Interoperable node integrity verification for confidential machines based on AMD SEV-SNP

DOI:

https://doi.org/10.5753/jisa.2024.3905

Keywords:

Confidential virtual machines, Confidential Computing, Cloud computing, Attestation, Interoperability, AMD SEV-SNP

Abstract

Confidential virtual machines (CVMs) are cloud providers' most recent security offering, providing confidentiality and integrity features. Although confidentiality protects the machine from the host operating system, firmware, and cloud operators, integrity protection is even more useful, as it defends against a wider range of security issues. Unfortunately, CVM integrity verification depends on remote attestation protocols, which are not trivial for operators and differ widely among cloud providers. We propose an approach for abstracting CVM attestation that leverages an open-source standard, the Cloud Native Foundation's Secure Production Identity Framework for Everyone (SPIFFE). Our approach integrates smoothly even when applications are unaware of CVMs or the SPIFFE standard. Nevertheless, our implementation inherits SPIFFE's flexibility for enforcing access control when applications do support SPIFFE. In terms of performance, CVMs incur an additional 1.3 s to 21.9 s in boot time (varying with the cloud environment), a marginal degradation for CPU, RAM, and IO workloads (maximum degradation of 2.6%), and a low but not imperceptible degradation for database workloads (between 3.6% and 7.13%). Finally, we provide usability mechanisms and a threat analysis to help users navigate cloud providers' different CVM implementations and the guarantees that result from them.



Published

2024-07-25

How to Cite

Pontes, D., Silva, F., Melo, A., Falcão, E., & Brito, A. (2024). Interoperable node integrity verification for confidential machines based on AMD SEV-SNP. Journal of Internet Services and Applications, 15(1), 179–193. https://doi.org/10.5753/jisa.2024.3905

Section

Research article