Closed rsahita closed 6 months ago
From the perspective of confidential computing, the usage of supervisor domains is described in the intro of this section:
The design describes an isolated (Confidential) Supervisor Domain to enforce TCB and confidentiality properties, while using an isolated (Hosting) Supervisor Domain for the host domain, thus maintaining the OS/VMM's role as the resource manager (for both legacy VMs and TVMs). The resources managed by the hosting supervisor domain (OS/VMM) include memory, CPU, I/O resources and platform capabilities to host the TVM workload.
The main distinction between a supervisor domain used to host confidential workloads vs. the hosting supervisor domain is the function separation between resource management and security management. Other usages may have different functions associated with supervisor domains. Hope that addresses the question.
cc @ozkoyunku
Reference: link
It is not clear what differentiates a confidential supervisor domain from the regular supervisor domain from the perspective of the isolation mechanisms (ISA and non-ISA). Is this distinction only attained for a specific SW implementation and services and flows provided? Sounds like it, but I just want to understand if there is any subtlety.