On 11 August 2025 11:01:53 UTC, Bernhard Beschow <shen...@gmail.com> wrote:
>
>
>On 8 July 2025 16:36:03 UTC, Bernhard Beschow <shen...@gmail.com> wrote:
>>
>>
>>On 30 June 2025 21:03:06 UTC, Peter Maydell
>><peter.mayd...@linaro.org> wrote:
>>>On Mon, 30 Jun 2025 at 21:22, Bernhard Beschow <shen...@gmail.com> wrote:
>>>>
>>>>
>>>>
>>>> On 30 June 2025 09:09:31 UTC, Peter Maydell
>>>> <peter.mayd...@linaro.org> wrote:
>>>> >On Sun, 29 Jun 2025 at 21:49, Bernhard Beschow <shen...@gmail.com> wrote:
>>>> >>
>>>> >> Allows the imx8mp-evk machine to be run with KVM acceleration as a 
>>>> >> guest.
>>>> >>
>>>> >> Signed-off-by: Bernhard Beschow <shen...@gmail.com>
>>>> >> ---
>>>> >>  docs/system/arm/imx8mp-evk.rst |  7 +++++++
>>>> >>  hw/arm/fsl-imx8mp.c            | 33 ++++++++++++++++++++++++++++-----
>>>> >>  hw/arm/imx8mp-evk.c            | 11 +++++++++++
>>>> >>  hw/arm/Kconfig                 |  3 ++-
>>>> >>  hw/arm/meson.build             |  2 +-
>>>> >>  5 files changed, 49 insertions(+), 7 deletions(-)
>>>> >
>>>> >This puts a lot of IMX device models onto our security boundary,
>>>> >which makes me a bit nervous -- that's a lot of code which
>>>> >wasn't really written or reviewed carefully to ensure it
>>>> >can't be exploited by a malicious guest.
>>>>
>>>> Hi Peter,
>>>>
>>>> Does KVM increase the attack surface compared to TCG?
>>>
>>>Yes, because our security policy says that TCG is not considered
>>>a security boundary, whereas KVM is:
>>>
>>>https://qemu-project.gitlab.io/qemu/system/security.html
>>>
>>>(It would move from "non-virtualization use case" to
>>>"virtualization use case".)
>>
>>Thanks, that document nails my question.
>>
>>If KVM requires the imx devices to be inside the security boundary, what 
>>needs to be done to lift them there?
>
>Ping

Ping^2

>
>>
>>Best regards,
>>Bernhard
>>
>>>
>>>thanks
>>>-- PMM
