New on LowEndTalk? Please Register and read our Community Rules.

Comments
Just wanted to say that @onidel has been great and we've migrated some of our production off-site stuff over to them.
Just using the Singapore and Amsterdam locations now. Particularly happy that they use @RoyaleHosting as an upstream in Amsterdam since we also use them for DDoS protection of production stuff. Currently our WAF is hosted there with some backend stuff now with Onidel. Keeps things snappy.
I guess I should have checked this thread for coupons or something now that I've gotten 6 VMs with them and two block storage addons.
Me waiting for a HF-1 in SG
Good morning
I'm happy to announce Onidel now fully supports Measured Direct Boot with SEV-SNP in all locations where SEV-SNP is supported. This allows customers to verify the integrity of core system components (UEFI/OVMF, kernel, kernel parameters and initramfs), enabling confidential computing workloads.
To make use of this feature, you'll need to enable SEV-SNP on your VM, then create a Unified Kernel Image (UKI) and upload it to our platform. This way the hash of the UKI can be included in a special OVMF section and later measured by the trusted AMD Secure Processor.
More details here:
https://kb.onidel.com/hc/kb/articles/1781997293-amd-sev_snp-expected-launch-measurement-verification
If you run into any issues, please ensure your guest OS/kernel supports SEV-SNP and if that doesn't solve the problem, then let us know via ticket.
Feedback regarding this feature is also very welcome
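Added example, not part of any post in this thread and not Onidel's code: a verifier-side check of the three fields of a raw SEV-SNP attestation report that matter for the measured boot described above (launch measurement, guest policy debug bit, and the verifier's nonce in `REPORT_DATA`). It assumes the report's signature has already been verified against AMD's certificate chain and that the expected measurement was computed beforehand as the linked KB article describes; the function names and sample values are hypothetical.

```python
import hmac
import struct

REPORT_LEN = 1184        # size of an SNP ATTESTATION_REPORT, signature included
OFF_POLICY = 0x08        # u64 guest policy
OFF_REPORT_DATA = 0x50   # 64 bytes supplied by the guest (here: verifier nonce)
OFF_MEASUREMENT = 0x90   # 48-byte launch measurement
POLICY_DEBUG = 1 << 19   # debug bit: lets the host decrypt guest memory

def check_report(report, expected_measurement, nonce):
    """Return a list of failures; an empty list means all three fields match."""
    if len(report) != REPORT_LEN:
        return ["unexpected report length"]
    failures = []
    (policy,) = struct.unpack_from("<Q", report, OFF_POLICY)
    report_data = report[OFF_REPORT_DATA:OFF_REPORT_DATA + 64]
    measurement = report[OFF_MEASUREMENT:OFF_MEASUREMENT + 48]
    if policy & POLICY_DEBUG:
        failures.append("debug policy enabled")
    # A fresh nonce per request ties the report to this verification run.
    if not hmac.compare_digest(report_data, nonce):
        failures.append("nonce mismatch (stale or replayed report)")
    if not hmac.compare_digest(measurement, expected_measurement):
        failures.append("launch measurement mismatch")
    return failures

def build_sample_report(measurement, nonce, policy=0x30000):
    """Constructed test input: a zeroed report with only three fields set."""
    assert len(measurement) == 48 and len(nonce) == 64
    buf = bytearray(REPORT_LEN)
    struct.pack_into("<Q", buf, OFF_POLICY, policy)
    buf[OFF_REPORT_DATA:OFF_REPORT_DATA + 64] = nonce
    buf[OFF_MEASUREMENT:OFF_MEASUREMENT + 48] = measurement
    return bytes(buf)

# Constructed sample values, not real measurements.
SAMPLE_MEASUREMENT = bytes(range(48))
SAMPLE_NONCE = bytes(range(64))

if __name__ == "__main__":
    good = build_sample_report(SAMPLE_MEASUREMENT, SAMPLE_NONCE)
    print(check_report(good, SAMPLE_MEASUREMENT, SAMPLE_NONCE))
    debug = build_sample_report(SAMPLE_MEASUREMENT, SAMPLE_NONCE, policy=0xB0000)
    print(check_report(debug, SAMPLE_MEASUREMENT, SAMPLE_NONCE))
```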
I thought the key was some kind of dildo.
What about implementing UKI upload via API? https://developers.onidel.com/ currently lacks this.
Thanks, I can finally store my goon stash securely
Thank you for pointing this out. We will add an API for uploading and managing UKI kernel images soon.
This is awesome!
One small suggestion is that you may want to disclaim that it does not protect entirely against physical compromise, which is something a lot of users of confidential computing technology don't fully realize.
I fail to understand if this attack is DDR5-only or researchers just skipped DDR4?
It'll work with DDR4 too. In fact, DDR4 is probably easier since it runs at a lower speed. It'll work as long as the memory can be run with an interposer (which can be done with DDR5 all the way to SDR).
Oh yeah I completely missed the link to https://batteringram.eu/
It works with such a cheap interposer because you can configure even DDR5 to run at very low speeds. The BatteringRAM attack only works on DDR4, but could in theory be modified to support DDR5.
This attack does require cooperation with whoever is running the node, though. You can't just splice an interposer into a running system without interrupting it. But if you do have access to the system and root on the node, it allows you to bypass the protections that are supposed to ostensibly prevent anyone at all from accessing the guests unauthorized.