From: <dan.j.williams@intel.com>
To: Roman Kisel <romank@linux.microsoft.com>, <dan.j.williams@intel.com>
Cc: <Tianyu.Lan@microsoft.com>, <alok.a.tiwari@oracle.com>,
<apais@microsoft.com>, <arnd@arndb.de>, <benhill@microsoft.com>,
<bp@alien8.de>, <bperkins@microsoft.com>, <corbet@lwn.net>,
<dave.hansen@linux.intel.com>, <decui@microsoft.com>,
<haiyangz@microsoft.com>, <hpa@zytor.com>, <kys@microsoft.com>,
<linux-arch@vger.kernel.org>, <linux-coco@lists.linux.dev>
Subject: Re: [PATCH hyperv-next v4 15/16] Drivers: hv: Support establishing the confidential VMBus connection
Date: Mon, 25 Aug 2025 16:00:42 -0700 [thread overview]
Message-ID: <68aceb1ad6569_75e310067@dwillia2-mobl4.notmuch> (raw)
In-Reply-To: <20250825222126.356372-1-romank@linux.microsoft.com>
Roman Kisel wrote:
[..]
> This doesn't replace TDISP, I'll do a better job of supplementing the code changes
> with documentation and comments! Any suggestions are greatly appreciated.
No, I am not asking for documentation and comments and I am asking how
any of the security claims are validated by this partially enabled L2
guest?
> A fully-enlightened Linux guest could just use TDISP once support for that is available
> in the Linux kernel. Before it is, the non-fully enlightened Linux guests (they can only deal
> with accepting memory and sharing memory with the host) could rely on the paravisor to talk
> to such devices. The TDISP device will be connected to the paravisor, and the paravisor will
> provide the paravirtualized storage and network over the VMBus channels to the Linux guest.
Yes, that is understood, again that is not the question.
> The patch set is a building block for building a confidential I/O path for the non-fully
> enlightened Linux guests. It would be great to have the Linux storage and network stack not
> to share pages with the host (and not bounce-buffer) if the storage and network are
> paravirtualized && use the Confidential VMBus. In the first version of the patchset I had
> patches for that, yet that was considered too naive to be merged in the main line kernel so
> I dropped them. But even without that, this patch series protects the control plane and the
> data plane from the host with the exception of the pages the guest might use for bounce-buffering
> although it could've avoided that in this case.
The question is what protects against the paravisor lying about its
identity? If the L2 guest is partially aware that a paravisor is
providing confidentiality then it needs some interaction with a relying
party to say "yes, this paravisor is indeed what it claims to be". Is
that some indicator passed over an established / trusted channel that I
overlooked?
> I mentioned that the paravisor will be handling the TDISP device for such guests.
> As folks might know, we use the OpenHCL paravisor which is a Linux kernel with the VTL
> mode patches we've been upstreaming (links to the repos are in the cover letter), and
> the OpenVMM running in the user land. The question would be if TDISP isn't available
> in the Linux kernel, how one would get it working in the OpenHCL paravisor that itself
> runs Linux? The SEV guest device in the paravisor kernel is being extended to handle
> TIO. Once TDISP support is available in the mainline kernel, the paravisor will switch
> to using the mainline implementation.
Either the L2 is unenlightened and has all its mapping attempts trapped
and redirected to be encrypted, or the L2 is partially enlightened and
at a minimum validates the identity of the paravisor.
next prev parent reply other threads:[~2025-08-25 23:01 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-14 22:15 [PATCH hyperv-next v4 00/16] Confidential VMBus Roman Kisel
2025-07-14 22:15 ` [PATCH hyperv-next v4 01/16] Documentation: hyperv: " Roman Kisel
2025-07-22 17:43 ` Michael Kelley
2025-07-14 22:15 ` [PATCH hyperv-next v4 02/16] drivers: hv: VMBus protocol version 6.0 Roman Kisel
2025-07-22 17:43 ` Michael Kelley
2025-07-14 22:15 ` [PATCH hyperv-next v4 03/16] arch: hyperv: Get/set SynIC synth.registers via paravisor Roman Kisel
2025-07-15 12:46 ` kernel test robot
2025-07-22 17:43 ` Michael Kelley
2025-07-14 22:15 ` [PATCH hyperv-next v4 04/16] arch/x86: mshyperv: Trap on access for some synthetic MSRs Roman Kisel
2025-07-15 17:58 ` kernel test robot
2025-07-22 17:43 ` Michael Kelley
2025-07-25 8:04 ` Tianyu Lan
2025-07-14 22:15 ` [PATCH hyperv-next v4 05/16] Drivers: hv: Rename fields for SynIC message and event pages Roman Kisel
2025-07-15 21:46 ` kernel test robot
2025-07-22 17:44 ` Michael Kelley
2025-07-25 8:18 ` Tianyu Lan
2025-07-14 22:15 ` [PATCH hyperv-next v4 06/16] Drivers: hv: Allocate the paravisor SynIC pages when required Roman Kisel
2025-07-22 17:44 ` Michael Kelley
2025-07-25 8:23 ` Tianyu Lan
2025-07-14 22:15 ` [PATCH hyperv-next v4 07/16] Drivers: hv: Post messages through the confidential VMBus if available Roman Kisel
2025-07-22 17:44 ` Michael Kelley
2025-07-25 11:07 ` Tianyu Lan
2025-07-14 22:15 ` [PATCH hyperv-next v4 08/16] Drivers: hv: remove stale comment Roman Kisel
2025-07-22 17:44 ` Michael Kelley
2025-07-25 11:08 ` Tianyu Lan
2025-07-14 22:15 ` [PATCH hyperv-next v4 09/16] Drivers: hv: Check message and event pages for non-NULL before iounmap() Roman Kisel
2025-07-22 17:44 ` Michael Kelley
2025-07-25 11:14 ` Tianyu Lan
2025-07-14 22:15 ` [PATCH hyperv-next v4 10/16] Drivers: hv: Rename the SynIC enable and disable routines Roman Kisel
2025-07-22 17:44 ` Michael Kelley
2025-07-25 11:21 ` Tianyu Lan
2025-07-14 22:15 ` [PATCH hyperv-next v4 11/16] Drivers: hv: Functions for setting up and tearing down the paravisor SynIC Roman Kisel
2025-07-22 17:44 ` Michael Kelley
2025-07-14 22:15 ` [PATCH hyperv-next v4 12/16] Drivers: hv: Allocate encrypted buffers when requested Roman Kisel
2025-07-22 17:44 ` Michael Kelley
2025-07-25 14:40 ` Tianyu Lan
2025-07-14 22:15 ` [PATCH hyperv-next v4 13/16] Drivers: hv: Free msginfo when the buffer fails to decrypt Roman Kisel
2025-07-22 17:45 ` Michael Kelley
2025-07-14 22:15 ` [PATCH hyperv-next v4 14/16] Drivers: hv: Support confidential VMBus channels Roman Kisel
2025-07-22 17:45 ` Michael Kelley
2025-07-14 22:15 ` [PATCH hyperv-next v4 15/16] Drivers: hv: Support establishing the confidential VMBus connection Roman Kisel
2025-07-22 17:45 ` Michael Kelley
2025-08-19 20:26 ` dan.j.williams
2025-08-25 22:21 ` Roman Kisel
2025-08-25 23:00 ` dan.j.williams [this message]
2025-08-25 23:34 ` Roman Kisel
2025-08-25 23:57 ` dan.j.williams
2025-08-25 22:41 ` Roman Kisel
2025-07-14 22:15 ` [PATCH hyperv-next v4 16/16] Drivers: hv: Set the default VMBus version to 6.0 Roman Kisel
2025-07-22 17:45 ` Michael Kelley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=68aceb1ad6569_75e310067@dwillia2-mobl4.notmuch \
--to=dan.j.williams@intel.com \
--cc=Tianyu.Lan@microsoft.com \
--cc=alok.a.tiwari@oracle.com \
--cc=apais@microsoft.com \
--cc=arnd@arndb.de \
--cc=benhill@microsoft.com \
--cc=bp@alien8.de \
--cc=bperkins@microsoft.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=decui@microsoft.com \
--cc=haiyangz@microsoft.com \
--cc=hpa@zytor.com \
--cc=kys@microsoft.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-coco@lists.linux.dev \
--cc=romank@linux.microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).