hypervisor solely for VBS-like use in
order to gain wider adoption.

/Jarkko