On 11/1/24 09:56, Manwaring, Derek wrote: ...
Any software except guest TD or TDX module must not be able to speculatively or non-speculatively access TD private memory,
That's a pretty broad claim and it involves mitigations in hardware and the TDX module.
Thank you, I hadn't seen that. That is a very strong claim as far as preventing speculative access; I didn't realize Intel claimed that about TDX. The comma followed by "to detect if a prior corruption attempt was successful" makes me wonder a bit if the statement is not quite as broad as it sounds, but maybe that's just meant to relate it to the integrity section?
I think it's just relating it to the integrity section.
If the attack is mitigated when the > data is _mapped_, then it's certainly not possible _unmapped_.
So why bother with direct map removal for TDX? A VMM write to TD private data causes machine checks. So any kernel bug that even accidentally writes to kernel memory can bring the whole system down. Not nice.
Fair enough. It hasn't been clear to me if there is a machine check when the host kernel accesses guest memory only transiently. I was assuming there is not.
Previous generations of hardware have had some nastiness in this area. Speculative accesses were (I think) logged in the machine check banks, but wouldn't raise an #MC. I believe TDX-capable hardware won't even log speculative accesses.
But if other mitigations completely prevent even speculative access of TD private memory like you're saying, then agree nothing to gain from direct map removal in the TDX case.
Remember, guest unmapping is done in the VMM. The VMM is not trusted in the TDX (or SEV-SNP) model. If any VMM can harm the protections on guest memory, then we have a big problem.
That isn't to say big problem can't happen. Say some crazy attack comes to light where the VMM can attack TDX if the VMM has mapping for a guest (or TDX module) memory. Crazier things have happened, and guest unmapping _would_ help there, if you trusted the VMM.
Basically, I think guest unmapping only helps system security as a whole if you must _already_ trust the VMM.