On 14/09/2016 15:48, Michael S. Tsirkin wrote:
>> One of the bits in the policy field is "debugging"; if this bit is set then
>> the hypervisor can use SEV commands to decrypt guest memory.
>
> That is my point. Arbitrary code execution in the hypervisor means game over
> anyway, at least with the hardware we have today.

The game is over if you assume the attacker has infinite power. In practice the attacker may be limited by other security features (SELinux, seccomp, external firewalls, whatever) and by the money and time they can spend on the attack. So anything that makes things harder for the attacker is a security improvement.

> My suggestion is to merge the support for encrypting memory first,
> then make extras like disabling debugging on top.

Sorry, but I concur with others that this makes no sense at all. If anything, it's *enabling* debugging that can be done on top.

That said...

> I can't say I understand how guest measuring helps prevent
> leaks in any way. Looks like a separate feature - why not split it
> out?

... the patch series seems to be pretty small and self-contained. I don't see any point in splitting it further.

Paolo