On 20.10.17 19:57, Tamas K Lengyel wrote:

Hello Tamas,

In previous discussion we considered only two variants: in XEN or outside
XEN. Stubdomain approach looks more secure, but I'm not sure that it is
true.
Such a stubdomain will need access to all guests' memory. If you manage to
gain control of the mediator stubdomain, you can do anything you want with all
guests.


That's slightly untrue. The stubdomain will only be able to mess with
domains using TEE.

Would it be feasible to have multiple TEE stubdoms providing the
interface for select domUs (with XSM)? IMHO that would provide the
greatest disaggregation and thus the most security.

If we wanted to provide every DomU with its own instance of a virtual TEE, that would work. But we want to allow DomUs to work with a real TEE. Thus we need a TEE mediator, and the mediator will need to have a shared state. So we can't split it among multiple stubdoms.


WBR Volodymyr Babchuk


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
