My annual plea for a thing: I want a type 1 hypervisor that just has a small isolated VM and then passes through the rest of the hardware to the main VM which runs Linux. The small VM is intended to be used to run small pieces of code that the main OS should not be able to interfere with. Does such a thing exist? (Think Xen, but with a Dom0 that can't see into DomUs)
@mjg59 sounds like something you'd need Secure Encrypted Virtualization for https://www.amd.com/en/developer/sev.html
@hyc No, once you're in SEV-land you're not really in a good place to do hardware passthrough
@hyc I'm fine with the hypervisor being able to see what's happening in arbitrary guests, but there needs to be isolation between the primary VM and the security VM (Hyper-V manages this fine in Windows land)
@mjg59 @hyc does one know how it manages this? Does it just pretend?
@fl0_id @hyc it's a hypervisor, it simply imposes a barrier between the resources? This isn't a conceptually complicated situation, modern CPUs support it just fine
@mjg59 @hyc sure, but I just meant if the hv can technically see into all guests, who enforces the rules for the security vm? The cpu or the hv or both? If the hv, this is likely more easily overridden.
@fl0_id @hyc overridden by whom?