On Tuesday, 5 July 2022 17:26:40 BST Sharpened Blade via devel wrote:
How can you know if this interface is not emulated, and you never
talk to
the real cpu
The TDX white papers address how this is meant to work - it's based around the
same "measurement" concept as TPM measured boot (see
https://bootlin.com/blog/
measured-boot-with-a-tpm-2-0-in-u-boot/ for an explanation).
While the VM itself cannot avoid being compromised by the hoster, if you
emulate the TDX interface, you'll not be able to send the "correct"
measurements with an Intel signature - the measurements that can be sent have
either the wrong hash, or the wrong signature (similar applies to AMD's
version, but with an AMD signature).
In turn, this means that you reduce your trust chain down to the CPU maker,
because if the VM platform tampers with TDX trust chains, you can observe this
and refuse to (e.g.) send the VM platform the encryption key it needs to
unlock private data.
--
Simon Farnsworth