Re: [PATCH 1/2] x86/random: Retry on RDSEED failure

From: Nikolay Borisov
Date: Wed Feb 14 2024 - 03:35:07 EST

On 14.02.24 at 6:32, Theodore Ts'o wrote:
> On Tue, Feb 13, 2024 at 04:53:06PM -0800, Dan Williams wrote:
>
>> Indeed it is. Typically when you have x86, riscv, arm, and s390 folks
>> all show up at a Linux Plumbers session [1] to talk about their approach
>> to handling a new platform paradigm, that is a decent indication that
>> the technology is more real than not. Point taken that it is not here
>> today, but it is also not multiple hardware generations away as the
>> Plumbers participation indicated.
>
> My big concerns with TDISP which make me believe it may not be a
> silver bullet are that (a) it's hyper-complex (although to be fair
> Confidential Compute isn't exactly simple), and (b) it's one thing to
> digitally sign software so you know that it comes from a trusted
> source; but it's a **lot** harder to prove that hardware hasn't been
> tampered with --- a digital signature can't tell you much about
> whether or not the hardware is in an as-built state coming from the
> factory --- this requires things like wrapping the device with
> resistive wire in multiple directions with a Wheatstone bridge to
> detect if the wire has gotten cut or shorted, then dunking the whole
> thing in epoxy, so that any attempt to tamper with the hardware will
> result in it self-destructing (via a thermite charge or equivalent :-)

This really reminds me of the engineering that goes into the omnipresent POS terminals at every store, since they store certificates from the card (Visa/Master) operators. So I wonder if at some point we'll have a POS-like device (by merit of its engineering) in every server....

> Remember, the whole conceit of Confidential Compute is that you don't
> trust the cloud provider --- but if that entity controls the PCI cards
> installed in their servers, and that entity has the ability to
> *modify* the PCI cards in the server, all of the digital signatures
> and fancy-schmancy TDISP complexity isn't necessarily going to save

Can't the same argument go for the CPU, though it's a lot more "integrated" into the silicon substrate, yet we somehow believe CoCo ascertains that a VM is running on trusted hardware? But ultimately the CPU is still a part that comes from the untrusted CSP.