Closed BeataZdunczyk closed 3 months ago
miczyg1
commented
7 months ago Verification of this requirement shall be done on ASUS KGPE-D16. This board has two CPU sockets with each CPU having 2 nodes, which is a good sample hardware to test the DEV protection bits when there are multiple CPUs/nodes.
krystian-hebel
commented
3 months ago This CPU is too old for QubesOS, see https://github.com/QubesOS/qubes-issues/issues/9150.
However, after disabling IBPB I was able to confirm that required bits were set properly on all nodes.
Is your feature request related to a problem? Please describe.
While the TrenchBoot Secure Kernel Loader (SKL) has been extensively tested on System on Chip and single CPU platforms, it has not been tested much on workstation/server segment CPUs which are more complex. For example, one server CPU package may contain two independent CPUs inside called nodes. Each node will enable protection on the SKL during DRTM execution. This protection has to be disabled on each node when TrenchBoot DRTM tasks are done. The task aims to implement the correct support for server CPUs in TrenchBoot SKL.
Is your feature request related to a new idea or technology that would benefit the project? Please describe.
Improvements to the TrenchBoot Secure Kernel Loader (SKL) for AMD server CPUs with multiple nodes would benefit the project by enabling the correct support for server CPUs and improving overall performance and security.
Describe the solution you'd like
Implement the correct support for server CPUs in TrenchBoot SKL.
Describe alternatives you've considered
N/A
Additional context
This feature request is part of Phase 4 in TrenchBoot as Anti Evil Maid project, as outlined in the documentation: https://docs.dasharo.com/projects/trenchboot-aem-v2/.
Relevant documentation you've consulted
N/A