Running Linux in a Shielded VM

Running Linux in a Shielded VM

Additional Scenarios Provisioning Process Boot Linux in shielded mode Host Guardian Service Guarded Hyper-V hosts Users who request to start specific shielded VMs on the host Host Guardian Service components: VM03 Shielded Attestation requests Attestation Service: virtual VM02 and responses contains information about the machines expected configuration of guarded VM01 hosts. Authorizes only legitimate guarded hosts to run the shielded VMs. Key requests and responses Key Protection Service: contains keys needed for starting shielded VMs. Ensures that a given key is released only if the host is authorized Host Guardian Guarded host and is in a Guarded Fabric specified by Service (HGS) the VM owner. running on a cluster Encrypted with well-known passphrase EFI System partition Boot partition Root partition (unencrypted) (encrypted) (encrypted) grub.cfg init program Linux kernel Boot scripts lsvmload Initial ramdisk Rest of Linux SHIM grub EFI System partition Boot partition Root partition (unencrypted) (encrypted) (encrypted) grub.cfg init program PA* Linux kernel Boot scripts lsvmload Initial ramdisk Rest of Linux VSC SHIM grub *Active boot loader Shielding ‘root’ password Guarded Cert used to Fabric #1 Data File timezone sign VSC IP address Guarded ssh private key Fabric #2 Other per-VM files . Owner Key Guarded Encrypted Fabric #N Each encrypted with a passphrase in ‘sealedkeys’ EFI System partition Boot partition Root partition (unencrypted) (encrypted) (encrypted) grub.cfg init program Encrypted with lsvmload* Linux kernel Boot scripts key sealed in the vTPM sealedkeys Initial ramdisk Rest of Linux Encrypted with specialization.aes SHIM LUKS/dm-crypt masterkey for grub boot partition *Active boot loader • initramfs updated to get dm-crypt • Linux shim passphrase from a file • grub • lsvmload used as a precursor to the • Linux kernel normal Linux boot shim • lsvmload inject disk passphrases as a file into virtualized copy of initramfs • I/O to encrypted boot partition is mediated by custom UEFI file I/O protocols • initramfs gets dm-crypt *First boot only passphrases from injected file Each encrypted with a passphrase in ‘sealedkeys’ EFI System partition Boot partition Root partition (unencrypted) (encrypted) (encrypted) grub.cfg init program Encrypted with lsvmload* Linux kernel Boot scripts key sealed in the vTPM sealedkeys Initial ramdisk Rest of Linux SHIM grub *Active boot loader Wrap-Up .

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    24 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us