Additional  Scenarios  Provisioning  Process

Boot in  shielded mode 

Host Guardian Service components:

• Attestation Service: contains information about the expected configuration of guarded hosts. Authorizes only legitimate guarded hosts to run the shielded VMs.
• Key Protection Service: contains keys needed for starting shielded VMs. Ensures that a given key is released only if the host is authorized and is in a Guarded Fabric specified by the VM owner.

[Figure: Host Guardian Service (HGS) running on a cluster; guarded Hyper-V hosts (guarded host in a Guarded Fabric) with shielded virtual machines VM01, VM02, VM03; users who request to start specific shielded VMs on the host. Labels: attestation requests and responses; key requests and responses.]

[Figure: disk layout, captioned "Encrypted with well-known passphrase". EFI System partition (unencrypted), Boot partition (encrypted), Root partition (encrypted). Labels: lsvmload, SHIM, grub, grub.cfg, Linux kernel, init program, Boot scripts, Rest of Linux.]

[Figure: disk layout. EFI System partition (unencrypted), Boot partition (encrypted), Root partition (encrypted). Labels: lsvmload, VSC, SHIM, grub, PA*, grub.cfg, Initial ramdisk, init program, Boot scripts, Rest of Linux. *Active boot loader]

[Figure: Shielding Data File (encrypted). Contents: ‘root’ password, timezone, IP address, ssh private key, other per-VM files ... Other labels: Cert used to sign VSC; Owner Key; Guarded Fabric #1, Guarded Fabric #2, ... Guarded Fabric #N.]

[Figure: disk layout, captioned "Each encrypted with a passphrase in ‘sealedkeys’". EFI System partition (unencrypted), Boot partition (encrypted), Root partition (encrypted). Labels: lsvmload*, SHIM, grub, sealedkeys ("Encrypted with key sealed in the vTPM"), specialization.aes ("Encrypted with LUKS/dm-crypt masterkey for boot partition"), grub.cfg, Linux kernel, Initial ramdisk, init program, Boot scripts, Rest of Linux. *Active boot loader]

• initramfs updated to get dm-crypt passphrase from a file
• lsvmload used as a precursor to the normal Linux boot shim
• lsvmload injects disk passphrases as a file into virtualized copy of initramfs
• I/O to encrypted boot partition is mediated by custom UEFI file I/O protocols

[Figure labels: Linux shim; grub; Linux kernel; initramfs gets dm-crypt passphrases from injected file. *First boot only]

[Figure: disk layout, captioned "Each encrypted with a passphrase in ‘sealedkeys’". EFI System partition (unencrypted), Boot partition (encrypted), Root partition (encrypted). Labels: lsvmload*, SHIM, grub, sealedkeys ("Encrypted with key sealed in the vTPM"), grub.cfg, Linux kernel, Initial ramdisk, init program, Boot scripts, Rest of Linux. *Active boot loader]

Wrap-Up