Roy Hopkins: Establishing root seeds in a vTPM with COCONUT-SVSM in Confidential VM Remote

Опубликовано: 10 Июнь 2024
на канале: SUSE Labs

Confidential Computing for virtual machines provides hardware protection for data as it is being processed on an untrusted host, giving strong assurance that the guest memory and context is protected from observation and manipulation by the host. In order to ensure integrity of the workload deployed into a confidential VM, CPU vendors include the ability to remotely attest the startup state of the guest. This provides verifiable cryptographic evidence that the guest is running inside a patched, up-to-date CC environment and confirms exactly what firmware the guest is running. In order to retain integrity from the verified firmware, unlock an encrypted disk and boot the operating system, a traditional secure boot process can be used. However, a TPM or equivalent is required to implement secure boot. COCONUT-SVSM provides a secure environment to implement a virtual TPM where keys and state are protected both from the host and the guest firmware. Manufacturing a vTPM requires access to persistent root seeds that must remain secure and available even when the guest is migrated to a different host. This talk introduces the process and capabilities of remote attestation with AMD SEV-SNP and discusses how this can be used during the the initialisation of COCONUT-SVSM to securely obtain vTPM seeds from a key broker service.

Смотрите видео Roy Hopkins: Establishing root seeds in a vTPM with COCONUT-SVSM in Confidential VM Remote онлайн, длительностью часов минут секунд в хорошем качестве, которое загружено на канал SUSE Labs 10 Июнь 2024. Делитесь ссылкой на видео в социальных сетях, чтобы ваши подписчики и друзья так же посмотрели это видео. Данный видеоклип посмотрели 99 раз и оно понравилось 3 посетителям.

85,159

4.3 тыс