1. Field of the Invention
This invention relates to improving the performance of attestation to the state of virtual machines on virtualizable computer systems through a single-step attestation process.
2. Description of Background
The TRUSTED COMPUTING GROUP (TCG) has defined a transitive trust model architecture in which each layer of software measures the next layer of software before that layer is executed. The digests of these measurements are extended through a one-way hash function into Platform Configuration Registers (PCRs) contained in a TRUSTED PLATFORM MODULE (TPM). The names of the measured files or data and their digest values are appended to a measurement list. The overall procedure begins with a Core Root of Trust for Measurement (CRTM), which is code that is run early in the boot process after a computer system has been started.
During the remote attestation process, a set of PCRs is quote-digested and digitally signed with a trusted signing key, for example an Attestation Identity Key (AIK). The remote party/system validates the AIK certificate issued by a trusted privacy certificate authority, the digital signature of the quote, and the integrity of the measurement list by comparing it to the PCR state included in the quote. Once the measurement list has been validated, the remote system uses it to determine whether the attesting system is running trusted software.
In an exemplary embodiment, evaluating the state of a software environment means replaying the log of all hashes of software that was started on the system. If one or more pieces of software that are determined to be untrusted were started on the system, the whole system may be declared untrusted. Untrusted software may be recognized through a hash that explicitly identifies a piece of software as untrusted, or through a hash that is not known to the evaluating system. The replay of the log of all hashes must match the state of the PCRs that these log entries affected and that were returned in a quote. Further, the signature over the state of the PCRs must be verifiable.
Virtualizable systems allow users to spawn multiple virtual machines (VMs), each of which can run an operating system independently of the other VMs. An implementation of such a system may offer the capability to spawn new VMs from within a VM, thus creating a hierarchy of VMs with a parent-child relationship between creating and created VMs. On many virtualizable systems an initial VM is created during system boot. This VM serves system management purposes and is, for example, used for the creation and destruction of other VMs.
For the purpose of supporting trusted computing in a virtualizable system, it is expected that software implementing support for the transitive trust model architecture described above runs within each VM. An outside challenger who wants to establish trust in a VM is interested not only in the software running inside that VM, but also in the software that was used to start this VM from inside its parent VM. This includes the operating system inside the parent VM, the applications involved in starting a VM, the underlying virtualization layer (hypervisor), and all other layers used during system startup, including the CRTM.
In a typical system, trust establishment requires a challenger to perform several separate steps, individually challenging every VM on the direct path (in the hierarchy) from the root VM to the VM of interest. This is regarded as necessary since all these VMs are part of the trust chain to the VM of interest: if one of them is untrusted, its descendants are also untrusted. The proposed architecture, which in part gives rise to the present invention, creates a solution that supports establishing trust in a VM more efficiently by allowing a one-step attestation process.
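The following Python model is an added example, not part of the patent text, and illustrates both the measure/extend/quote/replay flow described in the Description of Background and the multi-step, per-VM challenge along the VM hierarchy described in the last paragraph. It assumes SHA-256 PCRs that start at zero, a measurement list of (PCR index, name, digest) entries, and an HMAC with a shared key standing in for the AIK signature (a real AIK is an asymmetric key whose certificate the challenger validates); every software image, name and key below is constructed for the example. The one-step process itself is not modeled, since this section does not describe it.

```python
import hashlib
import hmac

# Added example (not from the patent text). Models the TCG measure/extend/quote/
# replay flow with SHA-256 PCRs and an HMAC standing in for the AIK signature.
# All software "images", names and keys are constructed here.

PCR_SIZE = 32                    # SHA-256 PCR width (constructed assumption)
ZERO_PCR = bytes(PCR_SIZE)       # PCRs start at zero on reset

def measure(image: bytes) -> bytes:
    """Digest of a piece of software, taken before it is executed."""
    return hashlib.sha256(image).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || digest). One-way and order-sensitive."""
    return hashlib.sha256(pcr + digest).digest()

def replay_log(log):
    """Replay a measurement list [(pcr_index, name, digest), ...] from zero PCRs."""
    pcrs = {}
    for index, _name, digest in log:
        pcrs[index] = extend(pcrs.get(index, ZERO_PCR), digest)
    return pcrs

def quote_digest(pcr_values):
    """Quote-digest: hash the selected PCR values in index order."""
    h = hashlib.sha256()
    for index in sorted(pcr_values):
        h.update(bytes([index]) + pcr_values[index])
    return h.digest()

def make_quote(pcrs, indices, aik_key):
    """Quote: the selected PCR values plus a signature over their digest."""
    selected = {i: pcrs.get(i, ZERO_PCR) for i in indices}
    digest = quote_digest(selected)
    return {"pcrs": selected, "sig": hmac.new(aik_key, digest, hashlib.sha256).digest()}

def verify_quote(q, aik_key):
    """Challenger side: recompute the quote digest and check the signature."""
    expected = hmac.new(aik_key, quote_digest(q["pcrs"]), hashlib.sha256).digest()
    return hmac.compare_digest(expected, q["sig"])

def evaluate_vm(log, q, aik_key, known_good, known_bad):
    """Check one VM: signature first, then log/PCR consistency, then policy."""
    if not verify_quote(q, aik_key):
        return False, "quote signature invalid"
    replayed = replay_log(log)
    for index, value in q["pcrs"].items():
        if replayed.get(index, ZERO_PCR) != value:
            return False, f"PCR {index} does not match replayed log"
    for _index, name, digest in log:
        if digest in known_bad:              # hash explicitly marked untrusted
            return False, f"untrusted software: {name}"
        if digest not in known_good:         # hash unknown to the evaluator
            return False, f"unknown measurement: {name}"
    return True, "trusted"

def attest_path(path, aik_key, known_good, known_bad):
    """Multi-step attestation: challenge each VM from the root VM to the target.
    An untrusted ancestor makes every descendant untrusted."""
    for vm in path:
        ok, reason = evaluate_vm(vm["log"], vm["quote"], aik_key, known_good, known_bad)
        if not ok:
            return False, f"{vm['name']}: {reason}"
    return True, "trusted"

# ---- constructed sample data ----
AIK_KEY = b"constructed-aik-key"
IMAGES = {"crtm": b"crtm-v1", "hypervisor": b"hv-v1", "mgmt-os": b"os-v1",
          "vm-launcher": b"launch-v1", "guest-kernel": b"guest-v1"}
KNOWN_GOOD = {measure(v) for v in IMAGES.values()}
KNOWN_BAD = {measure(b"rootkit-loader")}   # constructed "known untrusted" hash

def build_vm(name, entries, aik_key=AIK_KEY):
    """Simulate a VM booting: measure each image into its PCR, then produce a quote."""
    log = [(index, item, measure(IMAGES.get(item, item.encode()))) for index, item in entries]
    pcrs = replay_log(log)
    indices = sorted({i for i, _ in entries})
    return {"name": name, "log": log, "quote": make_quote(pcrs, indices, aik_key)}

def demo():
    root = build_vm("root-vm", [(0, "crtm"), (0, "hypervisor"), (1, "mgmt-os"), (1, "vm-launcher")])
    child = build_vm("child-vm", [(1, "guest-kernel")])
    good = attest_path([root, child], AIK_KEY, KNOWN_GOOD, KNOWN_BAD)

    # Ancestor started a known-bad loader: the child inherits the verdict.
    bad_root = build_vm("root-vm", [(0, "crtm"), (0, "hypervisor"), (1, "rootkit-loader")])
    tainted = attest_path([bad_root, child], AIK_KEY, KNOWN_GOOD, KNOWN_BAD)

    # Measurement list edited after quoting: replay no longer reproduces the PCR.
    edited = dict(root, log=root["log"][:-1])
    mismatch = attest_path([edited, child], AIK_KEY, KNOWN_GOOD, KNOWN_BAD)
    return good, tainted, mismatch

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of checks in `evaluate_vm` matters: the signature is verified before the log is replayed, so an unsigned or altered quote is rejected before any policy decision is made, and the replay check ties the log to the quoted PCR values so that entries cannot be dropped or reordered without detection.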