On Wed, Sep 14, 2016 at 03:07:58PM +0200, Paolo Bonzini wrote:
> 
> 
> On 14/09/2016 15:05, Michael S. Tsirkin wrote:
> > I assumed that with debug on, memory is still encrypted but the
> > hypervisor can break encryption, and as the cover letter states, the
> > hypervisor is assumed benign. If true I don't see a need to
> > give users more rope.
> 
> The hypervisor is assumed benign but vulnerable.

Vulnerable to information leaks, yes.

> So, if somebody breaks the hypervisor, you would like to make it as hard
> as possible

We don't just do this at random. Need some proof it's actually making
things harder.

> for the attacker to do evil stuff to the guests.

Break as in make it do things? This is a possible model, but this is not
what the cover letter states. As far as I can tell, encrypting memory
does not protect against an attacker that can execute code in the
hypervisor, if only for the reason that a lot of guest info is not in
memory, as the CPU always accesses memory through registers.

> If the
> attacker can just ask the secure processor "decrypt some memory for me",
> then the encryption is effectively broken.
> 
> Paolo

Not at all, if all you have is hypervisor read-anywhere access, then that
is not broken. This seems to be the threat model that the patchset
targets, again based on the cover letter.

-- 
MST