If the TVM does the encryption with the CPU then we don't really need to attest the storage or PCI at all, bounce the encrypted data into untrusted memory and then CPU copy it while crypting it. This minimizes the amount of stuff you have to trust.

If the TVM would like to have the storage device do the encryption with something like OPAL then:

 - Attest and trust the PCI function, this lets you load the HBA driver
 - Attest and trust the "media"
 - Use the media attestation to load an encrypted copy of the media key from the secure keyserver into the drive

The split view of "media" and PCI function seems appropriate. The keyserver should only release keys to media that has the correct attested ID, while a controller may have many different media attached to it. Attesting the controller is probably not enough to release the keys?

Jason
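The key-release policy described above, as an added illustration (not code from the thread or from any keyserver project): the keyserver releases a media key only when the verifier-endorsed evidence covers the specific media ID, so a trusted controller alone gets nothing. The verifier MAC key, controller name and media serials are constructed placeholders, and wrapping the key for the drive is left out.

```python
"""Media keyserver release policy: bind key release to attested media ID."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample data: a MAC key shared with the attestation verifier,
# the media keys this keyserver holds, and the controllers it trusts.
VERIFIER_MAC_KEY = b"constructed-verifier-mac-key"
MEDIA_KEYS = {
    "media-serial-A1": os.urandom(32),
    "media-serial-B2": os.urandom(32),
}
TRUSTED_CONTROLLERS = {"hba-fn-0000:03:00.0"}   # constructed PCI function id


@dataclass(frozen=True)
class Evidence:
    """Attestation evidence as the verifier hands it to the keyserver."""
    controller_id: str      # attested PCI function (the HBA)
    media_ids: frozenset    # media whose identity was attested behind it
    mac: bytes              # verifier's MAC over controller_id and media_ids


def _evidence_bytes(controller_id, media_ids):
    return (controller_id + "|" + ",".join(sorted(media_ids))).encode()


def sign_evidence(controller_id, media_ids):
    """Stand-in for the verifier endorsing evidence (constructed)."""
    mac = hmac.new(VERIFIER_MAC_KEY, _evidence_bytes(controller_id, media_ids),
                   hashlib.sha256).digest()
    return Evidence(controller_id, frozenset(media_ids), mac)


def release_media_key(evidence, requested_media_id):
    """Return the media key only if policy is satisfied, otherwise None."""
    expected = hmac.new(VERIFIER_MAC_KEY,
                        _evidence_bytes(evidence.controller_id, evidence.media_ids),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, evidence.mac):
        return None                        # evidence not endorsed by the verifier
    if evidence.controller_id not in TRUSTED_CONTROLLERS:
        return None                        # HBA itself is not trusted
    # A trusted controller may front many media; the key is bound to the
    # attested media ID, so the media must appear in the evidence itself.
    if requested_media_id not in evidence.media_ids:
        return None
    return MEDIA_KEYS.get(requested_media_id)
```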