Not surprising - even having 2 DDR5 DIMMs on the same channel compromises signal integrity enough to need to drop the frequency by ~30-40%, so perhaps the best mitigation at the moment is to ensure the host is using the fastest DDR5 available.
So - Is the host DRAM/DIMM technology and frequency included in the remote attestation report for the VM?
The mental image I'm getting from your description is a high speed o-scope probe copy-pasted 80 times, which would obviously be insane. But Keysight docs show what looks like an entirely normal PCB that literally interposes the BGA with trace wires on every pin, which looks far too simple for a multi GHz signal.
What do they actually look like and are there teardowns that show the analog magic?
I wonder if these are full sampling scopes. In the past we had Equivalent Time Sampling scopes (wideband front end, fast sampling slow rate ADC, a variable delay trigger) and many buses have repeatable test patterns that let you trigger that way. They were always a fairly niche device.
The attestation report is signed by a key in the PSP hardware, not accessible by any OS or software, which can then be validated with the vendor's certificate/public-key. If that can be faked, are you saying that those private keys are compromised?
I'm willing to bet if you ran terrorism-as-a-service.com on a protected VM, it wouldn't be secure for long, and if it really came down to it, the keys would be coughed up.