Confidential Virtual Machines (CVMs), such as AMD SEV-SNP, enable cloud tenants to run security-sensitive workloads, but tenants can rely on the execution of these workloads only when they can trust the CVM. This trust requires continuous integrity assurance from CVM launch to the current runtime state, including initial trust establishment at launch and subsequent runtime integrity assurance. Existing works help establish launch-time trust and protect parts of runtime integrity, but they do not fully address the integrity of file-backed user-space executable objects, such as main executables, program interpreters, and dynamically loaded shared objects, that may be loaded or mapped dynamically during execution inside CVMs. In this paper, we propose Privilege-Separated User-space Integrity Enforcement (PS-UIE), an approach for enforcing the integrity of user-space executable objects inside AMD SEV-SNP-based CVMs. PS-UIE consists of a privilege-separated architecture and three mechanisms. The architecture separates the authority for integrity measurement and enforcement from the measured targets by placing it in a higher-privileged protected domain. Built on this architecture, PS-UIE provides policy lifecycle management, execution-time integrity enforcement, and evidence export and verification mechanisms. It enables policy-controlled integrity measurement and enforcement for user-space executable objects and generates verifiable runtime evidence. We implement PS-UIE on an AMD SEV-SNP platform. The security analysis and performance evaluation show that PS-UIE enforces the integrity of user-space executable objects on the covered execute-permission grant paths and provides verifiable runtime evidence while incurring acceptable overhead.

翻译：摘要：机密虚拟机（如AMD SEV-SNP）使云租户能够运行安全敏感的工作负载，但只有当租户能够信任这些虚拟机时，他们才能依赖这些工作负载的执行。这种信任要求从虚拟机启动到当前运行时状态（包括启动时的初始信任建立和后续的运行时完整性保证）持续提供完整性保障。现有工作有助于建立启动时信任并保护部分运行时完整性，但并未完全解决文件支持的、可在虚拟机内部动态加载或映射的用户空间可执行对象（如主可执行文件、程序解释器和动态加载的共享对象）的完整性问题。本文提出特权分离的用户空间完整性强制（PS-UIE），一种在基于AMD SEV-SNP的机密虚拟机中强制用户空间可执行对象完整性的方法。PS-UIE由特权分离架构和三种机制组成。该架构通过将完整性度量和强制的权限置于更高特权级的受保护域中，实现其与度量目标的分隔。基于此架构，PS-UIE提供了策略生命周期管理、执行时完整性强制以及证据导出与验证机制。它实现了对用户空间可执行对象的策略控制完整性度量与强制，并生成可验证的运行时证据。我们在AMD SEV-SNP平台上实现了PS-UIE。安全分析与性能评估表明，PS-UIE在覆盖的执行权限授予路径上强制执行用户空间可执行对象的完整性，并提供可验证的运行时证据，同时开销可接受。