Preventing the misuse of add-secret requests

You can protect the add-secret request against attacks.

About this task

There are two types of attacks against the secure use of add-secret requests:

  • Theft of an add-secret request, which can then be used in a secure-guest instance that is controlled by an attacker.
  • Deception, where attackers substitute their own add-secret request for the one you intended to use.

To counter the first attack, add-secret requests are bound to a secure-execution image. However, if the secure-execution image is generic, like an appliance from a software vendor, this binding is less effective, and you need further safeguards, such as an extension secret.

An extension secret can be the null secret (the default), a secret derived from the CCK, or a specific extension secret that you provide for the add-secret request.

After you prime the ultravisor with an extension secret, all subsequent add-secret requests must include the same extension secret.