On 04/06/2021 11:43, Michael Brown wrote:
On 04/06/2021 11:11, Laszlo Ersek wrote:
And, to reiterate, just because Confidential Computing is the
new hot thing, the use cases for OvmfPkgIa32, OvmfPkgIa32X64, OvmfPkgX64
do not disappear. Regressing them, or making them unmaintainable due to
skyrocketing complexity, is not acceptable.
Totally agree with this. Confidential Computing is a very niche use
case, and there is no justification for exploding the complexity of the
standard OVMF build.
If, several years from now, it ever reaches the point that the majority
of real-world workloads are using TDX, then there would be an argument
that the complexity cost has to be paid and that the standard OVMF build
should include TDX features. But that's several years away and may
never happen.
Out of interest: does Intel TDX provide any security benefits beyond the
(much simpler) Intel SGX?
As far as I can tell from the various papers, the fundamental difference
between TDX and SGX seems to be that TDX deliberately increases the
attack surface from "just the application code" to "entire guest VM,
including OS kernel, runtime libraries, etc". Increasing the attack
surface while adding complexity is a huge cost so I'm assuming that
there must be some commensurate benefit, but nothing in the
documentation I've seen seems to describe what this benefit actually is.
Thanks,
Michael
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#76079): https://edk2.groups.io/g/devel/message/76079
Mute This Topic: https://groups.io/mt/83283616/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
