Intel Posts New TDX Guest Attestation Patches To Verify Trustworthiness From 3rd Party Servers


  • #1
    Phoronix: Intel Posts New TDX Guest Attestation Patches To Verify Trustworthiness From 3rd Party Servers

    Intel's open-source Linux engineers have been working a lot recently on the kernel's support for Trust Domain Extensions (TDX). Intel TDX has similarities to AMD's Secure Encrypted Virtualization (SEV) and is ultimately about better protecting virtual machines. The latest patch series published for Linux is the Intel TDX Guest Attestation support for being able to verify a TDX VM's trustworthiness via a third-party server...


  • #2
    I hope Bhyve and VMM get this too and not just KVM.


  • #3
    Protecting VMs from the host will become more and more important to everyone, not just high-risk people. An encrypted VM on a phone, for instance, is a prime example of something that everyone could benefit from. People trade security for convenience every day. Stuff like this will go a long way, as it allows someone to maintain security without compromising too much on convenience.


  • #4
    I'm glad to see Intel finally catch up on this feature (and, knowing AMD, it'll likely be mainlined before AMD SVM too). These features allow us to trust VMs running on cloud hosters like AWS!


  • #5
    Can somebody point me to an article on how this works?
    I am specifically interested in the hard disk. So if I can verify I booted a signed kernel with initrd (merged in efistub), why can't the host tamper with the hard disk data?


  • #6
    Originally posted by CTTY:
    Can somebody point me to an article on how this works?
    I am specifically interested in the hard disk. So if I can verify I booted a signed kernel with initrd (merged in efistub), why can't the host tamper with the hard disk data?

    The host can just take a snapshot of the running system with everything unlocked (like live migration, just without the actual migration), and then it's just a matter of peeking/poking the right memory address to either read off the keys or break in. QEMU has quite sophisticated debugging built in. Well, it's mostly just gdb, but once you're at that point it's not that hard; there might even be a script for it.
    If you could encrypt RAM also in a way the host couldn't read, that would plug that hole...

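    The exchange that #5 asks about and #6 discusses, as an added example that is not part of the thread and not code from Intel's TDX patches: a toy model of measurement-based remote attestation where the guest reports its boot measurement bound to a verifier-supplied nonce, and the third-party verifier releases the disk-encryption key only if the report is authentic, fresh, and matches the expected measurement. The attestation key, the golden measurement, and the disk key are constructed stand-ins; a real TDX quote is signed by a hardware-rooted key and checked against Intel's certificate chain, whereas this example uses an HMAC with a pre-shared key so it runs offline.

```python
"""Toy model of attestation-gated key release (added example, not Intel code).

Flow modelled from the thread: the verifier issues a nonce, the guest signs
(measurement, nonce), the verifier checks signature, freshness and the
measurement against the expected value, and only then returns the disk key.
Hardware-rooted signing is replaced by an HMAC over a constructed key.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed values (assumptions for this example only).
ATTESTATION_KEY = b"constructed-hardware-root-key"
# Stand-in for the measurement of the signed kernel + initrd the verifier expects.
GOLDEN_MEASUREMENT = hashlib.sha256(b"constructed kernel+initrd image").hexdigest()
DISK_KEY = b"constructed-disk-encryption-key"


def guest_build_report(measurement: str, nonce: bytes) -> dict:
    """Guest side: bind the boot measurement to the verifier's nonce and sign it."""
    body = measurement.encode() + b"|" + nonce
    mac = hmac.new(ATTESTATION_KEY, body, hashlib.sha256).digest()
    return {"measurement": measurement, "nonce": nonce, "mac": mac}


class Verifier:
    """Third-party attestation service that holds the disk key in escrow."""

    def __init__(self) -> None:
        self._outstanding = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        """Issue a fresh single-use nonce so replayed reports are rejected."""
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, report: dict) -> Optional[bytes]:
        """Return the disk key only for an authentic, fresh, expected report."""
        nonce = report["nonce"]
        if nonce not in self._outstanding:
            return None  # stale or replayed report
        self._outstanding.discard(nonce)  # each nonce is consumed once
        body = report["measurement"].encode() + b"|" + nonce
        expected_mac = hmac.new(ATTESTATION_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_mac, report["mac"]):
            return None  # report was tampered with or not signed by the attester
        if report["measurement"] != GOLDEN_MEASUREMENT:
            return None  # guest booted something other than the expected image
        return DISK_KEY


def attest_and_unlock(verifier: Verifier, measurement: str = GOLDEN_MEASUREMENT) -> Optional[bytes]:
    """Run the full exchange from the guest's point of view."""
    nonce = verifier.challenge()
    report = guest_build_report(measurement, nonce)
    return verifier.verify(report)


if __name__ == "__main__":
    key = attest_and_unlock(Verifier())
    print("disk key released" if key == DISK_KEY else "attestation failed")
```

    The point relative to the question in #5 is that the disk is not protected by the attested boot alone: it stays encrypted, and the key that unlocks it is only handed over after the verifier accepts the measurement, so an altered kernel or initrd never receives it. The nonce is what stops a previously captured good report from being replayed.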

  • #7
    @binarybanana: I think the encrypted VM-memory support is already there?


  • #8
    Originally posted by CTTY:
    @binarybanana: I think the encrypted VM-memory support is already there?

    This is correct, there already exist multiple forms of VM security; this is AMD SEV.