My annual plea for a thing: I want a type 1 hypervisor that just has a small isolated VM and then passes through the rest of the hardware to the main VM which runs Linux. The small VM is intended to be used to run small pieces of code that the main OS should not be able to interfere with. Does such a thing exist? (Think Xen, but with a Dom0 that can't see into DomUs)
@mjg59 Sounds like something you'd need Secure Encrypted Virtualization for: https://www.amd.com/en/developer/sev.html
@hyc No, once you're in SEV-land you're not really in a good place to do hardware passthrough
@mjg59 @hyc Why can you not use SEV-SNP for the security VM, with the main OS running directly on the bare metal?
@mjg59 @hyc Ah, you want to carve the TPM away from the main OS?