When software services use cloud providers to run their workloads, they place implicit trust in the cloud provider, without an explicit trust relationship. One way to achieve such explicit trust in a computer system is to use a hardware Trusted Platform Module (TPM), a coprocessor for trusted computing. However, in the case of managed platform-as-a-service (PaaS) offerings, there is currently no cloud provider that exposes TPM capabilities. In this paper, we improve trust by integrating a virtual TPM device into the Firecracker hypervisor, originally developed by Amazon Web Services. In addition to this, multiple performance tests along with an attack surface analysis are performed to evaluate the impact of the changes introduced. We discuss the results and conclude that the slight performance decrease and attack surface increase are acceptable trade-offs in order to enable trusted computing in PaaS offerings.

翻译：当软件服务使用云提供商运行其工作负载时，它们隐式地信任云提供商，而并未建立显式的信任关系。在计算机系统中实现这种显式信任的一种方法是使用硬件可信平台模块（TPM），这是一种用于可信计算的协处理器。然而，在托管式平台即服务（PaaS）产品中，目前尚无云提供商提供TPM功能。在本文中，我们通过将虚拟TPM设备集成到由亚马逊网络服务最初开发的Firecracker虚拟机管理程序中，来增强信任。此外，我们进行了多项性能测试以及攻击面分析，以评估这些变更带来的影响。我们讨论了测试结果，并得出结论：性能的轻微下降和攻击面的适度增加，是为了在PaaS产品中实现可信计算所可接受的权衡。