Shared computing resources (e.g., one or more servers, computer storage devices, etc.) may utilize virtualization or containerization to isolate users and services from one another. Virtualization may refer to the abstraction of one or more isolated virtual machines (“VMs”), which are virtual versions of computer hardware platforms, storage devices, and/or network resource(s) that are operated by a virtual machine monitor (“VMM”) and/or hypervisor on shared computing resources. Each VM may operate one or more applications to perform various functions and/or provide various services to an individual user. Containerization (also known as “operating system virtualization”) may refer to the abstraction of multiple isolated user-space instances that may operate their own applications or services, run on a single host, and access the same operating system (OS) kernel. Each user-space instance is referred to as a container: a virtualized, software-defined environment in which software applications can run in isolation from other software running on the physical host machine. Virtualization and/or containerization are used in various systems, including cloud computing systems, in order to isolate user/customer domains. For example, a cloud service provider (CSP) may offer compute and other infrastructure capabilities to various users, customers, and organizations (collectively referred to as “tenants” and the like) by consolidating hardware and software resources and sharing those resources between the various tenants.
The consolidation of resources in such systems may result in unique security and/or integrity challenges for both the CSP and the tenants. For instance, the tenants may operate workloads that abuse and/or waste computing resources, and in some cases, may interfere with the workloads of other tenants and/or CSP workloads. Tenant isolation through virtualization and/or containerization is one way to solve such trust issues. Where virtualization is used, the CSP may run tenant workloads in one or more corresponding VMs where the hypervisor or VMM is provided by the CSP. Where containerization is used, the CSP may run tenant workloads in one or more corresponding containers and the CSP may provide a virtualization layer or a trust layer to ensure that individual containers do not interfere with one another. In this way, virtualization or containerization may allow the CSP to be in control of the system hardware and provide some notion of isolation to tenants. While this model addresses some security issues from a CSP point of view, it does not provide assurance to the tenants that their data or applications are not being accessed by unauthorized users. Some solutions to address these concerns include duplicating VMM code across multiple tenant domains, resulting in inefficient memory usage. Additionally, since duplicated VMM code is encrypted using unique VM keys, such solutions do not allow the CSP to inspect VMM code to provide bug fixes, security patches, etc.
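The trade-off described above, a single CSP-owned VMM versus per-tenant VMM copies encrypted under unique tenant keys, can be made concrete with a small model. The following is an added example written for this page, not code from the original document or from any product it describes; the `Host`, `deploy_shared_vmm`, `deploy_duplicated_vmm` and `compare` names, the `VMM_CODE` stand-in, and the SHA-256 keystream used as a toy memory-encryption engine are all assumptions made for illustration.

```python
import hashlib
import os

# Constructed stand-in for a VMM code image; a real one is megabytes.
VMM_CODE = b"vmm image: vmexit handler, ept tables, scheduler v1.0"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (illustration only, not a
    real memory-encryption engine). XOR is its own inverse, so the same call
    both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Host:
    """Physical memory modelled as page id -> (owner, contents). Tenant keys
    are held by the (assumed) memory-encryption hardware, never by CSP software."""

    def __init__(self):
        self.pages = {}
        self._hw_keys = {}  # tenant id -> key, invisible to the CSP

    def memory_bytes(self) -> int:
        return sum(len(contents) for _, contents in self.pages.values())

    def csp_inspect(self, page_id: str):
        """The CSP can read its own plaintext pages. A tenant's page is only ever
        visible as ciphertext, so the CSP cannot audit or patch the VMM inside it."""
        owner, contents = self.pages[page_id]
        return contents if owner == "csp" else None

    def tenant_read(self, tenant: str, page_id: str) -> bytes:
        """Hardware decrypts a page for its owning tenant only."""
        owner, contents = self.pages[page_id]
        if owner != tenant:
            raise PermissionError(f"{tenant} does not own {page_id}")
        return keystream_xor(self._hw_keys[tenant], contents)


def deploy_shared_vmm(host: Host, tenants) -> int:
    """One CSP-owned plaintext VMM serves every tenant; returns memory used."""
    host.pages["vmm"] = ("csp", VMM_CODE)
    return host.memory_bytes()


def deploy_duplicated_vmm(host: Host, tenants) -> int:
    """One VMM copy per tenant, each encrypted under a unique tenant key;
    returns memory used, which grows linearly with the number of tenants."""
    for t in tenants:
        key = os.urandom(32)
        host._hw_keys[t] = key
        host.pages[f"vmm-{t}"] = (t, keystream_xor(key, VMM_CODE))
    return host.memory_bytes()


def compare(num_tenants: int) -> dict:
    """Side-by-side view of memory cost and CSP inspectability for both models."""
    tenants = [f"tenant{i}" for i in range(num_tenants)]
    shared, dup = Host(), Host()
    return {
        "shared_bytes": deploy_shared_vmm(shared, tenants),
        "duplicated_bytes": deploy_duplicated_vmm(dup, tenants),
        "csp_can_inspect_shared": shared.csp_inspect("vmm") == VMM_CODE,
        "csp_can_inspect_duplicated": dup.csp_inspect("vmm-tenant0") is not None,
        "tenant_sees_own_vmm": dup.tenant_read("tenant0", "vmm-tenant0") == VMM_CODE,
    }


if __name__ == "__main__":
    print(compare(4))
```

Running `compare(4)` shows the two costs the text names: the duplicated model consumes four times the VMM memory of the shared model, and the CSP's inspection of a tenant's VMM page returns nothing usable, while the owning tenant still decrypts its own copy intact and a different tenant is refused.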