On Wed, 2021-09-01 at 08:59 +0000, Yao, Jiewen wrote:
Hi MinIt's not just that: even if you can ensure nothing in the host changed
the variables, how do you know *your* code inside the guest is updating
them? In ordinary OVMF we try to ensure that by having the variables
SMM protected so the only update path available to the kernel is via
the setVariable interface, but we can't do that in the confidential
computing case because SMM isn't supported. That means a random kernel
attacker in the guest can potentially write to the var store too.
At least for the first SEV prototype I had to make the var store part
of the first firmware volume firstly so it got measured but secondly so
it couldn't be used as a source of configuration attacks.
I have a nasty feeling that configuration attacks are going to be the
bane of all confidential computing solutions because they give the
untrusted VMM a wide attack surface.