Hi, > One issue with that is that the contents of the CPUID page are not part > of guest measurement that will be checked later during attestation (only > the metadata such as page type/location is recorded in the measurement). > > [ more details snipped ]
Thanks, that makes sense. > That said, for the !SNP case, additional handling *could* be added to make > use of the CPUID page, but in that case it wouldn't be validated by firmware, > so isn't much better security-wise than asking KVM. Well, the intention would be more to (a) be able to test the code without SNP hardware (for example in public CI) and (b) avoid trapping into kvm if we don't have to. It is clearly not a priority though, we can look into that once all the SNP bits are merged in edk2 and qemu. take care, Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#81017): https://edk2.groups.io/g/devel/message/81017 Mute This Topic: https://groups.io/mt/85749022/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
