ccc-linux-guest-hardening

Linux Security Hardening for Confidential Compute

Results 23 ccc-linux-guest-hardening issues

add required SECURITY.md file for OSSF Scorecard compliance

Bumps [tqdm](https://github.com/tqdm/tqdm) from 4.64.1 to 4.66.3. Release notes Sourced from tqdm's releases. tqdm v4.66.3 stable cli: eval safety (fixes CVE-2024-34062, GHSA-g7vv-2v7x-gj9p) tqdm v4.66.2 stable pandas: add DataFrame.progress_map (#1549) notebook: fix...

dependencies
python

The following hardening fixes around MSIX table size/offset handling, aiming to prevent a malicious device or VMM from triggering bugs by supplying bogus values were discovered by a fuzzer and...

Hardening aspect

The CoCo guest kernel can be attacked by the host/VMM through CoCo-specific hypercalls (to get values of PIO, MMIO, PCI config space, etc.) or shared memory communication interfaces. The static...

Hardening aspect

**Problem** **The below is TDX specific**: Untrusted VMM can inject both non-NMI interrupts (via posted-interrupt mechanism) and NMI interrupts. However, TDX module does not allow VMM injecting interrupt vectors in...

Hardening aspect

**Problem** For a CoCo guest, a malicious host/VMM can prevent IPIs from being delivered across vCPUs. We need to ensure that all missing IPIs can be detected or force waiting...

Hardening aspect

**Problem** ACPI tables are (mostly) controlled by the host and only passed through the TDVF (see TDX guest virtual firmware for more information). They are measured into TDX attestation registers,...

Hardening aspect

**Problem** A read from a PIO inside a CoCo guest can result in consumption of malicious data from host/VMM and if the code is not ready to handle such input,...

Hardening aspect

**Problem** The core PCI subsystem in a CoCo guest performs a lot of activity (mainly consuming data from host-controlled PCI config space) where it can receive malicious input from untrusted...

Hardening aspect

**Problem** If a CoCo guest is booted using drivers/firmware/efi/libstub, this code needs to be audited, fuzzed and hardened to withstand malicious inputs from host/VMM. In particular some components of efi...

Hardening aspect