On 14/09/2016 21:24, Michael S. Tsirkin wrote:
> Well limited protection is of a limited use :) Seriously, the point of
> mitigation should be blocking classes of vulnerabilities not making
> things more complex.

No, not at all. The point of _mitigation_ is to _mitigate_ the danger from classes of vulnerabilities, i.e. make the attack harder though perhaps not ultimately impossible.

>> If the adversary is passive and cannot ask anything is it even an
>> adversary? Why do you need encryption at all if you can't even ptrace QEMU?
>
> The cover letter mentioned a read everything adversary.
> How do you read everything? Well, you probably don't but
> there could be attacks that cause kernel to leak
> contents of random memory to an attacker.

Ok, it doesn't seem too useful.

> On the software side, we should try to
> push for enabling features independently, this way more
> hardware can benefit.

We can have an "unencrypted" sev-policy that only has limited functionality such as disabling debug. So you could disable debug with

    -object sev-policy-unencrypted,debug=false,id=mypolicy \
    -machine ...,sev-policy=mypolicy

Paolo