Add threat model documentation #122
I'm not sure there is a written-up threat model for KVM. The closest thing I can think of is Andrew Honig's KVM Forum talk (related). Since this talk was in 2014, it does not cover more recent changes to the threat model (e.g. l1tf/speculation, confidential compute, nested). A summary (ignoring SEV/TDX/...) would be something like:
The VM cannot:
The VMM will ensure the VM:
Users of KVM cannot:
For this crate, the "normal" Linux threat model is probably the one to take on. At that, this crate should likely ignore the implications of speculation issues. This crate probably shouldn't have to think about which CPU it's on and if you have hyperthreading enabled. That's the job of the caller.
@stevenrutherford thanks for the information. I'll be taking a look at the talk you mentioned!
Adding a threat model should be pretty straightforward for this repository, and should follow the KVM threat model (is there such a thing generally available? ping @bonzini).
Since this is just a proxy repository that forwards calls to KVM, we should talk about:
Another interesting thing is to call out the unsafe functions and the use of raw pointers, as these might lead to undefined behavior.