Property-Based TPM Virtualization

Ahmad-Reza Sadeghi, Christian Stüble*, Marcel Winandy

                    Horst Görtz Institute for IT Security
                    Ruhr-University Bochum, Germany

                      * Sirrix AG security technologies
                              Bochum, Germany




ISC 2008, Taipei/Taiwan          Marcel Winandy  -  Property-Based TPM Virtualization   1
Introduction: Virtualization

●    Features
     –    Standardized operating systems on various hardware platforms
     –    Virtual machines: suspend & resume, migration
     –    Security: isolation of virtual machines
     –    Application scenario: corporate/private computing
          ●    Isolated workloads for private and corporate working
          ●    Isolated workloads for different security levels




     [Figure: two example platforms. Left: Linux, Linux and Windows VMs on a Hypervisor over Hardware.
      Right: Linux and Windows VMs on a Hypervisor over Hardware.]



Introduction: Trusted Computing (TPM)
     –    TPM: cheap, tamper-evident hardware security module
          ●    Cryptographic functions (RSA, SHA-1, key generation, RNG)
          ●    Protected storage for small data (e.g. keys)
          ●    Special keys: Endorsement Key (EK) and Storage Root Key (SRK)
     –    Authenticated Boot (recording integrity measurements)
          ●    Measurements stored in Platform Configuration Registers (PCRs)
          ●    Each component measures next component (chain of trust)

     [Figure: chain of trust. CRTM measures the BIOS, the BIOS measures the Boot Loader, the Boot Loader
      measures the OS, the OS measures the Apps; each hash is stored in the PCRs of the TPM, which also
      holds the SRK and the EK.]

     –    Attestation and Sealing
          ●    Attestation Identity Key (AIK) signs PCRs for (remote) attestation
          ●    Binding key is used to encrypt data to the current PCR values (decrypting only
               possible with the same PCR states)
Introduction: Virtual TPM (vTPM)

●    Each VM should be able to use TPM
     –    Providing protected storage and crypto coprocessor
     –    Assurance about the booted hypervisor and virtual machines
     –    Support for migration
●    Virtualization of the TPM
     –    Emulation in software, but binding to VM and hardware TPM

     [Figure: three VMs (Private Working Environment, Unclassified Corporate Environment, Classified
      Corporate Environment), each with its own TPM Driver talking to its own vTPM on the Hypervisor;
      the Hypervisor runs on Hardware with one physical TPM.]



Shortcomings of Existing vTPM Solutions


●    Migration
     –    Protected data bound to the binary representation of the hypervisor
          ●    VM's data may be unavailable after migration to another platform


●    Keys
     –    Differentiated strategies for key generation missing
          ●    some IT environments demand hardware-protected keys
          ●    whereas others would benefit from the flexibility of software keys


●    Privacy
     –    Revealing information about system configuration
          ●    (v)TPM reveals information during remote attestation of PCR values
          ●    Profiling (security risk) and discrimination possible


New vTPM Design

●    Adding new components to internal vTPM design:

●    Property Management
     –    Representation of virtual PCRs
     –    Different mechanisms to store and read values
     –    Realizing property­based attestation and sealing

●    Key Management
     –    Creating and loading cryptographic keys
     –    Supports software keys or keys of physical TPM

●    vTPM Policy
     –    User­defined policy of the vTPM instance

Flexible vTPM Architecture
     [Figure: vTPM architecture]
     –    The VM's TPM Driver issues TPM_CreateWrapKey(), TPM_Extend(i, m) and TPM_PCRRead(i) to the
          vTPM Interface
     –    The vTPM Interface dispatches CreateKey() to Key Management, Extend(i, m) and PCRRead(i) to
          Property Management, and crypto... to the Cryptographic Functions
     –    Key Management: Software Key, or Hardware Key backed by a TPM Key in the physical TPM
     –    Property Management: PropertyFilter over PropertyProvider 1, PropertyProvider 2, ...,
          PropertyProvider N
     –    The Management Interface offers migrate() to the Migration Controller
     –    The vTPM Policy governs the vTPM instance; the vTPM runs on the Hypervisor above the TPM
     –    Novel components for vTPM are highlighted

Property Providers

●    Each property provider has its own PCR vector
     –    How to store values is up to each implementation
     –    This results in a matrix of vPCRs
     –    vTPM Policy decides which vector to use on which operation
     [Figure: a vTPM Instance holding a matrix of vPCR[0], vPCR[1], ..., vPCR[n] for PropertyProvider 1,
      ..., PropertyProvider j, ..., PropertyProvider N; each provider derives its own vector from the
      PCRs of the physical TPM through its own Mapping.]

     –    Initialization
          ●    Applying all property providers to build the vPCR matrix
          ●    Each Property Provider can implement a different mapping


Changing the Measurement Function

●    PCR extension function of the TPM:
           Extend(i, m): PCR_i ← SHA1(PCR_i || m)

●    Generalizing this for each Provider_j:
           Provider_j.Extend(i, m): vPCR_{i,j} ← translate_j(vPCR_{i,j}, m)

●    Examples:
     –    translate_hash() is hashing like in the hardware TPM
     –    translate_cert() looks for a certificate and stores the public key


PCR Extension: Example

  VM-OS measures a file and wants to extend the measurement in PCR 10 of the vTPM

                  TPM_Extend(10, f572d396fae9206628714fb2ce00f72e94f2258f)

                Property Management of vTPM instance calls each Property Provider

     Provider_hash (vPCR_{10,hash}):
          before:  09d2af8dd22201dd8d48e5dcfcaed281ff9422c7
          vPCR_{10,hash} := SHA1(vPCR_{10,hash} || f572d396fae9206628714fb2ce00f72e94f2258f)
          after:   3a2fdfb2e10d4286a56715952340177c508b173c

     Provider_cert (vPCR_{10,cert}):
          before:  PK_certA
          Look for a cert for hash f572d....  If one is found (e.g., certB), add its PK
          after:   PK_certA, PK_certB



Property­Based Attestation with vTPM

●     Provider_cert is one example of using property certificates
      –   Certificates describe the properties for a particular measurement
      –   Issued by a Trusted Third Party

     1.  Verifier → VM:    attest(nonce, i, ..., j)
     2.  VM → vTPM:        quote(vAIK_ID, nonce, i, ..., j)
     3.  vTPM:             prov = policy.askForProvider(i, ..., j)
     4.  vTPM:             sign[vAIK_ID](nonce, vPCR_{i,prov}, ..., vPCR_{j,prov})
     5.  vTPM → VM:        (pcrData, nonce)
     6.  VM → Verifier:    (pcrData, nonce)
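The vPCR matrix of the Property Providers slide, the generalized Extend of the Changing the Measurement Function slide, the PCR 10 example and the policy-driven quote above, put together as one added example in Go. This is code written for this page, not the authors' vTPM implementation or Xen code. It assumes an in-process RSA key as the vAIK, a constructed map standing in for TTP-issued property certificates, a simple string encoding for pcrData, and (a design choice not taken from the slides) that a measurement with no certificate is recorded as "unknown" rather than dropped.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// PropertyProvider is the generalized extend: Provider_j.Extend(i, m): vPCR_i,j <- translate_j(vPCR_i,j, m).
type PropertyProvider interface {
	Extend(i int, m []byte)
	Read(i int) string
}

// HashProvider is translate_hash: vPCR_i <- SHA1(vPCR_i || m), like the 24 PCRs of a TPM 1.2.
type HashProvider struct{ pcr [24][sha1.Size]byte }

func (p *HashProvider) Extend(i int, m []byte) {
	h := sha1.New()
	h.Write(p.pcr[i][:])
	h.Write(m)
	copy(p.pcr[i][:], h.Sum(nil))
}
func (p *HashProvider) Read(i int) string { return hex.EncodeToString(p.pcr[i][:]) }

// CertProvider is translate_cert: look up a property certificate for the measurement and append the
// certified public key (a label here) to vPCR_i. certs is a constructed stand-in for TTP-issued certs.
type CertProvider struct {
	certs map[string]string // hex(measurement) -> certified public key label
	pcr   [24][]string
}

func (p *CertProvider) Extend(i int, m []byte) {
	pk, ok := p.certs[hex.EncodeToString(m)]
	if !ok {
		pk = "unknown" // not from the slides: uncertified software must not silently vanish
	}
	p.pcr[i] = append(p.pcr[i], pk)
}
func (p *CertProvider) Read(i int) string { return strings.Join(p.pcr[i], ",") }

// VTPM holds the vPCR matrix (one vector per provider); the vTPM Policy picks the provider that
// answers a quote. The vAIK is an in-process RSA key, assumed in place of a TPM-wrapped key.
type VTPM struct {
	providers map[string]PropertyProvider
	policy    func(pcrs []int) string // askForProvider(i, ..., j)
	aik       *rsa.PrivateKey
}

func NewVTPM(certs map[string]string, policy func([]int) string) (*VTPM, error) {
	aik, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ps := map[string]PropertyProvider{"hash": &HashProvider{}, "cert": &CertProvider{certs: certs}}
	return &VTPM{providers: ps, policy: policy, aik: aik}, nil
}

// Extend is what Property Management does with TPM_Extend(i, m): every provider translates it.
func (v *VTPM) Extend(i int, m []byte) {
	for _, p := range v.providers {
		p.Extend(i, m)
	}
}

// Quote is quote(vAIK, nonce, i, ..., j): the policy names the provider and the vAIK signs
// (nonce, vPCR_i,prov, ..., vPCR_j,prov). Entries carry the provider name for the verifier.
func (v *VTPM) Quote(nonce []byte, pcrs []int) (pcrData []string, sig []byte, err error) {
	name := v.policy(pcrs)
	prov, ok := v.providers[name]
	if !ok {
		return nil, nil, fmt.Errorf("policy selected unknown provider %q", name)
	}
	for _, i := range pcrs {
		pcrData = append(pcrData, fmt.Sprintf("%s[%d]=%s", name, i, prov.Read(i)))
	}
	sig, err = rsa.SignPKCS1v15(rand.Reader, v.aik, crypto.SHA256, quoteDigest(nonce, pcrData))
	return pcrData, sig, err
}

func quoteDigest(nonce []byte, pcrData []string) []byte {
	h := sha256.New()
	h.Write(nonce)
	for _, d := range pcrData {
		h.Write(append([]byte(d), 0)) // zero separator so signed entries cannot be re-split
	}
	return h.Sum(nil)
}

// VerifyQuote is the verifier's check: a valid vAIK signature over its own nonce and the pcrData.
func VerifyQuote(pub *rsa.PublicKey, nonce []byte, pcrData []string, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, quoteDigest(nonce, pcrData), sig) == nil
}
```

With a policy that returns "cert", the verifier learns that PCR 10 holds software certified as PK_certB (and whether anything uncertified was loaded after it) but never sees the SHA-1 chain; a policy returning "hash" gives the conventional binary quote from the same measurements. The nonce stops replay of an old quote, and the zero separators in quoteDigest stop a re-split of the signed list.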


Migration of VM and vTPM

●    Secure migration needed (confidentiality, integrity, authenticity)
●    Example: move private working environment to home PC



     [Figure: Office PC (Hardware with TPM, Hypervisor Xen 3.1) running the Private Working Environment
      VM and the Classified Corporate Environment VM, each with its own vTPM; Home PC (Hardware with TPM,
      Hypervisor Xen 3.2) running the Online Gaming Environment VM with its own vTPM.]




Trusted Channel based Migration

●    Source platform requests trusted channel to destination
     –    Creates secret encryption key bound to TPM and configuration of
          destination platform (assurance about integrity of end points)
     –    Configuration can also be property-based
     –    Re-usable for several migrations

     [Figure: Trusted Channel between the TPM of the Office PC (Hypervisor Xen 3.1) and the TPM of the
      Home PC (Hypervisor Xen 3.2). After migration the Classified Corporate Environment VM and its vTPM
      remain on the Office PC, while the Private Working Environment VM and its vTPM now run on the Home
      PC next to the Online Gaming Environment VM.]

                         Transfer encrypted TPM state via Trusted Channel
                  No re-mapping of PCRs necessary (because of property providers)
Summary
     [Figure: New vTPM Design, the architecture of the Flexible vTPM Architecture slide (VM with TPM
      Driver; vTPM Interface with CreateKey(), Extend(i, m), PCRRead(i), crypto...; Key Management with
      Software Key and Hardware Key; Property Management with PropertyFilter and PropertyProvider 1..N;
      Cryptographic Functions; Migration Controller behind the Management Interface's migrate(); vTPM
      Policy; Hypervisor; TPM with TPM Key), with the novel components for vTPM highlighted:
      - Property Providers
      - Key Management
      - vTPM Policy]




●    Allows linking the hypervisor to the vTPM based on properties
     –    Data availability after migration or software updates
     –    Trusted Migration protocol ensures binding to a trustworthy platform
●    More flexibility in key usage
     –    Key Management can delegate key requests to the hardware TPM
●    User-defined policy decides which information to reveal
     –    Policy defines which Property Provider to use on attestation


Thank you for your attention!

Questions?

Contact:

Marcel Winandy
Horst Görtz Institute for IT Security
Ruhr-University Bochum, Germany
marcel.winandy@trust.rub.de




BACKUP




Property-Based Sealing




Migration Protocol

     Source platform: vTPM, Migration Controlling Process
     Destination platform: Migration Controlling Process ', vTPM '

      1.  Migration Controlling Process:                 initiateMigration()
      2.  Migration Controlling Process ' → vTPM ':      create()
      3.  Migration Controlling Process → vTPM:          migrate()
      4.  Source → Destination:                          requestTrustedChannel()
      5.  Destination → Source:                          (PKBind, certBind)
      6.  vTPM:                                          verify(PKBind, certBind)
      7.  vTPM:                                          sk := createKey()
      8.  vTPM:                                          esk := bind[PKBind](sk)
      9.  vTPM:                                          s := getState()
     10.  vTPM:                                          es := encrypt[sk](s)
     11.  vTPM:                                          deleteKey(sk), deleteState()
     12.  Source → Destination:                          transfer(es, esk)
     13.  Migration Controlling Process → vTPM:          destroy()   (source vTPM instance ends: X)
     14.  vTPM ':                                        sk := unbind[PKBind](esk)
     15.  vTPM ':                                        s := decrypt[sk](es)
     16.  vTPM ':                                        setState(s)
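The source and destination halves of the migration protocol above, together with the property-based verify step of the Trusted Channel based Migration slide, as an added example in Go written for this page (not the authors' implementation). It assumes an in-process RSA-OAEP key as PKBind, a plain struct standing in for certBind that carries one attested property string, AES-256-GCM for encrypt[sk]/decrypt[sk] (the slides fix no cipher), and a constructed byte string as the vTPM state.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// BindCert stands for (PKBind, certBind). Constructed as a plain struct: a real certBind would be a
// TPM key certificate plus attestation evidence for the destination's configuration or properties.
type BindCert struct {
	PK         *rsa.PublicKey
	Properties string // attested property of the destination platform (assumed format)
}

// Destination holds the binding key's private half (in-process here; in the design a key of the destination's TPM) and vTPM'.
type Destination struct {
	bindKey   *rsa.PrivateKey
	cert      BindCert
	vtpmState []byte // state of vTPM' after setState(s)
}

func NewDestination(properties string) (*Destination, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	return &Destination{bindKey: k, cert: BindCert{PK: &k.PublicKey, Properties: properties}}, nil
}

// RequestTrustedChannel answers requestTrustedChannel() with (PKBind, certBind).
func (d *Destination) RequestTrustedChannel() BindCert { return d.cert }

// Receive is the destination half: sk := unbind[PKBind](esk); s := decrypt[sk](es); setState(s).
func (d *Destination) Receive(es, esk []byte) error {
	sk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.bindKey, esk, nil)
	if err != nil { return err }
	s, err := open(sk, es)
	if err != nil { return err }
	d.vtpmState = s
	return nil
}

type Source struct {
	vtpmState []byte // serialized state returned by getState() (constructed blob)
	destroyed bool
}

// Migrate is the source half. verify(PKBind, certBind) is property-based: the required property must match.
func (s *Source) Migrate(c BindCert, required string) (es, esk []byte, err error) {
	if c.PK == nil || c.Properties != required {
		return nil, nil, errors.New("destination does not satisfy the required property")
	}
	sk := make([]byte, 32) // sk := createKey()
	if _, err = rand.Read(sk); err != nil { return nil, nil, err }
	esk, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, c.PK, sk, nil) // esk := bind[PKBind](sk)
	if err != nil { return nil, nil, err }
	es, err = seal(sk, s.vtpmState) // es := encrypt[sk](s)
	if err != nil { return nil, nil, err }
	// deleteKey(sk), deleteState(), destroy(): nothing usable stays behind, so the vTPM is not duplicated.
	for i := range sk { sk[i] = 0 }
	s.vtpmState, s.destroyed = nil, true
	return es, esk, nil
}

// seal/open are encrypt[sk]/decrypt[sk] with AES-256-GCM (an assumption); the tag gives integrity.
func seal(key, pt []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, pt, nil), nil // nonce || ciphertext || tag
}

func open(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if len(data) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// RunMigration drives the exchange end to end: true when vTPM' holds the state and the source is gone.
func RunMigration(state []byte, required, destProperty string) (bool, error) {
	d, err := NewDestination(destProperty)
	if err != nil { return false, err }
	src := &Source{vtpmState: state}
	es, esk, err := src.Migrate(d.RequestTrustedChannel(), required) // initiateMigration() / migrate()
	if err != nil { return false, err }
	if err := d.Receive(es, esk); err != nil { return false, err } // transfer(es, esk)
	return bytes.Equal(d.vtpmState, state) && src.destroyed, nil
}
```

A destination whose certificate carries the wrong property is refused before any state leaves the source, and a modified es fails GCM authentication at the destination. As in the sequence above, the source runs deleteKey(sk), deleteState() and destroy() without waiting for the destination, so a transfer that fails in transit leaves no copy of the instance anywhere; a deployment would make destroy() conditional on an acknowledgement from vTPM'.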




ACRN vMeet-Up EU 2021 - Introduction and Architecture Look ForwardACRN vMeet-Up EU 2021 - Introduction and Architecture Look Forward
ACRN vMeet-Up EU 2021 - Introduction and Architecture Look ForwardProject ACRN
 

Similar to Property-Based Virtual TPM Enables Secure Virtualization (20)

Trusted Computing Base
Trusted Computing BaseTrusted Computing Base
Trusted Computing Base
 
Introduction to Trusted Computing
Introduction to Trusted ComputingIntroduction to Trusted Computing
Introduction to Trusted Computing
 
Post Exploitation Using Meterpreter
Post Exploitation Using MeterpreterPost Exploitation Using Meterpreter
Post Exploitation Using Meterpreter
 
Trusted computing introduction and technical overview
Trusted computing introduction and technical overviewTrusted computing introduction and technical overview
Trusted computing introduction and technical overview
 
Symmetric Crypto for DPDK - Declan Doherty
Symmetric Crypto for DPDK - Declan DohertySymmetric Crypto for DPDK - Declan Doherty
Symmetric Crypto for DPDK - Declan Doherty
 
Cooperative VM Migration for a virtualized HPC Cluster with VMM-bypass I/O de...
Cooperative VM Migration for a virtualized HPC Cluster with VMM-bypass I/O de...Cooperative VM Migration for a virtualized HPC Cluster with VMM-bypass I/O de...
Cooperative VM Migration for a virtualized HPC Cluster with VMM-bypass I/O de...
 
Enhance Virtualization Stack with Intel CET and MPX
Enhance Virtualization Stack with Intel CET and MPXEnhance Virtualization Stack with Intel CET and MPX
Enhance Virtualization Stack with Intel CET and MPX
 
trusted computing platform alliancee.ppt
trusted computing platform alliancee.ppttrusted computing platform alliancee.ppt
trusted computing platform alliancee.ppt
 
MPEG Extensible Middleware Poster
MPEG Extensible Middleware PosterMPEG Extensible Middleware Poster
MPEG Extensible Middleware Poster
 
Using Service Oriented Operation and Provisioning at Financial Times
Using Service Oriented Operation and Provisioning at Financial TimesUsing Service Oriented Operation and Provisioning at Financial Times
Using Service Oriented Operation and Provisioning at Financial Times
 
Puppetconf2012
Puppetconf2012Puppetconf2012
Puppetconf2012
 
DEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORS
DEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORSDEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORS
DEF CON 27 - ALI ISLAM and DAN REGALADO WEAPONIZING HYPERVISORS
 
Xen and Client Virtualization: the case of XenClient XT
Xen and Client Virtualization: the case of XenClient XTXen and Client Virtualization: the case of XenClient XT
Xen and Client Virtualization: the case of XenClient XT
 
Pcp
PcpPcp
Pcp
 
Nos Windows
Nos WindowsNos Windows
Nos Windows
 
Bloombase Spitfire KeyCastle Payment Systems Key Server Specifications
Bloombase Spitfire KeyCastle Payment Systems Key Server SpecificationsBloombase Spitfire KeyCastle Payment Systems Key Server Specifications
Bloombase Spitfire KeyCastle Payment Systems Key Server Specifications
 
OMAP Verification
OMAP VerificationOMAP Verification
OMAP Verification
 
Roy omap validation_dvc_lub_092106
Roy omap validation_dvc_lub_092106Roy omap validation_dvc_lub_092106
Roy omap validation_dvc_lub_092106
 
nullcon 2011 - Chupa Rustam
nullcon 2011 - Chupa Rustamnullcon 2011 - Chupa Rustam
nullcon 2011 - Chupa Rustam
 
ACRN vMeet-Up EU 2021 - Introduction and Architecture Look Forward
ACRN vMeet-Up EU 2021 - Introduction and Architecture Look ForwardACRN vMeet-Up EU 2021 - Introduction and Architecture Look Forward
ACRN vMeet-Up EU 2021 - Introduction and Architecture Look Forward
 

More from Marcel Winandy

Security Patterns - An Introduction
Security Patterns - An IntroductionSecurity Patterns - An Introduction
Security Patterns - An IntroductionMarcel Winandy
 
Applying a Security Kernel Framework to Smart Meter Gateways
Applying a Security Kernel Framework to Smart Meter GatewaysApplying a Security Kernel Framework to Smart Meter Gateways
Applying a Security Kernel Framework to Smart Meter GatewaysMarcel Winandy
 
Uni-directional Trusted Path: Transaction Confirmation on Just One Device
Uni-directional Trusted Path: Transaction Confirmation on Just One DeviceUni-directional Trusted Path: Transaction Confirmation on Just One Device
Uni-directional Trusted Path: Transaction Confirmation on Just One DeviceMarcel Winandy
 
MediTrust: Secure Client Systems for Healthcare IT to Protect Sensitive Data ...
MediTrust: Secure Client Systems for Healthcare IT to Protect Sensitive Data ...MediTrust: Secure Client Systems for Healthcare IT to Protect Sensitive Data ...
MediTrust: Secure Client Systems for Healthcare IT to Protect Sensitive Data ...Marcel Winandy
 
A Note on the Security in the Card Management System of the German E-Health Card
A Note on the Security in the Card Management System of the German E-Health CardA Note on the Security in the Card Management System of the German E-Health Card
A Note on the Security in the Card Management System of the German E-Health CardMarcel Winandy
 
Securing the E-Health Cloud
Securing the E-Health CloudSecuring the E-Health Cloud
Securing the E-Health CloudMarcel Winandy
 
Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments
Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop EnvironmentsTrusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments
Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop EnvironmentsMarcel Winandy
 
Patterns for Secure Boot and Secure Storage in Computer Systems
Patterns for Secure Boot and Secure Storage in Computer SystemsPatterns for Secure Boot and Secure Storage in Computer Systems
Patterns for Secure Boot and Secure Storage in Computer SystemsMarcel Winandy
 
A Pattern for Secure Graphical User Interface Systems
A Pattern for Secure Graphical User Interface SystemsA Pattern for Secure Graphical User Interface Systems
A Pattern for Secure Graphical User Interface SystemsMarcel Winandy
 
TruWallet: Trustworthy and Migratable Wallet-Based Web Authentication
TruWallet: Trustworthy and Migratable Wallet-Based Web AuthenticationTruWallet: Trustworthy and Migratable Wallet-Based Web Authentication
TruWallet: Trustworthy and Migratable Wallet-Based Web AuthenticationMarcel Winandy
 
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return...
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return...Dynamic Integrity Measurement and Attestation: Towards Defense Against Return...
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return...Marcel Winandy
 
Modeling Trusted Computing Support in a Protection Profile for High Assurance...
Modeling Trusted Computing Support in a Protection Profile for High Assurance...Modeling Trusted Computing Support in a Protection Profile for High Assurance...
Modeling Trusted Computing Support in a Protection Profile for High Assurance...Marcel Winandy
 
Compartmented Security for Browsers
Compartmented Security for BrowsersCompartmented Security for Browsers
Compartmented Security for BrowsersMarcel Winandy
 

More from Marcel Winandy (13)

Security Patterns - An Introduction
Security Patterns - An IntroductionSecurity Patterns - An Introduction
Security Patterns - An Introduction
 
Applying a Security Kernel Framework to Smart Meter Gateways
Applying a Security Kernel Framework to Smart Meter GatewaysApplying a Security Kernel Framework to Smart Meter Gateways
Applying a Security Kernel Framework to Smart Meter Gateways
 
Uni-directional Trusted Path: Transaction Confirmation on Just One Device
Uni-directional Trusted Path: Transaction Confirmation on Just One DeviceUni-directional Trusted Path: Transaction Confirmation on Just One Device
Uni-directional Trusted Path: Transaction Confirmation on Just One Device
 
MediTrust: Secure Client Systems for Healthcare IT to Protect Sensitive Data ...
MediTrust: Secure Client Systems for Healthcare IT to Protect Sensitive Data ...MediTrust: Secure Client Systems for Healthcare IT to Protect Sensitive Data ...
MediTrust: Secure Client Systems for Healthcare IT to Protect Sensitive Data ...
 
A Note on the Security in the Card Management System of the German E-Health Card
A Note on the Security in the Card Management System of the German E-Health CardA Note on the Security in the Card Management System of the German E-Health Card
A Note on the Security in the Card Management System of the German E-Health Card
 
Securing the E-Health Cloud
Securing the E-Health CloudSecuring the E-Health Cloud
Securing the E-Health Cloud
 
Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments
Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop EnvironmentsTrusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments
Trusted Virtual Domains on OpenSolaris: Usable Secure Desktop Environments
 
Patterns for Secure Boot and Secure Storage in Computer Systems
Patterns for Secure Boot and Secure Storage in Computer SystemsPatterns for Secure Boot and Secure Storage in Computer Systems
Patterns for Secure Boot and Secure Storage in Computer Systems
 
A Pattern for Secure Graphical User Interface Systems
A Pattern for Secure Graphical User Interface SystemsA Pattern for Secure Graphical User Interface Systems
A Pattern for Secure Graphical User Interface Systems
 
TruWallet: Trustworthy and Migratable Wallet-Based Web Authentication
TruWallet: Trustworthy and Migratable Wallet-Based Web AuthenticationTruWallet: Trustworthy and Migratable Wallet-Based Web Authentication
TruWallet: Trustworthy and Migratable Wallet-Based Web Authentication
 
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return...
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return...Dynamic Integrity Measurement and Attestation: Towards Defense Against Return...
Dynamic Integrity Measurement and Attestation: Towards Defense Against Return...
 
Modeling Trusted Computing Support in a Protection Profile for High Assurance...
Modeling Trusted Computing Support in a Protection Profile for High Assurance...Modeling Trusted Computing Support in a Protection Profile for High Assurance...
Modeling Trusted Computing Support in a Protection Profile for High Assurance...
 
Compartmented Security for Browsers
Compartmented Security for BrowsersCompartmented Security for Browsers
Compartmented Security for Browsers
 

Property-Based Virtual TPM Enables Secure Virtualization

• 1. Property-Based TPM Virtualization
Ahmad-Reza Sadeghi, Christian Stüble*, Marcel Winandy
Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany
* Sirrix AG security technologies, Bochum, Germany
ISC 2008, Taipei/Taiwan. Marcel Winandy - Property-Based TPM Virtualization
• 2. Introduction: Virtualization
● Features
  – Standardized operating systems on various hardware platforms
  – Virtual machines: suspend & resume, migration
  – Security: isolation of virtual machines
  – Application scenario: corporate/private computing
    ● Isolated workloads for private and corporate working
    ● Isolated workloads for different security levels
[Figure: two platforms, each running several guests (Linux, Windows) as virtual machines on a hypervisor on top of the hardware]
• 3. Introduction: Trusted Computing (TPM)
– TPM: cheap, tamper-evident hardware security module
  ● Cryptographic functions (RSA, SHA-1, key generation, RNG)
  ● Protected storage for small data (e.g. keys)
  ● Special keys: Endorsement Key (EK) and Storage Root Key (SRK)
– Authenticated Boot (recording integrity measurements)
  ● Measurements stored in Platform Configuration Registers (PCRs)
  ● Each component measures the next component (chain of trust)
[Figure: chain of trust CRTM → BIOS → Boot Loader → OS → Apps; each stage hashes the next one and stores the hash in the TPM's PCRs; the TPM also holds the EK and the SRK]
– Attestation and Sealing
  ● The Attestation Identity Key (AIK) signs PCR values for (remote) attestation
  ● Sealing: a TPM storage key encrypts data together with the current PCR values; decrypting (unsealing) is only possible when the PCRs hold the same values
• 4/5. Introduction: Virtual TPM (vTPM)
● Each VM should be able to use a TPM
  – Providing protected storage and a crypto coprocessor
  – Assurance about the booted hypervisor and virtual machines
  – Support for migration
● Virtualization of the TPM
  – Emulation in software, but bound to the VM and to the hardware TPM
[Figure: three VMs (Private Working Environment, Unclassified Corporate Environment, Classified Corporate Environment), each with its own TPM Driver talking to its own vTPM instance; the vTPMs run on the hypervisor, which sits on the hardware with the physical TPM]
• 6. Shortcomings of Existing vTPM Solutions
● Migration
  – Protected data is bound to the binary representation (hash) of the hypervisor
    ● A VM's sealed data may be unavailable after migration to a platform with a different hypervisor binary
● Keys
  – Differentiated strategies for key generation are missing
    ● Some IT environments demand hardware-protected keys
    ● Whereas others would benefit from the flexibility of software keys
● Privacy
  – Revealing information about the system configuration
    ● The (v)TPM reveals the PCR values, i.e. the exact configuration, during remote attestation
    ● Profiling (a security risk) and discrimination become possible
• 7. New vTPM Design
● Adding new components to the internal vTPM design:
● Property Management
  – Representation of virtual PCRs
  – Different mechanisms to store and read values
  – Realizing property-based attestation and sealing
● Key Management
  – Creating and loading cryptographic keys
  – Supports software keys or keys of the physical TPM
● vTPM Policy
  – User-defined policy of the vTPM instance
• 8. Flexible vTPM Architecture
[Figure: the VM's TPM Driver issues TPM_CreateWrapKey(), TPM_Extend(i, m) and TPM_PCRRead(i) to the vTPM Interface; a separate Management Interface offers migrate(). Inside the vTPM instance these map to CreateKey(), Extend(i, m), PCRRead(i) and the crypto functions, served by the following components:]
– Key Management: Software Key, Hardware Key (backed by a TPM Key held in the physical TPM)
– Property Management: PropertyFilter and PropertyProvider 1 ... PropertyProvider N
– Cryptographic Functions
– Migration Controller
– vTPM Policy, consulted by the components above
The vTPM instance runs on the hypervisor above the hardware TPM. Novel components for the vTPM: Property Management (property providers), Key Management and vTPM Policy.
• 9. Property Providers
● Each property provider has its own PCR vector
  – How to store values is up to each implementation
  – This results in a matrix of vPCRs
  – The vTPM Policy decides which vector to use on which operation
[Figure: vTPM instance holding a matrix vPCR[0] ... vPCR[n] × PropertyProvider 1 ... PropertyProvider N; a mapping connects the hardware TPM's PCRs to the matrix]
– Initialization
  ● Applying all property providers to build the vPCR matrix from the TPM's PCRs
  ● Each property provider can implement a different mapping
• 10. Changing the Measurement Function
● PCR extension function of the TPM:
  Extend(i, m): PCR_i ← SHA1(PCR_i || m)
● Generalizing this for each Provider_j:
  Provider_j.Extend(i, m): vPCR_{i,j} ← translate_j(vPCR_{i,j}, m)
● Examples:
  – translate_hash() is hashing like in the hardware TPM
  – translate_cert() looks for a certificate and stores the public key
• 11. PCR Extension: Example
The VM's OS measures a file and wants to extend the measurement into PCR 10 of the vTPM:
  TPM_Extend(10, f572d396fae9206628714fb2ce00f72e94f2258f)
Property Management of the vTPM instance calls each Property Provider:
– Provider_hash, before: vPCR_{10,hash} = 09d2af8dd22201dd8d48e5dcfcaed281ff9422c7
  vPCR_{10,hash} := SHA1(vPCR_{10,hash} || f572d396fae9206628714fb2ce00f72e94f2258f)
  after: vPCR_{10,hash} = 3a2fdfb2e10d4286a56715952340177c508b173c
– Provider_cert, before: vPCR_{10,cert} = {PK_certA}
  Look for a certificate for the hash f572d...; if one is found (e.g., certB), add its public key
  after: vPCR_{10,cert} = {PK_certA, PK_certB}
• 12. Property-Based Attestation with vTPM
● Provider_cert is one example of using property certificates
  – Certificates describe the properties of a particular measurement
  – Issued by a Trusted Third Party
Protocol between Verifier, VM and vTPM:
  1. Verifier → VM: attest(nonce, i, ..., j)
  2. VM → vTPM: quote(vAIK_ID, nonce, i, ..., j)
  3. vTPM: prov = policy.askForProvider(i, ..., j)
  4. vTPM: sign[vAIK_ID](nonce, vPCR_{i,prov}, ..., vPCR_{j,prov})
  5. vTPM → VM: (pcrData, nonce)
  6. VM → Verifier: (pcrData, nonce)
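The provider matrix of slides 9 to 11 and the quote protocol of slide 12, written out as an added example; this is not code from the paper or from any vTPM implementation. It assumes a SHA-1 hash provider and a certificate provider whose property certificates are a constructed measurement-to-public-key table, and uses HMAC-SHA256 in place of the vAIK signature because the standard library has no RSA. The policy, nonce, vAIK secret and measurement A are constructed; the measurement f572d... is the one from slide 11.

```python
"""Property providers and property-based attestation in a vTPM (added example).

Assumptions: one SHA-1 hash provider and one certificate provider; a property
certificate is modelled as measurement -> public key from a TTP; HMAC-SHA256
stands in for the vAIK signature.  All values below are constructed.
"""
import hashlib
import hmac
import json

NUM_PCRS = 24


class HashProvider:
    """translate_hash: vPCR[i] <- SHA1(vPCR[i] || m), the hardware TPM's extend."""
    name = "hash"

    def __init__(self):
        self.vpcr = [b"\x00" * 20 for _ in range(NUM_PCRS)]

    @staticmethod
    def translate(old: bytes, m: bytes) -> bytes:
        return hashlib.sha1(old + m).digest()

    def extend(self, i: int, m: bytes) -> None:
        self.vpcr[i] = self.translate(self.vpcr[i], m)

    def read(self, i: int) -> str:
        return self.vpcr[i].hex()


class CertProvider:
    """translate_cert: if a property certificate vouches for m, record its public key."""
    name = "cert"

    def __init__(self, certs: dict):
        self.certs = certs  # measurement (hex) -> public key of the certificate (constructed)
        self.vpcr = [[] for _ in range(NUM_PCRS)]

    def extend(self, i: int, m: bytes) -> None:
        pk = self.certs.get(m.hex())
        if pk is not None and pk not in self.vpcr[i]:
            self.vpcr[i].append(pk)   # an unknown measurement leaves the vector unchanged

    def read(self, i: int) -> list:
        return list(self.vpcr[i])


class VTPM:
    def __init__(self, providers, policy: dict, vaik_secret: bytes):
        self.providers = {p.name: p for p in providers}
        self.policy = policy          # PCR index -> provider whose vector may be revealed
        self._vaik = vaik_secret      # stand-in for the private half of the vAIK

    def tpm_extend(self, i: int, m: bytes) -> None:
        for p in self.providers.values():   # Property Management calls every provider
            p.extend(i, m)

    def ask_for_provider(self, indices) -> str:
        names = {self.policy[i] for i in indices}
        if len(names) != 1:
            raise ValueError("policy selects different providers for the requested PCRs")
        return names.pop()

    def quote(self, nonce: bytes, indices):
        prov = self.ask_for_provider(indices)
        pcr_data = {"provider": prov, "nonce": nonce.hex(),
                    "pcrs": {str(i): self.providers[prov].read(i) for i in indices}}
        msg = json.dumps(pcr_data, sort_keys=True).encode()
        return pcr_data, hmac.new(self._vaik, msg, hashlib.sha256).hexdigest()


def verify_quote(vaik_secret: bytes, nonce: bytes, pcr_data: dict, sig: str) -> bool:
    """Verifier side: the nonce must be ours and the signature must cover pcrData."""
    msg = json.dumps(pcr_data, sort_keys=True).encode()
    expect = hmac.new(vaik_secret, msg, hashlib.sha256).hexdigest()
    return pcr_data["nonce"] == nonce.hex() and hmac.compare_digest(sig, expect)


MEASURE_A = hashlib.sha1(b"constructed component A").digest()
MEASURE_B = bytes.fromhex("f572d396fae9206628714fb2ce00f72e94f2258f")  # hash from slide 11
CERTS = {MEASURE_A.hex(): "PKcertA", MEASURE_B.hex(): "PKcertB"}          # constructed TTP certs
VAIK = b"constructed-vAIK-secret"


def build_vtpm() -> VTPM:
    policy = {i: "hash" for i in range(NUM_PCRS)}
    policy[10] = "cert"   # user policy: for PCR 10 reveal properties, not the binary hash
    return VTPM([HashProvider(), CertProvider(CERTS)], policy, VAIK)


def demo() -> dict:
    vtpm = build_vtpm()
    vtpm.tpm_extend(10, MEASURE_A)
    vtpm.tpm_extend(10, MEASURE_B)
    vtpm.tpm_extend(11, b"\x11" * 20)   # no certificate exists for this measurement
    nonce = b"\x01\x02\x03\x04"
    pcr_data, sig = vtpm.quote(nonce, [10])
    return {"hash10": vtpm.providers["hash"].read(10),
            "cert10": vtpm.providers["cert"].read(10),
            "cert11": vtpm.providers["cert"].read(11),
            "quote": pcr_data,
            "ok": verify_quote(VAIK, nonce, pcr_data, sig),
            "replayed": verify_quote(VAIK, b"\x09\x09\x09\x09", pcr_data, sig)}


def mixed_quote_rejected() -> bool:
    """PCR 10 (cert) and PCR 11 (hash) cannot be quoted as one provider vector."""
    try:
        build_vtpm().quote(b"n", [10, 11])
    except ValueError:
        return True
    return False
```

The quote for PCR 10 carries only the public keys of the certificates that vouch for the measured components, never the SHA-1 chain, so the verifier learns the properties without learning the exact binaries; the hash vector still exists for sealing and for policies that want it.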
• 13. Migration of VM and vTPM
● Secure migration needed (confidentiality, integrity, authenticity)
● Example: move the private working environment to the home PC
[Figure: Office PC (Hypervisor Xen 3.1, hardware TPM) running the Private Working Environment and Classified Corporate Environment VMs, each with its own vTPM; Home PC (Hypervisor Xen 3.2, hardware TPM) running an Online Gaming Environment VM with its vTPM]
• 14-16. Trusted Channel based Migration
● The source platform requests a trusted channel to the destination
  – Creates a secret encryption key bound to the TPM and the configuration of the destination platform (assurance about the integrity of the end points)
  – The configuration can also be property-based
  – Re-usable for several migrations
[Figure: Trusted Channel between the Office PC (Xen 3.1) and the Home PC (Xen 3.2), each with its hardware TPM; the Private Working Environment VM together with its vTPM moves from the office PC to the home PC]
● Transfer the encrypted vTPM state via the Trusted Channel
● No re-mapping of PCRs necessary (because of the property providers)
• 17. Summary
New vTPM Design (architecture of slide 8; the novel components are the Property Providers, Key Management and the vTPM Policy)
● Allows linking the hypervisor to the vTPM based on properties
  – Data availability after migration or software updates
  – The Trusted Migration protocol ensures binding to a trustworthy platform
● More flexibility in key usage
  – Key Management can delegate key requests to the hardware TPM
● A user-defined policy decides which information to reveal
  – The policy defines which Property Provider to use on attestation
• 19. BACKUP
• 20. Property-Based Sealing
• 21. Migration Protocol
Parties: on the source platform the Migration Controlling Process and the vTPM; on the destination platform the Migration Controlling Process' and the newly created vTPM'.
  1. Source: initiateMigration()
  2. Destination: create() the empty vTPM'
  3. Source: migrate() on the vTPM
  4. vTPM → destination: requestTrustedChannel(); destination answers with (PKBind, certBind)
  5. vTPM: verify(PKBind, certBind)
  6. vTPM: sk := createKey(); esk := bind[PKBind](sk)
  7. vTPM: s := getState(); es := encrypt[sk](s)
  8. vTPM: deleteKey(sk), deleteState()
  9. transfer(es, esk) to the destination; the source vTPM is destroy()ed
  10. vTPM': sk := unbind[PKBind](esk); s := decrypt[sk](es); setState(s)
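The trusted-channel migration of slides 14 to 16 and the protocol of slide 21, simulated end to end as an added example; this is not the paper's code or any vTPM product's. It assumes that the destination TPM's RSA binding key (PKBind) is replaced by a wrapping key that only the destination TPM object can unwrap, with the PCR configuration passed as authenticated data so that unbind fails on a platform whose configuration differs; certBind is an HMAC from a constructed TTP, and encrypt/decrypt are a SHA-256 CTR keystream with an HMAC tag. The configurations, keys and the vTPM state are constructed; the bound configuration may be a binary digest or, as on slide 14, a property string.

```python
"""Trusted-channel migration of a vTPM state, simulated (added example).

Assumptions: a symmetric wrapping key stands in for the destination TPM's RSA
binding key; certBind is an HMAC from a constructed TTP; encryption is a
SHA-256 CTR keystream plus HMAC tag.  Every value here is constructed.
"""
import hashlib
import hmac
import json
import os


def _derive(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + b":" + key).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Authenticated-encryption stand-in: nonce || CTR ciphertext || HMAC tag (covers aad)."""
    nonce = os.urandom(16)
    ks = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_derive(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_derive(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("unbind/decrypt refused: wrong key or platform configuration")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_derive(key, b"enc"), nonce, len(ct))))


class BindPublicKey:
    """Public half of the simulated binding key: the source binds sk to a configuration."""
    def __init__(self, wrap: bytes, handle: str):
        self._wrap, self.handle = wrap, handle

    def bind(self, sk: bytes, bound_config: bytes) -> bytes:
        return encrypt(self._wrap, sk, aad=bound_config)


class HardwareTPM:
    """Destination TPM: private half of the binding key plus the platform's current PCRs."""
    def __init__(self, pcr_config: bytes):
        self.pcr_config = pcr_config      # digest or property string describing the hypervisor
        self._wrap = os.urandom(32)       # never leaves the TPM (simulation)
        self.pk_bind = BindPublicKey(self._wrap, hashlib.sha256(self._wrap).hexdigest())
        self.cert_bind = None

    def unbind(self, esk: bytes) -> bytes:
        # sk is released only if the current PCRs equal the configuration it was bound to
        return decrypt(self._wrap, esk, aad=self.pcr_config)


def issue_cert_bind(ca_key: bytes, tpm: HardwareTPM) -> bytes:
    """certBind from the TTP: PKBind belongs to a TPM and unbinds only under this configuration."""
    body = tpm.pk_bind.handle.encode() + b"|" + tpm.pcr_config
    return body + b"|" + hmac.new(ca_key, body, hashlib.sha256).hexdigest().encode()


def verify_cert_bind(ca_key: bytes, pk_bind: BindPublicKey, cert: bytes, accepted: set):
    """Returns the certified configuration if the certificate is valid and acceptable, else None."""
    handle, config, mac = cert.rsplit(b"|", 2)
    expect = hmac.new(ca_key, handle + b"|" + config, hashlib.sha256).hexdigest().encode()
    if hmac.compare_digest(mac, expect) and handle == pk_bind.handle.encode() and config in accepted:
        return config
    return None


class VTPM:
    def __init__(self, state: bytes = None):
        self.state = state            # None: no instance state on this platform

    def get_state(self): return self.state
    def delete_state(self): self.state = None
    def set_state(self, s): self.state = s


def migrate(src: VTPM, dst_tpm: HardwareTPM, dst: VTPM, ca_key: bytes, accepted: set) -> None:
    """Slide 21 after initiateMigration()/create()/migrate(): the source vTPM does the crypto."""
    pk_bind, cert_bind = dst_tpm.pk_bind, dst_tpm.cert_bind          # requestTrustedChannel()
    config = verify_cert_bind(ca_key, pk_bind, cert_bind, accepted)  # verify(PKBind, certBind)
    if config is None:
        raise ValueError("destination platform not trustworthy for this vTPM")
    sk = os.urandom(32)                                              # sk := createKey()
    esk = pk_bind.bind(sk, config)                                   # esk := bind[PKBind](sk)
    es = encrypt(sk, src.get_state())                                # es := encrypt[sk](getState())
    del sk                                                           # deleteKey(sk)
    src.delete_state()                                               # deleteState(): one live copy only
    # transfer(es, esk); the source vTPM is destroy()ed.  Destination side:
    sk = dst_tpm.unbind(esk)                                         # sk := unbind[PKBind](esk)
    dst.set_state(decrypt(sk, es))                                   # setState(decrypt[sk](es))


STATE = json.dumps({"vpcr": {"10": "3a2fdfb2e10d4286a56715952340177c508b173c"},
                    "keys": ["vAIK"]}).encode()                      # constructed vTPM state
CA_KEY = b"constructed-ttp-key"


def run(dst_config: bytes, accepted: set, booted_config: bytes = None):
    """One migration attempt; returns (destination state, source state, error)."""
    src, dst, tpm = VTPM(STATE), VTPM(), HardwareTPM(dst_config)
    tpm.cert_bind = issue_cert_bind(CA_KEY, tpm)
    if booted_config is not None:
        tpm.pcr_config = booted_config   # platform re-booted into something else after certification
    try:
        migrate(src, tpm, dst, CA_KEY, accepted)
        err = None
    except ValueError as e:
        err = str(e)
    return dst.state, src.state, err
```

Two failure modes are worth running: an untrusted destination (its certified configuration is not in the source's accepted set) is refused before any state leaves the source, so the source keeps its vTPM; a destination whose PCRs changed between certification and unbind cannot release sk, and because the source already deleted its state the instance is gone on both sides. The second outcome is the price of never having two live copies of a vTPM, which is why the accepted set should name properties (or a set of configurations) rather than one exact hypervisor binary.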