2008-06-27

Property-Based TPM Virtualization

This is the title of paper I have written together with Ahmad-Reza Sadeghi and Christian Stüble. We will present it at the 11th Information Security Conference (ISC 2008) in Taipei, Taiwan. I will also give a presentation about it at the HGI Seminar at Ruhr-University Bochum on 10th July 2008.

Virtualization and hypervisors enable useful and cost-efficient means to manage IT infrastructure, especially migration of virtual machines (VMs) between hardware platforms. A challenge in this context is the virtualization of
hardware security modules like the Trusted Platform Module (TPM) since the intended purpose of TPMs is to securely link software and the underlying hardware. Existing solutions for TPM virtualization, however, have various
shortcomings that hinder the deployment to a wide range of useful scenarios. In our paper, we address these shortcomings by presenting a flexible and privacy-preserving design of a virtual TPM that in contrast to existing
solutions supports different approaches for measuring the platform's state and for key generation, and uses property-based attestation mechanisms to support software updates and VM migration. Our solution improves the maintainability and applicability of hypervisors supporting hardware security modules like the TPM. The following figure shows the design.


For each VM that needs a vTPM, there is a separate vTPM instance. We assume the underlying hypervisor to protect the internal state and operations of each vTPM from any unauthorized access. The main building blocks of our vTPM are the following: PropertyManagement represents the virtual PCRs and manages different mechanisms to store and read measurement values; KeyManagement is responsible for creating and loading keys; vTPMPolicy holds the user-defined policy of the vTPM instance, defining which properties are going to be revealed during an attestation operation; CryptographicFunctions provide monotonic counters, random number generation, hashing, etc.; MigrationController is responsible for migrating the vTPM to another platform.

To improve flexible migration and to preserve the availability of sealed data after migration or software updates, an essential step is to support other measurement strategies. Applying property-based measurement and attestation to a vTPM allows much more flexibility in the choice of the hypervisor and for easier updates of applications -- a VM can still use sealed data or run attestation procedures if the properties of the programs remain the same.

Our vTPM design is based on a plug-in-like architecture for various vPCR extension strategies. Each extension strategy is realized by a PropertyProvider module implementing different translation functions. A translation function translates measurements (i.e., hash values of program binaries) into property representations. Each PropertyProvider has its own vector of virtual PCRs. Thus there is a matrix of vPCR values for each vTPM. This allows us to choose, according to the vTPM policy, which PropertyProvider to use on particular sealing or attestation operations.

Depending on the implementation of the PropertyProvider, we can realize property-based sealing and property-based attestation without any change to the interface of the vTPM from the perspective of the associated VM. This enables the availability of protected data and cryptographic keys of the vTPM after migrating to another platform that provides the same security properties but may have a different binary implementation. TPM-enabled applications executed in a VM can directly profit from this flexibility without the need for modification.

[Slides]

1 comment:

Andreas W. Kuhn said...

Para-Virtualized TPM Sharing

Dr. Jork Löser
Microsoft

The talk introduces a technique that allows a hypervisor to safely share a TPM among its guest operating systems. Our design allows guests full use of the TPM in legacy-compliant or functionally equivalent form. The design also allows guests to use the authenticated-operation facilities of the TPM (attestation, sealed storage) to authenticate themselves and their hosting environment. Finally, our design and implementation makes use of the hardware TPM wherever possible, which means that guests can enjoy the hardware key protection offered by a physical TPM. In addition to superior protection for cryptographic keys our technique is also much simpler than a full soft-TPM implementation. The talk shows that a current TCG TPM 1.2 compliant TPM can be multiplexed easily and safely between multiple guest operating systems. However, the peculiar characteristics of the TPM mean that certain features (in particular those that involve PCRs) cannot be exposed unmodified, but instead need to be exposed in a functionally equivalent para-virtualized form. We provide an analysis of our reasoning on the right balance between the accuracy of virtualization, and the complexity of the resulting implementation.

http://tinyurl.com/655rhz