[Qualcomm feedback] Chapter 4: Clarify Figure 1 and description

Question

[Qualcomm feedback] Chapter 4: Clarify Figure 1 and description

Closed this issue 4 months ago · 2 comments

Reference: link

Confidential VMs (under a VMM) are shown in figure 1 and Confidential applications (managed by
an untrusted host OS) are shown in the architecture figure 2. As evident from the architecture, the
difference between these two scenarios is the software TCB (owned by the tenant within the TVM)
for the tenant workload - in the application TEE case, a minimal guest runtime may be used;
whereas in the VM TEE case, an enlightened guest OS is expected in the TVM TCB.

The statement "under a VMM" may be misleading, as figure 1 depicts 3 non-confidential VMs on top of the host VMM.
Suggestion to use "managed by VMM", similar to second part of sentence (managed by an untrusted host OS).

Figure 1 does not show that. The TVM appears as grey box without any TCB component.

Answer 1 · 2024-03-10T22:44:00.000Z

making updates to the figure to reflect clarifications in a combined PR

Answer 2 · 2024-03-11T03:19:57.000Z

address in PR #71

cc @ozkoyuncu