
From: "Theo de Raadt" <deraadt@openbsd.org>
Subject: Re: AMD SEV: confidential autoconf whitelist
To: Stefan Fritsch <sf@sfritsch.de>
Cc: Mark Kettenis <mark.kettenis@xs4all.nl>, Hans-Jörg Höxer <hshoexer@genua.de>, tech@openbsd.org
Date: Tue, 09 Sep 2025 10:30:08 -0600


Stefan Fritsch <sf@sfritsch.de> wrote:

> > >  struct cfdriver acpi_cd = {
> > > -	NULL, "acpi", DV_DULL
> > > +	NULL, "acpi", DV_DULL, CD_COCOVM
> > >  };
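Review bot: the added line that appends CD_COCOVM to acpi_cd carries no rationale in the diff context, and the replies below question exactly this choice: the flag marks a driver as allowed to attach inside a confidential VM, and admitting acpi(4) admits the AML interpreter along with it. State in the commit message, or in a comment beside the CD_COCOVM flag, why acpi(4) must be on the whitelist, so the decision can be revisited once the ACPI hardening work mentioned in the reply is done.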
> > 
> > I still think that by including acpi(4) in the list of allowed drivers
> > you have included the driver with the largest possible attack surface.
> > And our AML interpreter code certainly isn't the best quality code
> > in our tree.
> 
> Making ACPI secure will be some big piece of work in the future. For now
> it is necessary.

I don't see how that can ever be achieved, because it is a Turing-complete
engine.

I'll go back to my suggestion to try to use MPBIOS information if it exists.