Message-ID: <Z9Fzkbc-5JmOOa_N@8bytes.org>
Date: Wed, 12 Mar 2025 12:44:17 +0100
From: Joerg Roedel <joro@...tes.org>
To: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>
Cc: Joerg Roedel <jroedel@...e.de>, Alexey Gladkov <legion@...nel.org>,
	Borislav Petkov <bp@...en8.de>,
	Jürgen Groß <jgross@...e.com>,
	"Alexey Gladkov (Intel)" <alexey.gladkov@...el.com>,
	Dave Hansen <dave.hansen@...el.com>, Ingo Molnar <mingo@...nel.org>,
	x86@...nel.org, hpa@...or.com,
	Tom Lendacky <thomas.lendacky@....com>,
	Nikunj A Dadhania <nikunj@....com>, linux-kernel@...r.kernel.org,
	Larry.Dewey@....com
Subject: Re: [PATCH] x86/sev: Make SEV_STATUS available via SYSFS

On Wed, Mar 12, 2025 at 12:59:50PM +0200, Kirill A. Shutemov wrote:
> I am not sure I understand your point.
> 
> In TDX case it is as trusted as the kernel itself. If the system is
> attested, this info is going to be accurate too as kernel gets information
> from trusted TDX module.
> 
> But nobody suggested to use this information to judge the security of the
> system.

Version information about the TDX module is required for the security
evaluation at the verifier. The question is whether it makes sense to
expose this information in an untrusted way in the guest (even alongside
a trusted way), or if that makes tooling prefer the untrusted source
because it is easier.

The guest kernel is also only trusted after (runtime) verification.

Regards,

	Joerg
