Strengthening Trust in vTPMs: Integrity-Based Anchoring Mechanism
Abstract
This work introduces a new mechanism for securely anchoring virtual TPMs (vTPMs). The proposed approach focuses on fully protecting the vTPM state, which collectively represents all essential resources and data of a vTPM. The central objective of the solution is to establish a robust, hardware-based proof of integrity, so that a remote attester can verify a vTPM. We implemented a prototype of the solution and evaluated the overhead it imposes on the system. The results show that the proposed approach does not compromise vTPM performance and introduces only a slight operational overhead: 4 percentage points for CPU and 0.05 percentage points for system memory.
Published: 2024-05-20
How to Cite
TASSYANY, Marcela; MEDEIROS, Ronaldo; SARMENTO, Ramon; GOMES, Reinaldo. Strengthening Trust in vTPMs: Integrity-Based Anchoring Mechanism. In: BRAZILIAN SYMPOSIUM ON COMPUTER NETWORKS AND DISTRIBUTED SYSTEMS (SBRC), 42., 2024, Niterói/RJ. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 517-530. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc.2024.1432.
