A modern secure hypervisor offers a capability to isolate a VM (Realm) from the VMM (RMM) (i.e., the host hyp can't corrupt the guest). I think this capability gets really important in confidential computing.
With memory encryption, it's trivial to get this capability, because, in AMD for example, all confidential VMs are encrypted with a per-VM key that only hardware knows. And when the host hypervisor tries to access another VM's page, it's going to get decrypted with a mismatched key (the host has a different key), achieving that kind of isolation.
However, when it comes to the CCA spec without memory encryption, it's still unclear to me how CCA offers this isolation at the platform level. (Maybe, without memory encryption, it doesn't offer such isolation? The RMM spec doesn't state that clearly.)
For example, through RSI_REALM_CONFIG, the RMM can write something into Realm memory space, which can be viewed as breaking VM<->VMM isolation. (Actually, not that good an example, though.)