| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <43ae1b15-c911-4ecd-aaaa-15bc23ec6192@citrix.com> Date: Tue, 6 Jan 2026 22:39:08 +0000 From: Andrew Cooper <andrew.cooper3@...rix.com> To: Jon Lange <jlange@...rosoft.com>, Dave Hansen <dave.hansen@...el.com> Cc: Andrew Cooper <andrew.cooper3@...rix.com>, "Williams, Dan J" <dan.j.williams@...el.com>, Sean Christopherson <seanjc@...gle.com>, Paolo Bonzini <pbonzini@...hat.com>, John Starks <John.Starks@...rosoft.com>, Will Deacon <will@...nel.org>, Mark Rutland <mark.rutland@....com>, "linux-coco@...ts.linux.dev" <linux-coco@...ts.linux.dev>, LKML <linux-kernel@...r.kernel.org>, "Edgecombe, Rick P" <rick.p.edgecombe@...el.com> Subject: Re: [EXTERNAL] Re: "Paravisor" Feature Enumeration On 06/01/2026 2:12 am, Jon Lange wrote: > Andrew wrote: > >> Are we saying that, inside an opaque blob that a customer provides to a CSP to run we might have: >> * a paravisor and an unaware OS, or >> * svsm and a fully-aware OS, or >> * something in-between these two. >> and we're looking a way to describe which piece of the interior stack owns which capability/service? >> I think the discussion would benefit greatly from having a couple of concrete examples of data this wants to hold, >> and how it is to be used at different levels of the interior software stack. > Here are two examples. In both examples, the OS is running behind a paravisor but I wouldn't term it an "unaware OS". Rather, the paravisor is present because of the set of services it provides, and it is running in paravisor mode (not SVSM mode) because the implementation benefits from taking full management responsibility for the confidential trust boundary (e.g. determination of when/how to validate/accept pages). In such a configuration, where the paravisor has management responsibility for the confidential trust boundary, all of the enlightenments in the guest OS for managing confidentiality state must be suppressed. The straightforward way to do this is for the paravisor to suppress the confidential VM enumeration information visible to the guest OS (the "SNP available" CPUID bit, or the "TDX active" bit, for example). > > Note that this occurs out of necessity because we can't have the paravisor and the guest OS fighting over who has the right/responsibility to execute PVALIDATE, or TDG.MEM.PAGE.ACCEPT, or whatever. The kernel today only has two concepts of its execution mode: either it is a confidential VM, in which case it takes full responsibility, or it is not a confidential VM, in which case it ignores the responsibility. When a paravisor (not SVSM) is active, we have to operate in the second mode because the first mode would provoke precisely the conflict we're trying to avoid. > > First example: a confidential VM running under a paravisor wants to obtain an attestation report for itself to pass to a third party to vouch for the fact that it is a confidential VM. Assume in this example that the relying party is aware of the paravisor and the paravisor's measurements, so the evidence provided in such an attestation report can successfully be verified as authentic. In order for this to be possible, the kernel has to know that it's running in a confidential VM in a mode where attestation reports are available but where the responsibility for confidential memory state management is suppressed. This is a third state beyond the two states described above. This isn't just a userspace problem because access to the attestation service is mediated by a kernel-mode driver that needs to know how to configure itself (such configuration today is based on CPUID and not on ACPI). > > Second example: a confidential VM running under a paravisor determines that one of the devices available to it is a TDISP device that requires the OS - not the paravisor - to perform the operations required to configure the device, to obtain and verify its attestation information, and to consent to activating the device in the TDISP RUN state. In order for the OS to be able to execute that sequence, the device has to know that it is running as a confidential VM so it knows that TDISP configuration may be necessary. Thankyou - that is helpful. So overall, we're wanting the paravisor to be able to express "You're in a confidential VM, but you're not in charge" to the OS. Hiding the SNP / TDX bit is of course necessary. They have well defined meanings which the OS cannot use when it's not in charge. In your first example, when you say "attestation report", do you mean of the whole encrypted VM, or only the "OS" part of it? After all, a paravisor could be running multiple OSes. Whichever it is, this is clearly a service provided by the paravisor, with some kind of API that's going to be of the from "execute VM(M)CALL/etc with these regs". TDISP is also CPU-initiated actions, some of which may need a paravisor API. What you're really describing is "just another hypervisor". So really, on x86, the paravisor (which does control CPUID in this scenario) ought to hide the outer data, advertise itself at 0x4000_0000, and Linux wants a new paravirt mode for this new kind of virtual platform, which is probably not going to be very different from a typical KVM/XenHVM/HyperV guest today. Anything else, and it seems like you're just re-inventing the wheel but a little more square. Do you foresee a need to pass anything other than "here's a handful of services that are available to you"? An ACPI table might be an approach, but this seems like it could be a leaf or two and nothing more. There's no common enumeration scheme between different architectures, but I'm a firm believer that things ought to be enumerated in the typical way for the architecture/platform. This means CPUID on x86, and things like devicetree on ARM. It's slightly ugly duplicating information, but it's less ugly than shoehorning a non-typical enumeration scheme in to an existing infrastructure. ~Andrew
Powered by blists - more mailing lists