by thu2111
2164 days ago
Actually SEV is meant to protect you against Google as an organisation (which would be the same thing as rogue administrators in this case). They don't mention it in the announcement but SEV is meant to be used with a little client side tool that does a remote attestation with the remote hardware. It handshakes with the firmware and you get back a hash as part of the VM boot process. You check that against an OS image you trust, and that's how you know what booted. If you don't do this then it provides no protection. The host can break in by just telling you SEV is in use when it's really not.