From: "Theo de Raadt"
Subject: Re: AMD SEV: confidential autoconf whitelist
To: Stefan Fritsch
Cc: Mark Kettenis, Hans-Jörg Höxer, tech@openbsd.org
Date: Tue, 09 Sep 2025 10:30:08 -0600

Stefan Fritsch wrote:

> > > struct cfdriver acpi_cd = {
> > > - NULL, "acpi", DV_DULL
> > > + NULL, "acpi", DV_DULL, CD_COCOVM
> > > };
> >
> > I still think that by including acpi(4) in the list of allowed drivers
> > you have included the driver with the largest possible attack surface.
> > And our AML interpreter code certainly isn't the best quality code
> > in our tree.
>
> Making ACPI secure will be some big piece of work in the future. For now
> it is necessary.

I don't see how that can ever be achieved, because it is a Turing-complete
engine.

I'll go back to my suggestion to try to use MPBIOS information if it
exists.
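
Review bot: In the quoted `acpi_cd` hunk, the added `CD_COCOVM` initializer has no comment saying why acpi(4) is on the confidential-VM allow list. The thread treats this entry as something needed for now, not as a settled decision, so a short comment beside the initializer should mark it as a provisional exception and note that MPBIOS information was proposed as the alternative. That keeps the reasoning next to the flag and makes the entry easy to find when the allow list is revisited.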