Lines Matching +full:sw +full:- +full:managed

17 the kernel through various networking or limited HW-specific exposed
30 classified into different subtypes depending on the SW that is intended
37 CoCo, in the virtualization context, refers to a set of HW and/or SW
38 technologies that allow for stronger security guarantees for the SW running
40 confirm the trustworthiness of all SW pieces to include in its reduced
48 additional mechanisms to control guest-host page mapping. More details on
49 the x86-specific solutions can be found in
51 …https://www.amd.com/system/files/techdocs/sev-snp-strengthening-vm-isolation-with-integrity-protec…
56 that acts as a security manager. The host-side virtual machine monitor
63 In the following diagram, the "<--->" lines represent bi-directional
67 +-------------------+ +-----------------------+
68 | CoCo guest VM |<---->| |
69 +-------------------+ | |
71 +-------------------+ | |
72 | Host VMM |<---->| |
73 +-------------------+ | |
75 +--------------------+ | |
76 | CoCo platform |<--->| |
77 +--------------------+ +-----------------------+
81 while in others it may be pure SW.
88 +-----------------------+ +-------------------+
89 | |<---->| Userspace |
90 | | +-------------------+
92 | vectors | +-------------------+
93 | |<---->| Linux Kernel |
94 | | +-------------------+
95 +-----------------------+ +-------------------+
97 +-------------------+
98 +-------------------+
100 +-------------------+
122 kernel attacks include the vulnerabilities CVE-2019-19524, CVE-2022-0435
123 and CVE-2020-24490.
131 CoCo VM TCB due to its large SW attack surface. It is important to note
139 +------------------------+
141 +-----------------------+ | +-------------------+ |
142 | |<--->| | Userspace | |
143 | | | +-------------------+ |
145 | vectors | | +-------------------+ |
146 | |<--->| | Linux Kernel | |
147 | | | +-------------------+ |
148 +-----------------------+ | +-------------------+ |
150 +-----------------------+ | +-------------------+ |
151 | |<--->+------------------------+
153 | | +------------------------+
154 | CoCo security |<--->| Host/Host-side VMM |
155 | manager | +------------------------+
156 | | +------------------------+
157 | |<--->| CoCo platform |
158 +-----------------------+ +------------------------+
172 While it is true that the host (and host-side VMM) requires some level of
191 CoCo technology SW/HW protection. This includes any possible
192 side-channels, as well as transient execution side channels. Examples of
193 explicit (not side-channel) interfaces include accesses to port I/O, MMIO
194 and DMA interfaces, access to PCI configuration space, VMM-specific
195 hypercalls (towards Host-side VMM), access to shared memory pages,
197 well as CoCo technology-specific hypercalls, if present. Additionally, the
206 CoCo-specific versions of the guest, host and platform.
208 .. list-table:: CoCo Linux guest kernel threat matrix
211 :header-rows: 1
213 * - Threat name
214 - Threat description
216 * - Guest malicious configuration
217 - A misbehaving host modifies one of the following guest's
229 * - CoCo guest data attacks
230 - A misbehaving host retains full control of the CoCo guest's data
231 in-transit between the guest and the host-managed physical or
235 * - Malformed runtime input
236 - A misbehaving host injects malformed input via any communication
239 --> guest kernel privilege escalation. This includes traditional
240 side-channel and/or transient execution attack vectors.
242 * - Malicious runtime input
243 - A misbehaving host injects a specific input value via any
251 kernel action (i.e. processing of a host-injected interrupt).