https://lwn.net/Articles/890224/ This is a special feed containing comments posted to the individual LWN article titled "Private memory for KVM guests". en-us Sun, 31 Aug 2025 12:28:19 +0000 Sun, 31 Aug 2025 12:28:19 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net https://lwn.net/Articles/890882/ https://lwn.net/Articles/890882/ farnz <p>No, it can't, because you're doing a remote attestation protocol. <p>The protocol described for <a href="https://courses.cs.washington.edu/courses/csep590/06wi/finalprojects/bare.pdf">TPM-based remote attestation in this PDF</a> is the sort of thing that's going on, with the TPM role being taken by the processor. The core to stopping the hypervisor from playing silly games is that you don't directly send back the attested value - instead, you use the processor's security enclave as the equivalent of a client certificate in a TLS type protocol. <p>Because the processor mixes in various details of the guest to the final secret it generates, you know that the guest hasn't been modified - modification would result in a guest certificate that didn't match what you were expecting - and thus you're protected against the hypervisor replacing instructions. In the event that the hypervisor <em>does</em> replace instructions, you end up sending the remote server the "wrong" certificate, and it can identify that you're not a trusted code version - either a known code version that's got security bugs, or an unknown locally modified version of code. <p>This all, of course, assumes that Intel and AMD have implemented the security parts of their processor correctly, such that attacks like the Spectre family don't work against a secure VM. Mon, 11 Apr 2022 08:06:59 +0000 https://lwn.net/Articles/890877/ https://lwn.net/Articles/890877/ LtWorf <div class="FormattedComment"> But for 2) the hypervisor could just replace the instructions to perform the check with whatever else places the wanted value into the wanted register no?<br> </div> Mon, 11 Apr 2022 07:11:06 +0000 https://lwn.net/Articles/890856/ https://lwn.net/Articles/890856/ excors <div class="FormattedComment"> I think the simplified version is: The host can&#x27;t emulate the TDX/etc hardware, because that contains a private key known only to Intel/etc. The host could trick its guest into accepting a fake TDX attestation by cleverly patching the guest&#x27;s verification code, but that doesn&#x27;t matter because it&#x27;s meant for *remote* attestation: the guest sends the signed attestation report over the network to some already-trusted machine, which verifies it against Intel&#x27;s public key and checks that the TDX hardware says the hypervisor has properly enabled memory encryption etc, before sending sensitive information (e.g. encryption keys for the guest&#x27;s disks) back to the now-trusted guest.<br> </div> Sun, 10 Apr 2022 19:35:15 +0000 https://lwn.net/Articles/890850/ https://lwn.net/Articles/890850/ ssmith32 <div class="FormattedComment"> For (2) , doesn&#x27;t it still assume some guest instructions are allowed to run on the processor directly by the host?<br> <p> What prevents the host from loading guest programs into an entirely virtualized CPU?<br> <p> Other than the complexity involved in emulating an entire set of CPU behaviours..<br> </div> Sun, 10 Apr 2022 17:42:13 +0000 https://lwn.net/Articles/890798/ https://lwn.net/Articles/890798/ jhoblitt <div class="FormattedComment"> The same issue applies to memfd in general as there is no protection against a malicious kernel. Does it make things more difficult for an attacker? Smart people seem to think so. As a user of public cloud, I would not consider this to mitigate any risk from the hypervisor. I would consider hardware support for encrypted memory a risk reduction. However, that would only be for the case where you assume the hypervisor was not comprised before the guest booted. I don&#x27;t see anyway to provide concrete security guarantees against a malicious hypervisor that could be trapping on any special security enclave instructions.<br> </div> Sat, 09 Apr 2022 02:20:24 +0000 https://lwn.net/Articles/890681/ https://lwn.net/Articles/890681/ pbonzini <div class="FormattedComment"> There are two parts in this:<br> <p> 1) for pKVM (the Arm one) yes, you are. In that case the idea is just that the vendor can see the hypervisor&#x27;s code and trusts it to protect the precious DRM&#x27;d movies<br> <p> 2) for TDX (Intel) and SEV-SNP (AMD) the guest gets an attestation signed by the processor vendor, and can check that the contents of the memory are as intended and that any debug mode is not enabled. In that case the hypervisor can mess with encrypted memory but that will result in either the host or the guest crashing. That&#x27;s fine because these confidential virtualization mechanisms don&#x27;t promise availability (the host can just decide not to run the guest at all).<br> <p> For devices (block, network) the solution is to encrypt all the things and keep keys for the encrypted disk in the initramfs (which is included in the above-mentioned attestation).<br> </div> Fri, 08 Apr 2022 06:23:52 +0000 https://lwn.net/Articles/890675/ https://lwn.net/Articles/890675/ ras <div class="FormattedComment"> I don&#x27;t know, but my guess is &quot;yes&quot;. It reminds me a polices forces assurances they will police their own wrong doings.<br> <p> I was hoping for a discussion on AMD&#x27;s Secure Encrypted Virtualization.<br> </div> Fri, 08 Apr 2022 03:17:31 +0000 https://lwn.net/Articles/890665/ https://lwn.net/Articles/890665/ bartoc <div class="FormattedComment"> Even here you&#x27;re still trusting the host not to be malicious right? As it could just .... not do all this stuff and tell you (the guest) that it did.<br> <p> Seems useful to defend against bugs though.<br> </div> Fri, 08 Apr 2022 00:45:55 +0000