A Security-Enhanced vTPM 2.0 for Cloud Computing

A virtual Trusted Platform Module (vTPM) is required in the cloud because virtual machines scale out and migrate between hosts. By allocating a vTPM to a VM, the VM's users can use the vTPM's cryptographic and measurement functions just as they would use a physical TPM. However, current vTPM designs still face several key challenges: they lack runtime protection for the vTPM's keys and code, they lack a mechanism for managing vTPM keys, and they lack support for the new TPM 2.0 specification. To address these limitations, we design a vTPM 2.0 system and propose a runtime protection approach for vTPM 2.0 based on SGX. Furthermore, we present a vTPM key distribution and protection mechanism. We have implemented the vTPM 2.0 system and its security-enhanced protection mechanism. As far as we know, this is the first design and implementation of a KVM-based vTPM 2.0 system and its security-enhanced mechanism.
