@mjg59 To be sure I understand, you want a small VM and a big VM. The big VM gets all the hardware minus what’s needed to run the hypervisor and the small VM. Communications between the big VM and the small VM are strictly controlled in both directions such that neither can interfere with the other.
What sort of thing are you trying to do with this small VM?
This sounds kind of like what a TPM is for, or maybe a BMC/SMC/LOM.
@mjg59 So the small VM would own the physical link to the biometric reader, then provide its own attestation about the biometric reader’s attestation it was presented an authentic biometric?
Hmm. I’m not sure I know of a way to do that in software. Decent biometric readers should already use asymmetric keys, though. It should be possible to get a secure element like a TPM or smart card to only unlock a stored key when presented with a valid signature from the reader’s private key.
@mjg59 That’s what I’m getting at: decent biometric readers should already use asymmetric keys. You may not be able to hook that directly to an off-the-shelf TPM, though I thought some had firmware allowing them to trust external public keys for exactly this reason. Might require writing custom RoT firmware like Oxide has done.
A guest can never keep a secret from the hypervisor under which it runs. The host always has full control over the guest, including the ability to inspect and change stack frames. At that point, you’re guaranteed to have a single piece of software which can get at both the clear key material from the small VM’s RAM and the data the key controls from the big VM.
Assuming that’s what you’re trying to prevent, I don’t know of any software system I would trust to provide sufficient isolation between the guests, even at a theoretical level. Computer-in-a-computer stuff like a TPM is it.
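The "secure element only unlocks a stored key when presented with a valid signature from the reader's private key" idea from earlier in the thread, modelled as an added example that is not part of any post above: the secure element issues a fresh nonce, the reader signs the nonce together with its match verdict under its own Ed25519 key, and the sealed secret is released only for a fresh, correctly signed "match". All type and function names, the Ed25519 choice, the message framing and the sample secret are assumptions constructed for this example; in a real TPM 2.0 the equivalent gating is done with a policy session (for instance TPM2_PolicySigned, which ties unsealing to a signature from an enrolled external key), not with hand-written Go.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Domain separator so a signature over a challenge cannot be confused with
// any other message the reader might sign (constructed for this example).
var attestPrefix = []byte("biometric-reader-attest-v1")

// Reader models a biometric reader that holds its own asymmetric key,
// the property the thread says "decent" readers should already have.
type Reader struct {
	priv ed25519.PrivateKey
}

// Attest signs the secure element's challenge together with the match
// result. The nonce is inside the signed message, so the signature cannot
// be replayed against a later challenge.
func (r *Reader) Attest(nonce [32]byte, matched bool) (attestation, sig []byte) {
	attestation = []byte{0}
	if matched {
		attestation[0] = 1
	}
	sig = ed25519.Sign(r.priv, signedMessage(nonce, attestation))
	return attestation, sig
}

// signedMessage is the exact byte string both sides sign and verify.
func signedMessage(nonce [32]byte, attestation []byte) []byte {
	msg := append([]byte{}, attestPrefix...)
	msg = append(msg, nonce[:]...)
	return append(msg, attestation...)
}

// SecureElement stands in for the TPM or smart card: it holds a sealed
// secret and the reader's enrolled public key, and releases the secret
// only for a fresh, correctly signed "match" attestation.
type SecureElement struct {
	readerPub ed25519.PublicKey
	secret    []byte
	nonce     [32]byte
	armed     bool // true while a challenge is outstanding
}

// NewSecureElement enrols the reader's public key at provisioning time.
func NewSecureElement(readerPub ed25519.PublicKey, secret []byte) *SecureElement {
	return &SecureElement{readerPub: readerPub, secret: append([]byte{}, secret...)}
}

// Challenge issues a fresh random nonce; any earlier challenge is discarded.
func (se *SecureElement) Challenge() ([32]byte, error) {
	var n [32]byte
	if _, err := rand.Read(n[:]); err != nil {
		return n, err
	}
	se.nonce, se.armed = n, true
	return n, nil
}

// Unseal consumes the outstanding challenge whether or not it succeeds,
// verifies the reader's signature, and only then applies policy on the
// attestation contents.
func (se *SecureElement) Unseal(attestation, sig []byte) ([]byte, error) {
	if !se.armed {
		return nil, errors.New("no outstanding challenge")
	}
	se.armed = false // single use, even on failure
	if !ed25519.Verify(se.readerPub, signedMessage(se.nonce, attestation), sig) {
		return nil, errors.New("signature does not verify under enrolled reader key")
	}
	if len(attestation) != 1 || attestation[0] != 1 {
		return nil, errors.New("reader attested no biometric match")
	}
	return append([]byte{}, se.secret...), nil
}

// Provision generates a reader key pair and enrols its public half in a
// new secure element guarding a constructed sample secret.
func Provision() (*SecureElement, *Reader, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	secret := []byte("constructed sample disk-encryption key")
	return NewSecureElement(pub, secret), &Reader{priv: priv}, nil
}

func main() {
	se, reader, err := Provision()
	if err != nil {
		panic(err)
	}
	nonce, _ := se.Challenge()
	att, sig := reader.Attest(nonce, true)
	key, err := se.Unseal(att, sig)
	fmt.Printf("first unseal: key=%q err=%v\n", key, err)
	// Replaying the same attestation against the consumed challenge fails.
	_, err = se.Unseal(att, sig)
	fmt.Println("replay:", err)
}
```

The part the thread's last two posts stress still holds here: this only helps if the SecureElement logic and the secret live somewhere the hypervisor cannot read, which is why the posts point at a TPM or other separate piece of hardware rather than a second guest.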