OpenBSD 7.8

(cdn.openbsd.org)
282 points paulnpace | 3 comments
avadodin ◴[] No.45664894[source]
SEV and CC in general look interesting seeing the slides. I hadn't heard of it yet. Someone more knowledgeable than me will say if these encrypted VMs are also protected from bugged modules within the SoC or on the bus besides being protected from the hypervisor.

It also seems that they are adding inter-core features, but I don't know whether they are related to removing locks within the kernel, embedded applications, or if they are moving to a micro-kernel internally.

replies(1): >>45665035 #
1. libroot ◴[] No.45665035[source]
No, these encrypted VMs are not protected from buggy or malicious on-die components. SEV assumes that the SoC hardware is trusted.[1] And we don't even have to go that deep: both AMD SEV and Intel's equivalent, Intel SGX, have historically been vulnerable to side-channel and speculative-execution attacks, among others, that can undermine their isolation guarantees.[2]

[1]: "As with the previous SEV and SEV-ES features, under SEV-SNP the AMD System-on-Chip (SOC) hardware, the AMD Secure Processor (AMD-SP), and the VM itself are all treated as fully trusted." https://www.amd.com/content/dam/amd/en/documents/epyc-busine...

[2]: https://libroot.org/posts/trusted-execution-environments/

replies(1): >>45665265 #
2. avadodin ◴[] No.45665265[source]
bummer

nice overview article btw

backdoors in the supply chain are always hard to avoid but if it can't even protect against third-party attackers including any of the hardware attached what's the point

replies(1): >>45665312 #
3. all2 ◴[] No.45665312[source]
Rip-packs and drill guards are designed for running system protection. Those don't protect against compromised components, though, so select your hardware with care?