Virtual Machine (VM)-based Trusted Execution Environment (TEE) technology, such as AMD Secure Encrypted Virtualization (SEV), enables the construction of Confidential VMs (CVMs) that protect data privacy. However, a CVM lacks a way to provide trust proof of its running state, which lowers users' confidence in relying on CVMs. Virtual Trusted Platform Module (vTPM) technology can be used to generate such trust proof for a CVM. The existing vTPM-based approaches, however, have weaknesses such as the lack of a well-defined root-of-trust, the lack of protection for the vTPM itself, and the lack of trust proof for the vTPM; these weaknesses prevent the generation of trust proof for the CVM. This paper proposes an approach that generates trust proof for an AMD SEV-based CVM, and thereby ensures its security, by using a secure vTPM to construct a Trusted Complete Chain for the CVM (T3CVM). T3CVM consists of three components: 1) TR-Manager, the well-defined root-of-trust, which helps build complete trust chains for CVMs; 2) CN-TPMCVM, a special CVM that provides secure vTPMs; and 3) CN-CDriver, an enhanced TPM driver. Our approach overcomes the weaknesses of existing approaches and enables trusted computing-based applications to run seamlessly in the trusted CVM. We perform a formal security analysis of T3CVM and implement a prototype system to evaluate its performance.
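To make the notion of a "complete trust chain" and its "trust proof" concrete, the following added example (not code from the T3CVM paper or its prototype) models the generic TPM mechanism such chains rest on: each stage measures the next, the measurement is folded into a PCR-style register (PCR_new = SHA-256(PCR_old || measurement)), and a verifier replays the event log against a quoted register value. The stage names, sample image blobs, the HMAC stand-in for a TPM quote signature, and the attestation key are all constructed assumptions for illustration; the paper's actual protocols between TR-Manager, CN-TPMCVM and CN-CDriver are not reproduced here.

```python
"""Illustrative model of a measurement-based trust chain as a TPM records it.

Added example, not code from the T3CVM paper. It shows only generic TPM 2.0
PCR-extend semantics and log replay; every concrete value below is constructed.
"""
import hashlib
import hmac

# TPM 2.0 SHA-256 PCRs used for measured boot start at all zeros.
PCR_INIT = bytes(32)

# Constructed sample blobs standing in for the layers a chain covers:
# root-of-trust firmware, the vTPM image, and the guest (CVM) kernel.
STAGES = [
    ("root-of-trust", b"host firmware image v1 (constructed)"),
    ("vtpm", b"vTPM image v1 (constructed)"),
    ("cvm", b"guest kernel image v1 (constructed)"),
]
# Assumption: a secret only the trusted vTPM holds. A real TPM signs quotes
# with an attestation key; HMAC is used here so the example runs offline.
ATTEST_KEY = b"constructed-attestation-key"
NONCE = b"verifier-nonce-0001"  # freshness value chosen by the verifier


def measure(blob: bytes) -> bytes:
    """Digest of a component image, as a measuring stage would compute it."""
    return hashlib.sha256(blob).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: the register can only be folded forward, never reset."""
    return hashlib.sha256(pcr + measurement).digest()


def build_chain(stages):
    """Measure each stage in order; return the event log and final PCR value."""
    pcr = PCR_INIT
    log = []
    for name, blob in stages:
        m = measure(blob)
        log.append((name, m))
        pcr = pcr_extend(pcr, m)
    return log, pcr


def quote(pcr: bytes, key: bytes, nonce: bytes) -> bytes:
    """Stand-in for a TPM quote: binds the PCR value to the verifier's nonce."""
    return hmac.new(key, nonce + pcr, hashlib.sha256).digest()


def replay_log(log) -> bytes:
    """Recompute the PCR a verifier expects from the claimed event log."""
    pcr = PCR_INIT
    for _, m in log:
        pcr = pcr_extend(pcr, m)
    return pcr


def verify(log, quoted_pcr, sig, key, nonce, expected_measurements):
    """Three checks: quote is authentic, log replays to it, and every
    measurement matches a known-good reference value."""
    if not hmac.compare_digest(quote(quoted_pcr, key, nonce), sig):
        return False, "bad quote"
    if replay_log(log) != quoted_pcr:
        return False, "log does not replay to quoted PCR"
    for name, m in log:
        if expected_measurements.get(name) != m:
            return False, f"unexpected measurement for {name}"
    return True, "ok"


def demo():
    """Run the verifier on an intact chain and on two tampered presentations."""
    log, pcr = build_chain(STAGES)
    sig = quote(pcr, ATTEST_KEY, NONCE)
    expected = {name: measure(blob) for name, blob in STAGES}

    good = verify(log, pcr, sig, ATTEST_KEY, NONCE, expected)

    # A guest image was swapped but the vTPM's quote is untouched:
    # the log no longer replays to the quoted register.
    tampered_log = list(log)
    tampered_log[2] = ("cvm", measure(b"guest kernel image v1 (altered, constructed)"))
    tampered = verify(tampered_log, pcr, sig, ATTEST_KEY, NONCE, expected)

    # The presenter also adjusts the claimed PCR to fit the altered log,
    # but cannot produce a matching quote without the attestation key.
    forged_pcr = replay_log(tampered_log)
    forged = verify(tampered_log, forged_pcr, sig, ATTEST_KEY, NONCE, expected)

    return {"good": good, "tampered_log": tampered, "forged_quote": forged}


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The design point the example isolates is why the abstract insists on a well-defined root-of-trust and a protected vTPM: the verifier's conclusions are only as good as the first measurement in the chain and the secrecy of the key that signs the quote. If either the root stage or the vTPM that holds the key can be altered without being measured, the log and quote can both be made consistent and the checks above pass on a compromised CVM.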