Comment 4 for bug 1793159

Matthew Booth (mbooth-9) wrote :

The image cache is intended to be immutable. We assume this implicitly everywhere, and any alteration to it would certainly cause errors. It is not exposed externally anywhere.

If we assume that an attacker is able to write to or modify host storage, how often do you propose we should check the image cache? Only at instance creation as proposed here? What if it is modified after that? Given that the instance storage uses the same storage as the image cache, how should we protect the instance itself against modification?