Guest-first memory for KVM
Guest-first memory for KVM
Posted Nov 3, 2023 14:20 UTC (Fri) by farnz (subscriber, #17727)In reply to: Guest-first memory for KVM by spacefrogg
Parent article: Guest-first memory for KVM
Fundamentally, because the soft TPM will not have the expected public key.
The hoster does not provide the public key to the tenant; the TPM vendor provides the public key to all and sundry, usually via a CA type system that verifies that the public key you're being offered is one from the TPM vendor (not the hoster). The TPM vendor also guarantees that the TPM, if installed correctly, will produce certain hashes of data that goes between the TPM and CPU during operation; if the hoster changes the hardware so that different data goes between the TPM and CPU, those hashes change.
From this, we can build a setup where the hoster does not need to be trusted, but the TPM vendor and CPU vendor do. The CPU vendor guarantees that there will be certain exchanges between the TPM and the CPU, such that if it's a real TPM and not a soft TPM, the hashes the TPM will sign and disclose can be predicted. As the tenant, you can take those signed hashes, validate that the TPM's public key is signed by the TPM vendor's CA (so isn't compromised by the hoster), and then send a secret, encrypted using the TPM's private key if, and only if, the hashes match what you expect from the platform.
If you want the gory details, look up how Intel TDX and AMD SEV work; they're not perfect (implementations are buggy), but the mathematics of the verification side work out, and reduce the trust domain from "hoster + CPU maker + TPM maker" to "CPU maker + TPM maker".
Posted Nov 5, 2023 4:03 UTC (Sun)
by ssmith32 (subscriber, #72404)
[Link] (2 responses)
An analog: when running malware that attempted to check if it was running in a VM, I would just open it up in a disassembler (perhaps after going through some unpacking steps), and patch the check for a VM to return false. No reason a host can't do this to a guest. There's some kind of integrity check on the code, you say? Well, patch that out too.
The reality is you *have* to trust the host at some point.
What this helps with is not a fully Byzantine malicious failure scenario, but, rather, a host that is trusted at startup, but is not trusted to remain trusted after.
That is, it helps with a host that may eventually be compromised. As far as helping with a fully malicious host, this does absolutely nothing.
Posted Nov 5, 2023 5:30 UTC (Sun)
by mjg59 (subscriber, #23239)
[Link]
Posted Nov 5, 2023 10:20 UTC (Sun)
by farnz (subscriber, #17727)
[Link]
Note that a CPU that's designed for this also prevents the host from reading or writing the memory of the guest OS without the guest's co-operation (memory encryption). You still have to trust the CPU and the TPM, but that's better than having to trust the entire hosting platform.
And yes, the attestation has to be to something outside the guest; but the idea is that I can stand up a microserver in my office, which I can trust because I have full control of it, and then not have to trust the hosting company.
Guest-first memory for KVM
Guest-first memory for KVM
Guest-first memory for KVM