
US-12619456-B2 - Remote attestation of workloads running in virtual machines

US 12619456 B2

Abstract

In one set of embodiments, a computer system executing a virtual machine (VM) packaging tool can receive a reference to a container comprising one or more applications of a workload and a reference to an operating system (OS) kernel to be included in the workload. The computer system can inject an agent into the container that is configured to request execution of a hardware VM attestation function, combine contents of the container and the OS kernel into an image file, and compute a hash of the image file. The computer system can then generate a firmware for the workload that includes the hash.

Inventors

  • Radoslav Vladimirov Gerganov
  • Dentcho Ludmilov Bankov

Assignees

  • VMware LLC

Dates

Publication Date
2026-05-05
Application Date
2023-09-11

Claims (20)

  1. A method comprising: receiving, by a computer system executing a virtual machine (VM) packaging tool, a reference to a container comprising one or more applications of a workload and a reference to an operating system (OS) kernel to be included in the workload; injecting, by the computer system, an agent into the container configured to request execution of a hardware VM attestation function; subsequently to the injecting, combining, by the computer system, contents of the container and the OS kernel into an image file; computing, by the computer system, a first hash of the image file; and generating, by the computer system, a firmware for the workload that includes the first hash.
  2. The method of claim 1 further comprising: computing a second hash of the firmware; creating a distributable VM package for deploying the workload as a VM, the distributable VM package including the firmware, the image file, and VM configuration information; and providing the second hash and the distributable VM package to a party associated with the workload.
  3. The method of claim 2 wherein the VM configuration information includes a requirement that the VM is encrypted using hardware VM encryption when run.
  4. The method of claim 2 wherein at a time the VM is powered-on on a host system of a computing environment, the agent submits a request to a hypervisor of the host system to execute the hardware VM attestation function.
  5. The method of claim 4 wherein the computing environment is a public cloud.
  6. The method of claim 4 wherein in response to submitting the request, the agent: receives an attestation report including a third hash signed using a private key associated with a vendor of one or more central processing units (CPUs) of the host system; and makes the attestation report available to the party.
  7. The method of claim 4 wherein the VM is associated with one or more virtual disks, and wherein the VM: generates one or more storage encryption keys based on hashes of the firmware and the OS kernel computed by a virtual trusted platform module (TPM) of the VM; and uses the one or more storage encryption keys to encrypt the one or more virtual disks.
  8. A non-transitory computer readable storage medium having stored thereon program code executable by a computer system, the program code causing the computer system to execute a method comprising: receiving a reference to a container comprising one or more applications of a workload and a reference to an operating system (OS) kernel to be included in the workload; injecting an agent into the container configured to request execution of a hardware virtual machine (VM) attestation function; subsequently to the injecting, combining contents of the container and the OS kernel into an image file; computing a first hash of the image file; and generating a firmware for the workload that includes the first hash.
  9. The non-transitory computer readable storage medium of claim 8 wherein the method further comprises: computing a second hash of the firmware; creating a distributable VM package for deploying the workload as a VM, the distributable VM package including the firmware, the image file, and VM configuration information; and providing the second hash and the distributable VM package to a party associated with the workload.
  10. The non-transitory computer readable storage medium of claim 9 wherein the VM configuration information includes a requirement that the VM is encrypted using hardware VM encryption when run.
  11. The non-transitory computer readable storage medium of claim 9 wherein at a time the VM is powered-on on a host system of a computing environment, the agent submits a request to a hypervisor of the host system to execute the hardware VM attestation function.
  12. The non-transitory computer readable storage medium of claim 11 wherein the computing environment is a public cloud.
  13. The non-transitory computer readable storage medium of claim 11 wherein in response to submitting the request, the agent: receives an attestation report including a third hash signed using a private key associated with a vendor of one or more central processing units (CPUs) of the host system; and makes the attestation report available to the party.
  14. The non-transitory computer readable storage medium of claim 11 wherein the VM is associated with one or more virtual disks, and wherein the VM: generates one or more storage encryption keys based on hashes of the firmware and the OS kernel computed by a virtual trusted platform module (TPM) of the VM; and uses the one or more storage encryption keys to encrypt the one or more virtual disks.
  15. A computer system comprising: a processor; and a non-transitory computer readable medium having stored thereon program code that, when executed by the processor, causes the processor to: receive a reference to a container comprising one or more applications of a workload and a reference to an operating system (OS) kernel to be included in the workload; inject an agent into the container configured to request execution of a hardware virtual machine (VM) attestation function; subsequently to the injecting, combine contents of the container and the OS kernel into an image file; compute a first hash of the image file; and generate a firmware for the workload that includes the first hash.
  16. The computer system of claim 15 wherein the program code further causes the processor to: compute a second hash of the firmware; create a distributable VM package for deploying the workload as a VM, the distributable VM package including the firmware, the image file, and VM configuration information; and provide the second hash and the distributable VM package to a party associated with the workload.
  17. The computer system of claim 16 wherein the VM configuration information includes a requirement that the VM is encrypted using hardware VM encryption when run.
  18. The computer system of claim 16 wherein at a time the VM is powered-on on a host system of a computing environment, the agent submits a request to a hypervisor of the host system to execute the hardware VM attestation function.
  19. The computer system of claim 18 wherein the computing environment is a public cloud.
  20. The computer system of claim 18 wherein in response to submitting the request, the agent: receives an attestation report including a third hash signed using a private key associated with a vendor of one or more central processing units (CPUs) of the host system; and makes the attestation report available to the party.
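The claims describe one procedure end to end: the packaging tool injects the agent, builds the image, embeds the image hash in the firmware and hands the party the firmware hash; at power-on the agent asks the hypervisor for a hardware attestation report whose measurement is signed by the CPU vendor, and the party checks that signed measurement against the firmware hash it was given. The Go program below is an added example written for this page, not code from the patent or from VMware, and it also covers the party P / workload W / host H scenario in the Detailed Description. The agent payload, the length-prefixed image layout, the `expected-image-sha256=` firmware field, the nonce and the Ed25519 vendor key are all stand-ins chosen for illustration (a real hardware attestation function uses the CPU vendor's own report format and certificate chain). It exercises the two tamper cases the design is meant to catch: a modified image is refused by the firmware, and firmware re-generated to accept the modified image changes the launch measurement and fails the party's check.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed sample inputs; the agent and nonce are hypothetical stand-ins.
var (
	sampleContainer = []byte("app: billing-service v1.4\n")
	sampleKernel    = []byte("vmlinuz 6.1 (constructed)\n")
	attestAgent     = []byte("agent: request hardware VM attestation on power-on\n")
	partyNonce      = []byte("party-nonce-0001") // freshness value; assumed, not in the claims
)

// buildImage injects the agent, then combines container and kernel into one length-prefixed image (claim 1).
func buildImage(container, kernel []byte) []byte {
	var img bytes.Buffer
	for _, part := range [][]byte{container, attestAgent, kernel} {
		fmt.Fprintf(&img, "%08x", len(part))
		img.Write(part)
	}
	return img.Bytes()
}

// buildFirmware embeds the image hash (the "first hash"): hardware measures the firmware, firmware measures the image.
func buildFirmware(imageHash [32]byte) []byte {
	return []byte("uefi-stub\nexpected-image-sha256=" + hex.EncodeToString(imageHash[:]) + "\n")
}

// packageWorkload is the packaging tool: it returns firmware, image and the "second hash" the party keeps (claim 2).
func packageWorkload(container, kernel []byte) (fw, img []byte, fwHash [32]byte) {
	img = buildImage(container, kernel)
	fw = buildFirmware(sha256.Sum256(img))
	return fw, img, sha256.Sum256(fw)
}

// firmwareBoot is the firmware's power-on check: refuse any image whose hash differs from the embedded one.
func firmwareBoot(firmware, image []byte) error {
	_, want, ok := bytes.Cut(firmware, []byte("expected-image-sha256="))
	got := sha256.Sum256(image)
	if !ok || hex.EncodeToString(got[:]) != string(bytes.TrimSpace(want)) {
		return errors.New("image hash mismatch: refusing to boot")
	}
	return nil
}

// Report is the attestation report: launch measurement (the "third hash") and nonce, signed by the CPU vendor (claim 6).
type Report struct {
	Measurement [32]byte
	Nonce, Sig  []byte
}

// hardwareAttest models the hardware attestation function the agent requests via the hypervisor; a compromised
// hypervisor can load other firmware but cannot forge the vendor signature over what was actually measured.
func hardwareAttest(vendorPriv ed25519.PrivateKey, loadedFirmware, nonce []byte) Report {
	m := sha256.Sum256(loadedFirmware)
	return Report{Measurement: m, Nonce: nonce, Sig: ed25519.Sign(vendorPriv, append(m[:], nonce...))}
}

// verifyReport is the party's check: freshness, vendor signature, and measurement == packaged firmware hash.
func verifyReport(vendorPub ed25519.PublicKey, expectedFW [32]byte, nonce []byte, r Report) error {
	if !bytes.Equal(r.Nonce, nonce) {
		return errors.New("nonce mismatch: stale or replayed report")
	}
	if !ed25519.Verify(vendorPub, append(r.Measurement[:], r.Nonce...), r.Sig) {
		return errors.New("report is not signed by the CPU vendor key")
	}
	if r.Measurement != expectedFW {
		return errors.New("launch measurement differs from the packaged firmware")
	}
	return nil
}

// runScenario packages the workload, optionally tampers with what the host loads, and returns the boot decision and verdict.
func runScenario(tamperImage, tamperFirmware bool) (bootErr, verifyErr error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the vendor's attestation key
	fw, img, fwHash := packageWorkload(sampleContainer, sampleKernel)
	if tamperImage { // same-length edit, so the length prefixes still parse
		img = bytes.Replace(img, []byte("v1.4"), []byte("v1.X"), 1)
	}
	if tamperFirmware { // attacker regenerates firmware that accepts the modified image
		fw = buildFirmware(sha256.Sum256(img))
	}
	if bootErr = firmwareBoot(fw, img); bootErr != nil {
		return bootErr, errors.New("no report: the agent inside the image never ran")
	}
	return nil, verifyReport(vendorPub, fwHash, partyNonce, hardwareAttest(vendorPriv, fw, partyNonce))
}

func main() {
	for _, c := range [][2]bool{{false, false}, {true, false}, {true, true}} {
		b, v := runScenario(c[0], c[1])
		fmt.Printf("tamperImage=%v tamperFirmware=%v boot=%v verify=%v\n", c[0], c[1], b, v)
	}
}
```

The hardware only ever measures the firmware, so the firmware's own check on the image hash is what extends the guarantee to the kernel and applications; an attacker who rewrites the firmware to skip that check necessarily changes the measurement the party compares against. The nonce is the party's freshness check: without it, a report from an earlier honest boot could be replayed after the host was compromised.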

Description

CROSS-REFERENCES TO RELATED APPLICATIONS

The present application claims priority to U.S. Provisional Patent Application No. 63/511,828 filed Jul. 3, 2023 and entitled “Remote Attestation of Workloads Running in Virtual Machines.” The entire contents of this provisional application are incorporated herein by reference for all purposes.

BACKGROUND

Unless otherwise indicated, the subject matter described in this section should not be construed as prior art to the claims of the present application and is not admitted as being prior art by inclusion in this section.

In recent years, it has become increasingly common for organizations to move their compute workloads from on-premises data centers to public clouds. Driving factors for this migration include increased workload performance (in terms of latency, throughput, etc.), improved workload resiliency/availability, and cost savings.

One significant concern with running a workload in a public cloud is security, or in other words ensuring that the workload is safe from threats and attacks that attempt to tamper with the workload or gain unauthorized access to confidential workload data. Major public cloud providers implement security measures at the infrastructure level in order to counter such threats/attacks, but these measures are not foolproof and are being constantly challenged by new and evolving attack techniques.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts an example computing environment.
FIG. 2 depicts a VM packaging tool workflow according to certain embodiments.
FIG. 3 depicts a VM boot workflow for enabling remote attestation according to certain embodiments.

DETAILED DESCRIPTION

In the following description, for purposes of explanation, numerous examples and details are set forth in order to provide an understanding of various embodiments. It will be evident, however, to one skilled in the art that certain embodiments can be practiced without some of these details or can be practiced with modifications or equivalents thereof.

Embodiments of the present disclosure are directed to techniques for enabling remote attestation of workloads that are deployed via virtual machines (VMs) in computing environments such as public clouds. As used herein, a “workload” is a combination of firmware (e.g., Unified Extensible Firmware Interface (UEFI) firmware), an operating system (OS) kernel, and one or more user-level applications. “Remote attestation” involves providing, to a party associated with a deployed workload (e.g., the workload developer, administrator, or some other user/entity), cryptographic proof pertaining to the workload's runtime integrity and confidentiality.

For example, consider a scenario in which a party P packages a workload W into a VM and deploys the VM on a host system H of a public cloud C. In this scenario, certain embodiments of the present disclosure enable party P to obtain an attestation report comprising cryptographic proof that:

  1. workload W is running unmodified on H (i.e., W has not been tampered with); and
  2. the runtime state of W held in H's system memory is encrypted, such that no one (including the provider of public cloud C) can view or access that runtime state.

With this cryptographic proof, party P can be assured that deployed workload W is unaltered and its contents cannot be snooped/leaked, even if the provider of public cloud C is untrusted or is compromised.

1. Example Environment and Solution Overview

To provide context for the embodiments described herein, FIG. 1 depicts an example computing environment 100 comprising a host system 102. In this figure, computing environment 100 is specifically a public cloud such as Amazon AWS, Microsoft Azure, Google Cloud, or the like. In alternative embodiments, computing environment 100 may be a hybrid cloud or a private cloud. Although only a single host system is shown for illustration purposes, any number of host systems may be included within environment 100.

Host system 102 runs a hypervisor 104 that provides an execution environment for a VM 106. VM 106 in turn runs a workload 108 (comprising a firmware 110, an OS kernel 112, and a set of applications 114) created/deployed by a party 116. For example, party 116 may be a user within an organization that is a customer/tenant of computing environment 100, and workload 108 may include software applications or services that are designed to meet the business objectives of the organization.

As noted in the Background section, one challenge with running a workload in a public cloud is ensuring/verifying the security of the workload. Public clouds are inherently multi-tenant environments, which means that they are susceptible to attacks by one tenant on the workloads of other tenants. Further, the public cloud provider itself may be compromised by internal or external threat actors, who can potentially take control of certain components of the public cloud infrastructure (such as the host hypervisors) to disrupt, tamper wit
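Claims 7 and 14 tie the virtual-disk encryption keys to hashes of the firmware and OS kernel computed by the VM's virtual TPM, which is what keeps data at rest unreadable if the same disks are attached to a VM that boots different code. The Go program below is an added example written for this page, not code from the patent or from VMware: the PCR extend chain, the HMAC-based key derivation keyed with a vTPM-internal seed, and AES-256-GCM disk encryption are stand-ins for the vTPM's sealing mechanism, and the seed, firmware, kernels and disk contents are constructed inputs. It shows that a kernel patched by even one byte yields a different measurement, hence a different key, and the encrypted disk no longer opens.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed sample inputs. vtpmSeed is a hypothetical per-VM secret that the
// virtual TPM keeps internally and the guest never sees.
var (
	firmware         = []byte("uefi-stub (constructed)\n")
	kernel           = []byte("vmlinuz 6.1 (constructed)\n")
	backdooredKernel = []byte("vmlinuz 6.1 (constructed, patched)\n")
	diskContents     = []byte("customer records (constructed)")
	vtpmSeed         = []byte("vtpm-seed-for-this-example-only")
)

// extend is the TPM PCR extend operation: pcr' = SHA256(pcr || SHA256(data)).
func extend(pcr [32]byte, data []byte) [32]byte {
	d := sha256.Sum256(data)
	return sha256.Sum256(append(pcr[:], d[:]...))
}

// measuredBoot returns the PCR value after the vTPM has measured firmware, then
// kernel. PCRs start at zero on reset, and the order of extends matters.
func measuredBoot(fw, k []byte) [32]byte {
	var pcr [32]byte
	return extend(extend(pcr, fw), k)
}

// deriveStorageKey binds a 256-bit disk key to the PCR value. HMAC-SHA256 keyed
// with the vTPM seed stands in for TPM sealing against a PCR policy.
func deriveStorageKey(pcr [32]byte) []byte {
	mac := hmac.New(sha256.New, vtpmSeed)
	mac.Write([]byte("virtual-disk-key\x00"))
	mac.Write(pcr[:])
	return mac.Sum(nil)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealDisk encrypts one disk block with AES-256-GCM; the random nonce is prepended.
func sealDisk(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openDisk decrypts a block; GCM's tag check fails under any other key.
func openDisk(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// unlockAfterBoot encrypts the disk under the packaged workload's key, then boots
// with bootKernel and tries to open it with the key that boot derives.
func unlockAfterBoot(bootKernel []byte) ([]byte, error) {
	blob, err := sealDisk(deriveStorageKey(measuredBoot(firmware, kernel)), diskContents)
	if err != nil {
		return nil, err
	}
	return openDisk(deriveStorageKey(measuredBoot(firmware, bootKernel)), blob)
}

func main() {
	for _, k := range [][]byte{kernel, backdooredKernel} {
		data, err := unlockAfterBoot(k)
		fmt.Printf("boot %q -> data=%q err=%v\n", k, data, err)
	}
}
```

Because the key never leaves the vTPM and is a function of the measured boot chain, there is nothing for an attacker who controls the host to copy: swapping the kernel, or booting the disks under a different firmware, produces a key that fails the AEAD tag check rather than silently decrypting to garbage.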