Description
With the increased demand for cloud technologies, there have been concerns regarding data confidentiality within third-party infrastructures. To address these concerns, technologies such as Confidential Computing have been developed and continue to be improved. However, Confidential Computing relies on hardware-based Trusted Execution Environments (TEE) [10], which can be a limiting factor for both research and development on these environments. In this thesis, we provide a solution to the problem that the requirement for such specialized hardware limits the availability of AMD SEV-SNP for research. To emulate the remote attestation mechanism inside an AMD SEV-SNP-backed CVM, we present an in-depth analysis of the structure of the attestation report (AR) request procedure. Considering that no TEE will exist inside the emulator, we look into the arguments of the AR and find various approaches by which our emulator can replace the original communication flow from the AMD Secure Processor (SP) to the Emulated CVM (ECVM). As part of the solution, we create a new kernel module, SEV_GUEST_EMU, which can both receive and respond to AR requests in the same way as the SEV_GUEST module inside a hardware-backed CVM. Since the emulator is software-based and requires no modifications to the host environment, one can run multiple ABIs and hardware versions on one machine, even if the machine does not contain the vendor-specific TEE. Thus, multiple versions of the AMD SEV-SNP specifications can be emulated at the same time without any need for specialized hardware. In our evaluation of the emulator, we conclude that it offers a flexible and scalable environment for users to analyze and develop tools, assuming the hypervisor is trustworthy. Since the emulator aims to run without the hardware-based TEE, it offers no confidentiality features.
Lastly, we identify possible improvements on the emulator and discuss important factors to consider for future work on emulating the remote attestation features of AMD SEV-SNP.