Comment 6 for bug 1793159

John Garbutt (johngarbutt) wrote :

Seems this is about the case where:

* image cache is shared between hypervisors and remote
* ... but local ephemeral disks are encrypted

Generally, if you have access to modify the image cache, all bets are off, so you get little protection from re-checking the image cache. Seems less clear-cut in the above use case.

Feel like I need someone who understands the security aspects of this to comment on what extra protection we get here.

Would having the image cache encrypted with a separate key, shared with all the hypervisors, be better than a signature recheck? I am unsure.