Jason Gunthorpe wrote:
[..]
> If the TVM would like to have the storage device do the encryption
> with something like OPAL then:
>  - Attest and trust the PCI function, this lets you load the HBA driver
>  - Attest and trust the "media"
>  - Use the media attestation to load an encrypted copy of the media
>    key from the secure keyserver into the drive
>
> The split view of "media" and PCI function seems appropriate. The
> keyserver should only release keys to media that has the correct
> attested ID, while a controller may have many different media attached
> to it.
>
> Attesting the controller is probably not enough to release the keys?

Right, I think key release is going to be based on measurement of the
entire VM and accepted device topology state. Also, if the storage
volume itself is accessed through dm-{crypt,verity} it is not clear that
the storage controller needs to be attested to ensure confidentiality of
those transfers.
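As an added illustration of the key-release policy the two messages above are circling (not code from the thread, from any TVM stack, or from a real attestation protocol): a hypothetical key server that refuses to hand out a media key unless the evidence covers the whole accepted topology. The evidence format, the HMAC standing in for the attestation signature, the PCI function and media names, and all measurement values are constructed assumptions. The "controller_only" case is the one Jason asks about: the PCI function is attested but the media is absent from the topology, so no key is released.

```python
"""Hypothetical TVM key server: release a media key only when the TVM
measurement and the accepted device topology (PCI function plus media)
all check out. Added example; evidence format, names and values are
constructed assumptions, not any real attestation protocol."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Evidence:
    """Constructed evidence blob: TVM measurement plus the device topology the
    TVM accepted, each media ID bound to the PCI function it sits behind."""
    vm_measurement: bytes
    functions: FrozenSet[str]                # attested PCI functions
    media: Dict[str, Tuple[str, bytes]]      # media_id -> (function, measurement)
    mac: bytes = b""                         # stand-in for the attestation signature


def _canonical(ev: Evidence) -> bytes:
    """Deterministic encoding so the MAC covers every field of the evidence."""
    parts = [ev.vm_measurement.hex(), ",".join(sorted(ev.functions))]
    for mid in sorted(ev.media):
        fid, meas = ev.media[mid]
        parts.append(f"{mid}:{fid}:{meas.hex()}")
    return "|".join(parts).encode()


def make_evidence(attest_key: bytes, vm: bytes, functions, media) -> Evidence:
    """Build evidence the way an (assumed) attestation service would: MAC it
    with a key the key server also holds."""
    ev = Evidence(vm, frozenset(functions), dict(media))
    mac = hmac.new(attest_key, _canonical(ev), hashlib.sha256).digest()
    return Evidence(vm, frozenset(functions), dict(media), mac)


class KeyServer:
    def __init__(self, attest_key: bytes, expected_vm: bytes,
                 reference_media: Dict[str, bytes]):
        self._attest_key = attest_key
        self._expected_vm = expected_vm
        self._reference_media = reference_media
        # One key per media; a real server would wrap it to the drive, which
        # is out of scope here (assumption: plain return of the key).
        self._media_keys = {mid: os.urandom(32) for mid in reference_media}

    def release(self, ev: Evidence, media_id: str) -> bytes:
        """Return the media key, or raise PermissionError naming the failed check."""
        expected = hmac.new(self._attest_key, _canonical(ev), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, ev.mac):
            raise PermissionError("evidence MAC invalid")
        if not hmac.compare_digest(ev.vm_measurement, self._expected_vm):
            raise PermissionError("VM measurement mismatch")
        if media_id not in self._reference_media:
            raise PermissionError("unknown media")
        # Controller-only evidence: the media never shows up in the topology.
        if media_id not in ev.media:
            raise PermissionError("media not attested (controller-only evidence)")
        function_id, measurement = ev.media[media_id]
        if function_id not in ev.functions:
            raise PermissionError("media attached to an unattested PCI function")
        if not hmac.compare_digest(measurement, self._reference_media[media_id]):
            raise PermissionError("media measurement mismatch")
        return self._media_keys[media_id]


# Constructed reference values for the demo.
ATTEST_KEY = b"constructed-attestation-mac-key"
EXPECTED_VM = hashlib.sha256(b"constructed TVM image").digest()
REF_MEDIA = {"nvme0n1": hashlib.sha256(b"constructed media nvme0n1").digest()}
FUNC = "0000:03:00.0"   # hypothetical PCI function behind the media


def demo() -> Dict[str, bool]:
    """Run the policy over constructed evidence; True means the key was released."""
    ks = KeyServer(ATTEST_KEY, EXPECTED_VM, REF_MEDIA)
    good_media = {"nvme0n1": (FUNC, REF_MEDIA["nvme0n1"])}
    full = make_evidence(ATTEST_KEY, EXPECTED_VM, {FUNC}, good_media)
    cases = {
        "full_topology": full,
        "controller_only": make_evidence(ATTEST_KEY, EXPECTED_VM, {FUNC}, {}),
        "wrong_vm": make_evidence(ATTEST_KEY, b"\x00" * 32, {FUNC}, good_media),
        "swapped_media": make_evidence(ATTEST_KEY, EXPECTED_VM, {FUNC},
                                       {"nvme0n1": (FUNC, b"\x11" * 32)}),
        # Field edited after the fact without re-MACing: caught by the MAC check.
        "tampered": Evidence(full.vm_measurement, full.functions,
                             {"nvme0n1": (FUNC, b"\x11" * 32)}, full.mac),
    }
    results = {}
    for name, ev in cases.items():
        try:
            ks.release(ev, "nvme0n1")
            results[name] = True
        except PermissionError:
            results[name] = False
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'released' if ok else 'refused'}")
```

The point of the ordering in `release` is that every refusal names a distinct missing piece of the topology: a controller-only report fails on "media not attested", a media ID reported behind a function the TVM never accepted fails on the function check, and a media whose measurement has changed fails last. Whether the controller must be attested at all when the volume sits behind dm-crypt or dm-verity is the open question in the reply above; this policy simply encodes the stricter position.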