From: Dave Hansen <redacted> Sent: Wednesday, February 8, 2023 9:24 AM

On 2/7/23 04:41, Borislav Petkov wrote:

quoted

Or are there no similar TDX solutions planned where the guest runs
unmodified and under a paravisor?

I actually don't think paravisors make *ANY* sense for Linux.  If you
have to modify the guest, then just modify it to talk to the hypervisor
directly.  This code is... modifying the guest.  What does putting a
paravisor in the middle do for you?

One of the original goals of the paravisor was to make fewer
modifications to the guest, especially in areas that aren't directly related
to the hypervisor.  It's arguable as to whether that goal played out in
reality.

But another significant goal is to be able to move some device emulation
from the hypervisor/VMM to the guest context.  In a CoCo VM, this move
is from outside the TCB to inside the TCB.  A great example is a virtual
TPM.  Per the CoCo VM threat model, a guest can't rely on a vTPM
provided by the host.  But a guest *can* rely on a vTPM implemented in
a more privileged layer of the guest context.  With CoCo VMs in the
Azure public cloud, the paravisor also provides other device emulation, like
the IO-APIC to solve some of the ugly interrupt delivery issues.  In a
complete solution, it should be possible for a customer to provide his
own paravisor, or at least to inspect/audit the vendor-provided paravisor
code so that it can be certified against whatever security standards the
customer requires.  For Azure CoCo VMs, this part is a work-in-progress.

This could turn into an extended discussion, and I've given only a
fairly high-level answer.   There are architects at Microsoft who could
probably give a better rendition of why we've pursued the paravisor
approach with SEV-SNP guests.

Michael

It might help with binary drivers, but we don't do upstream kernel work
to make silly binary Linux drivers happy.

So, no, there's no similar TDX solutions planned, at least for Linux
guests.  Unless I missed the memo.  Kirill?