Remote attestation of SEV-SNP confidential VMs using e-vTPMs

Departing from the "your data is safe with us" model, in which the cloud infrastructure is trusted, cloud tenants are shifting towards a model in which the cloud provider is not part of the trust domain. Both silicon and cloud vendors are trying to address this shift by introducing confidential computing, an umbrella term for mechanisms that protect data in use through encryption below the hardware boundary of the CPU, e.g., Intel Software Guard Extensions (SGX), AMD Secure Encrypted Virtualization (SEV), Intel Trust Domain Extensions (TDX), etc. In this work, we design and implement a virtual trusted platform module (vTPM) that virtualizes the hardware root of trust without requiring trust in the cloud provider. To ensure the security of a vTPM in a provider-controlled environment, we leverage the unique isolation properties of the SEV-SNP hardware and a novel approach to ephemeral TPM state management. Specifically, we develop a stateless, ephemeral vTPM that supports remote attestation without persistent state. This allows us to pair each confidential VM with a private instance of a vTPM that is completely isolated from the provider-controlled environment and from other VMs. We built our prototype entirely on open-source components: Qemu, Linux, and Keylime. Though our work is AMD-specific, a similar approach could be used to build a remote attestation protocol on other trusted execution environments (TEEs).
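As an added illustration, not code from the paper's prototype (Qemu, Linux, Keylime) and not the real SEV-SNP report or TPM 2.0 quote wire formats: a minimal Go model of the trust chain that a stateless, ephemeral vTPM implies. Because the vTPM keeps no persistent state, its attestation key (AK) is created fresh at boot and must be tied to the hardware root of trust on each run; the binding shown here (hash of the AK public key placed in the guest-supplied report-data field of the hardware attestation report) is one common way to do that and is an assumption of this example, not a statement from the abstract. The `platform` key stands in for AMD's per-chip signing key, the struct fields keep only a launch measurement and the report-data field, and every value (measurement, PCR digest, nonce) is constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// SNPReport is a simplified stand-in for the hardware attestation report.
type SNPReport struct {
	Measurement [48]byte // launch measurement of the guest image (constructed)
	ReportData  [64]byte // guest-supplied field; here SHA-256(AK public key) in the first 32 bytes
	Signature   []byte   // ASN.1 ECDSA signature by the platform key (simulated)
}

// Quote is a simplified TPM quote: AK signature over a PCR digest and a verifier nonce.
type Quote struct {
	PCRDigest [32]byte
	Nonce     []byte
	Signature []byte
}

// Evidence is what the confidential VM hands to the remote verifier.
type Evidence struct {
	Report SNPReport
	AKPub  []byte // PKIX DER encoding of the ephemeral AK public key
	Quote  Quote
}

func reportTBS(r *SNPReport) []byte { return append(append([]byte{}, r.Measurement[:]...), r.ReportData[:]...) }
func quoteTBS(q *Quote) []byte     { return append(append([]byte{}, q.PCRDigest[:]...), q.Nonce...) }

func sign(k *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, k, h[:])
}

// NewEphemeralVTPM models the vTPM at guest boot: it generates a fresh AK (no state
// survives a reboot) and obtains a report whose report-data carries the AK's hash,
// so the hardware signature vouches for this particular AK.
func NewEphemeralVTPM(platform *ecdsa.PrivateKey, measurement [48]byte) (*ecdsa.PrivateKey, SNPReport, []byte, error) {
	ak, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, SNPReport{}, nil, err
	}
	akPub, err := x509.MarshalPKIXPublicKey(&ak.PublicKey)
	if err != nil {
		return nil, SNPReport{}, nil, err
	}
	rep := SNPReport{Measurement: measurement}
	h := sha256.Sum256(akPub)
	copy(rep.ReportData[:], h[:])
	if rep.Signature, err = sign(platform, reportTBS(&rep)); err != nil {
		return nil, SNPReport{}, nil, err
	}
	return ak, rep, akPub, nil
}

// MakeQuote signs the current PCR digest together with the verifier's nonce.
func MakeQuote(ak *ecdsa.PrivateKey, pcr [32]byte, nonce []byte) (Quote, error) {
	q := Quote{PCRDigest: pcr, Nonce: append([]byte{}, nonce...)}
	var err error
	q.Signature, err = sign(ak, quoteTBS(&q))
	return q, err
}

// Verify walks the chain in order: platform signature, expected launch measurement,
// AK binding through report-data, AK signature on the quote, nonce freshness, PCR policy.
func Verify(platformPub *ecdsa.PublicKey, wantMeasurement [48]byte, nonce []byte, wantPCR [32]byte, ev Evidence) error {
	h := sha256.Sum256(reportTBS(&ev.Report))
	if !ecdsa.VerifyASN1(platformPub, h[:], ev.Report.Signature) {
		return errors.New("report signature does not verify under the platform key")
	}
	if ev.Report.Measurement != wantMeasurement {
		return errors.New("launch measurement does not match the expected guest image")
	}
	akHash := sha256.Sum256(ev.AKPub)
	if !bytes.Equal(ev.Report.ReportData[:32], akHash[:]) {
		return errors.New("attestation key is not bound to the hardware report")
	}
	pub, err := x509.ParsePKIXPublicKey(ev.AKPub)
	if err != nil {
		return err
	}
	akPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("attestation key is not an ECDSA key")
	}
	qh := sha256.Sum256(quoteTBS(&ev.Quote))
	if !ecdsa.VerifyASN1(akPub, qh[:], ev.Quote.Signature) {
		return errors.New("quote signature does not verify under the attestation key")
	}
	if !bytes.Equal(ev.Quote.Nonce, nonce) {
		return errors.New("quote nonce is stale or wrong (possible replay)")
	}
	if ev.Quote.PCRDigest != wantPCR {
		return errors.New("PCR digest does not match the expected policy")
	}
	return nil
}

// Scenario runs the full exchange on constructed values; tamper selects a failure
// mode ("" is the honest run) so the verifier's checks can be exercised one by one.
func Scenario(tamper string) error {
	platform, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) // simulated chip key
	if err != nil {
		return err
	}
	var measurement [48]byte
	copy(measurement[:], "constructed-launch-measurement")
	pcr := sha256.Sum256([]byte("constructed PCR event log"))
	nonce := []byte("verifier-nonce-0001")

	ak, report, akPub, err := NewEphemeralVTPM(platform, measurement)
	if err != nil {
		return err
	}
	quote, err := MakeQuote(ak, pcr, nonce)
	if err != nil {
		return err
	}
	ev := Evidence{Report: report, AKPub: akPub, Quote: quote}
	switch tamper {
	case "swap-ak": // an AK the hardware report never vouched for
		other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		ev.AKPub, _ = x509.MarshalPKIXPublicKey(&other.PublicKey)
	case "replay": // quote produced for a different challenge
		nonce = []byte("verifier-nonce-0002")
	case "measurement": // verifier expects a different guest image
		measurement[0] ^= 0xff
	}
	return Verify(&platform.PublicKey, measurement, nonce, pcr, ev)
}

func main() {
	for _, tm := range []string{"", "swap-ak", "replay", "measurement"} {
		fmt.Printf("%-12q -> %v\n", tm, Scenario(tm))
	}
}
```

The order of checks matters: the AK is only meaningful after the platform signature and measurement have been accepted, and a quote is only evaluated once the AK is known to belong to this guest. Note that nothing in the exchange requires the vTPM to keep the AK across reboots; each boot yields a new AK and a new report that binds it, which is the property that lets the vTPM be stateless.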
