Matthew GarrettMy annual plea for a thing: I want a type 1 hypervisor that just has a small isolated VM and then passes through the rest of the hardware to the main VM which runs Linux. The small VM is intended to be used to run small pieces of code that the main OS should not be able to interfere with. Does such a thing exist? (Think Xen, but with a Dom0 that can't see into DomUs)
Howard Chu @ Symas@mjg59 sounds like something you'd need Secure Encrypted Virtualization for https://www.amd.com/en/developer/sev.html
@hyc No, once you're in SEV-land you're not really in a good place to do hardware passthrough
baloo
Morten LinderudI suspect this is a continuation of the fingerprint issue Matthew was writing about a couple of months(?) ago.
EDIT: This post https://nondeterministic.computer/@mjg59/111456696748600420
Matthew Garrett (@[email protected])
https://blackwinghq.com/blog/posts/a-touch-of-pwn-part-i/ is some very nice research, with some terrifying takeaways: 1) Microsoft developed a secure communications path between the OS and any biometric devices 2) One vendor used the same backing store for both the secure and insecure path, allowing enrollment of fingerprints via the insecure path that were then trusted in the secure path 3) Another vendor used their own fucked up TLS-based implementation rather than the Microsoft one 4) *Microsoft* didn't use their own protocol
@mjg59 @hyc
I know you already dismissed SEV, but https://github.com/project-oak/oak seems vaguely related?
This is a VM inside the main OS, but the binary inside the TEE is available over grpc.
