Re: Adding an "Enable Launch Security" checkbox to the Memory Details dialog

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, Mar 27, 2020 at 12:13:09PM -0400, Cole Robinson wrote:
> CCing Erik who knows more about that launchSecurity/sev than I do
>
> On 3/27/20 11:44 AM, Charles Arnold wrote:
> > What is the opinion of adding a checkbox called "Enable Launch
> > Security" under the 'Current allocation' and 'Maximum allocation' boxes
> > on the Details->Memory dialog? It would only be enabled if libvirt
> > detected support for it.
> >
>
> Provided libvirt capabilities report everything we need to know to
> whether it's really supported on the host and will actually work, and
> there's a sensible noncontroversial set of defaults we can fill in, then
> a single checkbox is worth considering. It's certainly an advanced
> feature but it's also getting more and more mention these days so maybe
> it's good to get out ahead of any future RFEs.
>
> But if we can boil it down to being that simple I guess the question is
> whether a checkbox in the UI is valuable when users can use 'virt-xml
> VMNAME --edit --launchSecurity sev' to fill in the same default values.
> I guess it depends on who we expect will want to use this option. We
> should think about how it fits the UI philosophy/DESIGN.md:
>
> https://github.com/virt-manager/virt-manager/blob/master/DESIGN.md
>
> - Cole

Apart from what Dan has already mentioned, AMD redesigned SEV and they call it
SEV-SNP now which is supposed to introduce a completely different approach
towards machine attestation  and IIRC there may be more backward incompatibilities. The
reason why I'm mentioning this is that given ^this fact, it would be quite hard
to tell for a normal user what we do and do not support and which of the SEV
revisions we're going to apply and all of that just from a single check-box.
It would be cool, I'd be happy if we could get something like that, but SEV is
fairly complex to be abstracted by a single click, Advanced Security options as
a sub-menu would definitely be my approach in the UI.

https://www.amd.com/system/files/TechDocs/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more.pdf

[1] there was no abstraction library for the attestation in the first revision
of SEV anyway and in order to do that was to construct a request with correct
padding yourself and pass it to /dev/sev

--
Erik Skultety
[Index of Archives]     [Linux Virtualization]     [KVM Development]     [CentOS Virtualization]     [Netdev]     [Ethernet Bridging]     [Linux Wireless]     [Kernel Newbies]     [Security]     [Linux for Hams]     [Netfilter]     [Bugtraq]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux RAID]     [Linux Admin]     [Samba]     [Video 4 Linux]

  Powered by Linux