On Tue, 2022-04-19 at 15:49 -0700, Dave Hansen wrote: > On 4/19/22 15:21, Kai Huang wrote: > > On Tue, 2022-04-19 at 07:13 -0700, Dave Hansen wrote: > > > On 4/19/22 00:47, Kai Huang wrote: > > > > > From security's perspective, attestation is an essential part of TDX. That > > > > being said, w/o attestation support in TD guest, I guess nobody will seriously > > > > use TD guest. > > > Are you saying you can't think of a single threat model where there's a > > > benefit to running a TDX guest without attestation? Will TDX only be > > > used in environments where secrets are provisioned to guests on the > > > basis of attestation? > > > > > I don't think anyone should provision secret to a TD before it get attested that > > it is a genuine TD that he/she expected. If someone does that, he/she takes the > > risk of losing the secret. Of course if someone just want to try a TD then w/o > > attestation is totally fine. > > Yeah, but you said: > > w/o attestation support in TD guest, I guess nobody will > seriously use TD guest. > > I'm trying to get to the bottom of that. That's a much more broad > statement than something about when it's safe to deploy secrets. > > There are lots of secrets deployed in (serious) VMs today. There are > lots of secrets deployed in (serious) SEV VMs that don't have > attestation. Yet, the world somehow hasn't come crashing down. > > I think it's crazy to say that nobody will deploy secrets to TDX VMs > without attestation. I think it's a step father into crazy land to say > that no one will "seriously" use TDX guests without attestation. > > Let's be honest about this and not live in some fantasy world, please. OK agree. No argument about this. -- Thanks, -Kai
