From: Joerg Roedel <joro@8bytes.org>
To: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: "Joerg Roedel" <jroedel@suse.de>,
"Alexey Gladkov" <legion@kernel.org>,
"Borislav Petkov" <bp@alien8.de>, "Jürgen Groß" <jgross@suse.com>,
"Alexey Gladkov (Intel)" <alexey.gladkov@intel.com>,
"Dave Hansen" <dave.hansen@intel.com>,
"Ingo Molnar" <mingo@kernel.org>,
x86@kernel.org, hpa@zytor.com,
"Tom Lendacky" <thomas.lendacky@amd.com>,
"Nikunj A Dadhania" <nikunj@amd.com>,
linux-kernel@vger.kernel.org, Larry.Dewey@amd.com
Subject: Re: [PATCH] x86/sev: Make SEV_STATUS available via SYSFS
Date: Wed, 12 Mar 2025 10:07:32 +0100 [thread overview]
Message-ID: <Z9FO1CefzO89syGg@8bytes.org> (raw)
In-Reply-To: <pskj4f5fitd5ytb7gq4negloioihl2rfbpfwa47fnw74gxmlvh@vpoijhxcee64>
On Wed, Mar 12, 2025 at 10:48:37AM +0200, Kirill A. Shutemov wrote:
> There might be a value to have consistent structure for host and guest
> information in sysfs, even if they are presented in different places under
> /sys. There's subset of information that is common for both guest and
> host, like version.
I agree for the host side, but for the guest side I am less convinced.
Any information exposed via sysfs on the guest side can not be trusted.
The only trusted way to get this information in the guest is a
successfully verified attestation report.
The same is true for exposing SEV_STATUS, btw. This can also only be
trusted together with a verified attestation. But the difference is that
SEV_STATUS is not part of the attestation report.
One might say that this does not matter much for debugging purposes, but
the question stands whether it helps the security posture of the TEE to
expose an untrusted interface which tooling then uses instead of the
trusted variant.
Regards,
Joerg
next prev parent reply other threads:[~2025-03-12 9:07 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-05 10:52 [PATCH] x86/sev: Make SEV_STATUS available via SYSFS Joerg Roedel
2025-03-05 11:11 ` [tip: x86/sev] " tip-bot2 for Joerg Roedel
2025-03-05 11:12 ` [PATCH] " Borislav Petkov
2025-03-05 11:26 ` Ingo Molnar
2025-03-05 11:31 ` Borislav Petkov
2025-03-05 11:35 ` Juergen Gross
2025-03-05 11:41 ` Borislav Petkov
2025-03-05 11:48 ` Jürgen Groß
2025-03-05 11:53 ` Borislav Petkov
2025-03-05 11:42 ` Ingo Molnar
2025-03-05 11:50 ` Borislav Petkov
2025-03-05 13:56 ` Joerg Roedel
2025-03-05 15:37 ` Borislav Petkov
2025-03-05 16:37 ` Dave Hansen
2025-03-05 16:40 ` Dave Hansen
2025-03-05 16:55 ` Borislav Petkov
2025-03-05 17:09 ` Dave Hansen
2025-03-05 17:51 ` Joerg Roedel
2025-03-05 20:07 ` Borislav Petkov
2025-03-06 8:01 ` Kirill A. Shutemov
2025-03-06 8:38 ` Joerg Roedel
2025-03-06 10:31 ` Borislav Petkov
2025-03-06 13:36 ` Kirill A. Shutemov
2025-03-06 13:56 ` Borislav Petkov
2025-03-06 10:37 ` Alexey Gladkov (Intel)
2025-03-10 10:28 ` Joerg Roedel
2025-03-10 11:02 ` Borislav Petkov
2025-03-10 12:46 ` Joerg Roedel
2025-03-10 13:36 ` Borislav Petkov
2025-03-10 11:24 ` Alexey Gladkov
2025-03-10 12:28 ` Juergen Gross
2025-03-10 12:35 ` Joerg Roedel
2025-03-10 12:49 ` Juergen Gross
2025-03-10 13:38 ` Borislav Petkov
2025-03-10 14:39 ` Tom Lendacky
2025-03-10 14:50 ` Alexey Gladkov
2025-03-10 15:11 ` Borislav Petkov
2025-03-10 15:33 ` Jürgen Groß
2025-03-10 15:41 ` Borislav Petkov
2025-03-10 15:50 ` Alexey Gladkov
2025-03-10 15:43 ` Alexey Gladkov
2025-03-10 15:52 ` Juergen Gross
2025-03-10 15:55 ` Borislav Petkov
2025-03-10 16:00 ` Juergen Gross
2025-03-10 16:06 ` Borislav Petkov
2025-03-10 16:23 ` Jürgen Groß
2025-03-10 16:05 ` Alexey Gladkov
2025-03-11 9:43 ` Joerg Roedel
2025-03-11 10:22 ` Jürgen Groß
2025-03-11 11:07 ` Borislav Petkov
2025-03-11 11:14 ` Juergen Gross
2025-03-11 18:24 ` Alexey Gladkov
2025-03-11 18:40 ` Joerg Roedel
2025-03-11 20:37 ` Alexey Gladkov
2025-03-12 7:19 ` Kirill A. Shutemov
2025-03-12 8:23 ` Joerg Roedel
2025-03-12 8:48 ` Kirill A. Shutemov
2025-03-12 9:07 ` Joerg Roedel [this message]
2025-03-12 10:59 ` Kirill A. Shutemov
2025-03-12 11:44 ` Joerg Roedel
2025-03-11 18:13 ` Alexey Gladkov
2025-03-05 13:50 ` Joerg Roedel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z9FO1CefzO89syGg@8bytes.org \
--to=joro@8bytes.org \
--cc=Larry.Dewey@amd.com \
--cc=alexey.gladkov@intel.com \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=hpa@zytor.com \
--cc=jgross@suse.com \
--cc=jroedel@suse.de \
--cc=kirill.shutemov@linux.intel.com \
--cc=legion@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=nikunj@amd.com \
--cc=thomas.lendacky@amd.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox