Trying to address the security challenges of a cloud-centric software deployment paradigm, silicon and cloud vendors are introducing confidential computing, an umbrella term for hardware and software mechanisms that protect cloud workloads from the cloud provider and its software stack. Today, Intel SGX, AMD SEV, Intel TDX, etc., provide a way to shield cloud applications from the cloud provider through encryption of the application's memory below the hardware boundary of the CPU, hence requiring trust only in the CPU vendor. Unfortunately, existing hardware mechanisms do not automatically guarantee that a protected system was not tampered with during configuration and boot time. Such a guarantee relies on a hardware root of trust (RoT), i.e., an integrity-protected location that can store measurements in a trustworthy manner, extend them, and authenticate the measurement logs to the user. In this work, we design and implement a virtual TPM (vTPM) that virtualizes the hardware RoT without requiring trust in the cloud provider. To ensure the security of a vTPM in a provider-controlled environment, we leverage unique isolation properties of the SEV-SNP hardware that allow us to execute secure services as part of the enclave environment, protected from the cloud provider. We further develop a novel approach to vTPM state management in which the vTPM state is not preserved across reboots. Specifically, we develop a stateless ephemeral vTPM that supports remote attestation without any persistent state on the host. This allows us to pair each confidential VM with a private instance of a vTPM completely isolated from the provider-controlled environment and from other VMs. We built our prototype entirely on open-source components. Though our work is AMD-specific, a similar approach could be used to build remote attestation protocols on other trusted execution environments.
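As an added illustration (not code from the paper or its prototype), the Python below models the mechanism the abstract relies on: a vTPM whose PCR bank starts from scratch on every boot, measurements extended into PCRs with TPM extend semantics, and a verifier that replays the event log against a nonce-bound quote. The PCR count, event contents and nonce are constructed assumptions; the attestation-key signature over the quote and its binding to the SEV-SNP report are omitted.

```python
import hashlib

PCR_COUNT = 8                 # assumption: a small bank for illustration
EXTEND_HASH = hashlib.sha256  # one SHA-256 bank; 32-byte PCRs


class EphemeralVTPM:
    """Stand-in for a stateless vTPM: all state lives in memory and is
    recreated on every boot, so nothing persists on the host."""

    def __init__(self):
        self.pcrs = [bytes(32)] * PCR_COUNT  # fresh bank: all PCRs zero
        self.event_log = []                  # (pcr_index, digest, description)

    def extend(self, index, event, description):
        digest = EXTEND_HASH(event).digest()
        # TPM extend semantics: PCR[i] = H(PCR[i] || digest); order matters.
        self.pcrs[index] = EXTEND_HASH(self.pcrs[index] + digest).digest()
        self.event_log.append((index, digest, description))

    def quote(self, nonce):
        # A real quote is signed by the attestation key; signature omitted here.
        return {"nonce": nonce, "pcrs": list(self.pcrs)}


def boot(events):
    """Simulate one boot: a new vTPM instance measures the given events."""
    vtpm = EphemeralVTPM()
    for index, event, description in events:
        vtpm.extend(index, event, description)
    return vtpm


def replay_log(event_log):
    """Verifier side: recompute the PCR bank from the reported event log."""
    pcrs = [bytes(32)] * PCR_COUNT
    for index, digest, _ in event_log:
        pcrs[index] = EXTEND_HASH(pcrs[index] + digest).digest()
    return pcrs


def verify_quote(quote, event_log, expected_nonce, golden):
    """Accept only if the nonce is fresh, the log replays to the quoted PCRs,
    and every PCR the verifier cares about matches its known-good value."""
    if quote["nonce"] != expected_nonce:
        return False
    if replay_log(event_log) != quote["pcrs"]:
        return False
    return all(quote["pcrs"][i] == value for i, value in golden.items())
```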