Re: [ANNOUNCEMENT] COCONUT Secure VM Service Module for SEV-SNP

["Jörg Rödel" <jroedel@suse.de>]

Hi Dave,

On Tue, Mar 21, 2023 at 03:06:19PM +0000, Dr. David Alan Gilbert wrote:
> Interesting; it would have been nice to have known about this a little
> earlier, some people have been working on stuff built on top of the AMD
> one for a while.

Sorry for that, we wanted to have it in a state where it could at least
boot an SMP Linux guest. It took us some more time to get the
foundations right and get to that point.

> You mention two things that I wonder how they interact:
> 
>   a) TPMs in the future at a higher ring
>   b) Making (almost) unmodified guests
> 
> What interface do you expect the guest to see from the TPM - would it
> look like an existing TPM hardware interface or would you need some
> changes?

For a) without b) the guest interface will be the SVSM TPM protocol. The
ring-0 code will forward any request to the TPM process and return to
the guest when it is done.

For b), or the paravisor mode, this is the vision, which is probably
more than a year out. The idea behind that is to be able to emulate what
Hyper-V is doing to boot Windows guests under SEV-SNP on an open source
SW stack.

How the TPM interface will look like for that paravisor mode is not
clear yet. In theory we can emulate a real TPM interface to make this
work, but that is not sure yet.

Regards,

-- 
Jörg Rödel
jroedel@suse.de

SUSE Software Solutions Germany GmbH
Frankenstraße 146
90461 Nürnberg
Germany

(HRB 36809, AG Nürnberg)
Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman