Re: [PATCH] docs: security: Confidential computing intro and threat model

From: Randy Dunlap
Date: Thu Apr 27 2023 - 12:46:56 EST
On 4/27/23 09:16, James Bottomley wrote:
> Public but not open source is still a problem. The federal government
> has walked into several cloud accounts demanding a source code security
> review, which means the code was made public to them but not generally.

Apparently we have different definitions of "public".
I don't call that public.

> Without all customers or some third party being able to build the code
> and verify it (or ideally supply it ... think something like Red Hat
> built the OVMF code this cloud is using and you can prove it using
> their build signatures) how do you know the source you're given
> corresponds to the binary the signature verifies.
--
~Randy
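The check Bottomley's quoted paragraph describes, written out as an added Python example (not code from either poster or from any OVMF or cloud project): a trusted builder publishes a signed manifest carrying the digest of the source tree and the digest of the firmware it built from that tree; a verifier who is handed the source rebuilds it and compares their own output's digest with the signed one, which is the only step that ties "the source I was given" to "the binary whose signature verifies". The build step, the manifest format, and the HMAC standing in for the builder's signature are all constructed stand-ins for a deterministic firmware build and a real detached signature, not anything a vendor actually ships.

```python
import hashlib
import hmac

# Constructed stand-in for a reproducible build: in practice this is the real
# firmware build, run by the verifier on the source tree they were handed.
def build(source: bytes) -> bytes:
    return b"FIRMWARE:" + hashlib.sha256(source).digest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed key for the example. A real build signature would be asymmetric
# (the verifier holds only the public key); an HMAC is used here only so the
# block runs with the standard library.
BUILDER_KEY = b"example-builder-signing-key"


def _manifest_payload(source_sha256: str, binary_sha256: str) -> bytes:
    return f"{source_sha256}|{binary_sha256}".encode()


def sign_manifest(source: bytes, binary: bytes) -> dict:
    """What the trusted builder publishes: both digests plus a signature over them."""
    source_digest = sha256_hex(source)
    binary_digest = sha256_hex(binary)
    sig = hmac.new(BUILDER_KEY, _manifest_payload(source_digest, binary_digest), "sha256")
    return {
        "source_sha256": source_digest,
        "binary_sha256": binary_digest,
        "signature": sig.hexdigest(),
    }


def verify_build(manifest: dict, given_source: bytes, deployed_binary: bytes) -> dict:
    """Run every check a verifier needs; each result is reported separately so a
    failure points at the link that is broken (signature, source, rebuild, or
    the binary actually deployed)."""
    expected = hmac.new(
        BUILDER_KEY,
        _manifest_payload(manifest["source_sha256"], manifest["binary_sha256"]),
        "sha256",
    ).hexdigest()
    signature_ok = hmac.compare_digest(expected, manifest["signature"])

    # Does the source we were shown match what the builder claims to have built?
    source_ok = sha256_hex(given_source) == manifest["source_sha256"]

    # The decisive step: rebuild it ourselves and compare with the signed digest.
    # Only this proves the published source corresponds to the signed binary.
    rebuild_ok = sha256_hex(build(given_source)) == manifest["binary_sha256"]

    # Finally, is the binary actually running the one the signature covers?
    deployed_ok = sha256_hex(deployed_binary) == manifest["binary_sha256"]

    return {
        "signature_ok": signature_ok,
        "source_ok": source_ok,
        "rebuild_ok": rebuild_ok,
        "deployed_ok": deployed_ok,
        "trustworthy": signature_ok and source_ok and rebuild_ok and deployed_ok,
    }


def demo() -> tuple:
    # Constructed sample inputs: the "real" source tree and a tampered copy.
    source = b"edk2 tree at some release; contents stand in for a source tarball"
    binary = build(source)
    manifest = sign_manifest(source, binary)

    honest = verify_build(manifest, source, binary)
    # Source shown to the reviewer differs from what was built: rebuild mismatch.
    drifted = verify_build(manifest, source + b"\n# review-only patch", binary)
    return honest, drifted


if __name__ == "__main__":
    for label, result in zip(("honest", "drifted source"), demo()):
        print(label, result)
```

The `drifted` case is the situation in the email: the reviewer is shown source that passes a visual review, the deployed binary carries a valid signature, yet `rebuild_ok` is false because the shown source does not produce the signed binary; without the rebuild step the other three checks would all pass.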