Matthew GarrettMay 8, 2024
My annual plea for a thing: I want a type 1 hypervisor that just has a small isolated VM and then passes through the rest of the hardware to the main VM which runs Linux. The small VM is intended to be used to run small pieces of code that the main OS should not be able to interfere with. Does such a thing exist? (Think Xen, but with a Dom0 that can't see into DomUs)
Show threadHoward Chu @ Symas
@mjg59 sounds like something you'd need Secure Encrypted Virtualization for https://www.amd.com/en/developer/sev.html
May 8, 2024 at 7:27pmWeb
Show threadMatthew GarrettMay 8, 2024
@hyc No, once you're in SEV-land you're not really in a good place to do hardware passthrough
Show threadHoward Chu @ SymasMay 8, 2024
@mjg59 hm, that's a tough one then, maintaining isolation.
Show threadMatthew GarrettMay 8, 2024
@hyc I'm fine with the hypervisor being able to see what's happening in arbitrary guests, but there needs to be isolation between the primary VM and the security VM (Hyper-V manages this fine in Windows land)
Show threadFlorian IdelbergerMay 13, 2024
@mjg59 @hyc does one know how it manages this? Does it just pretend?
Show threadMatthew GarrettMay 13, 2024
@fl0_id @hyc it's a hypervisor, it simply imposes a barrier between the resources? This isn't a conceptually complicated situation, modern CPUs support it just fine
Show threadFlorian IdelbergerMay 13, 2024
@mjg59 @hyc sure, but I just meant if the hv can technically see into all guests, who enforces the rules for security vm? The cpu or the hv or both? If the hv, this is likely more easily overridden.
Show threadMatthew GarrettMay 13, 2024
@fl0_id @hyc overridden by whom?
Show threadbalooMay 8, 2024
@mjg59 @hyc
Curious: what kind of hardware should the security VM need to access?
(I can only guess TPM? For state bootstrap or something?)
Show threadMorten LinderudMay 8, 2024

@baloo @mjg59 @hyc

I suspect this is a continuation of the fingerprint issue Matthew was writing about a couple of months(?) ago.

EDIT: This post https://nondeterministic.computer/@mjg59/111456696748600420

Matthew Garrett (@[email protected])

https://blackwinghq.com/blog/posts/a-touch-of-pwn-part-i/ is some very nice research, with some terrifying takeaways: 1) Microsoft developed a secure communications path between the OS and any biometric devices 2) One vendor used the same backing store for both the secure and insecure path, allowing enrollment of fingerprints via the insecure path that were then trusted in the secure path 3) Another vendor used their own fucked up TLS-based implementation rather than the Microsoft one 4) *Microsoft* didn't use their own protocol

Nondeterministic Computer
Show threadMatthew GarrettMay 8, 2024
@baloo @hyc Potentially the TPM, but otherwise nothing - just CPU, RAM, and some sort of simple intra-VM communication channel.
Show threadbalooMay 8, 2024

@mjg59 @hyc
I know you already dismissed SEV, but https://github.com/project-oak/oak seems vaguely related?

This is a VM inside the main OS, but the binary inside the TEE is available over grpc.

GitHub - project-oak/oak: Meaningful control of data in distributed systems.

Meaningful control of data in distributed systems. - project-oak/oak

GitHub
Show threadMatthew GarrettMay 8, 2024
@baloo @hyc Right, you can do it the other way around with SEV, but that then leaves you with very restricted hardware support at the moment
Show threadbalooMay 8, 2024
@mjg59 @hyc yeah definitely. You will need a piece of code in the main os to make the bridge for any hardware resource you might need.
Show threadJonathan McDowellMay 8, 2024
@mjg59 @hyc Why can you not use SEV-SNP for the security VM, with the main OS running directly on the bare metal?
Show threadJonathan McDowellMay 8, 2024
@mjg59 @hyc Ah, you want to carve the TPM away from the main OS?
Show threadMatthew GarrettMay 8, 2024
@noodles @hyc Some form of secret manager, at least
Show threadMatthew GarrettMay 9, 2024
@noodles @hyc SEV is pretty much exclusive to server parts, and I have a laptop