On 4/19/22 00:47, Kai Huang wrote: >>From security's perspective, attestation is an essential part of TDX. That > being said, w/o attestation support in TD guest, I guess nobody will seriously > use TD guest. Are you saying you can't think of a single threat model where there's a benefit to running a TDX guest without attestation? Will TDX only be used in environments where secrets are provisioned to guests on the basis of attestation? >>From this perspective, I am not sure what's the value of having a dedicated > INTEL_TDX_ATTESTATION Kconfig. The attestation support code should be turned on > unconditionally when CONFIG_INTEL_TDX_GUEST is on. The code can also be just > under arch/x86/coco/tdx/ I guess? How much code are we talking about? What's the difference in the size of the binaries with this compiled in?
