Virtual Trusted Platform Modules (vTPMs) are widely used in commercial cloud platforms (e.g., VMware Cloud, Google Cloud, and Microsoft Azure) to provide a virtual root of trust and security services for virtual machines. Unfortunately, current state-of-the-art vTPM implementations for cloud computing cannot provide strong protection for vTPMs at run time and suffer from poor performance when binding vTPMs to a physical TPM. In this paper, we propose SvTPM, an SGX-based virtual trusted platform module, which provides complete life-cycle protection of vTPMs in the cloud and does not rely on the physical TPM. SvTPM provides strong isolation protection so that malicious cloud tenants or even cloud administrators cannot access a vTPM's private keys or any other sensitive data. In this paper, we implement a prototype of SvTPM, which identifies and solves a couple of critical security challenges for vTPM protection with SGX, such as NVRAM rollback attacks, NVRAM binding attacks, and vTPM rollback attacks. SvTPM also shows how to establish trust between the vTPM and the SGX platform. Our performance evaluation shows that the NVRAM launch time of SvTPM is $1700\times$ faster than that of a vTPM built upon a hardware TPM. In TPM standard command evaluation, we find that SvTPM incurs negligible performance overhead while providing strong isolation and protection. To our knowledge, SvTPM is the first practical work to solve the critical security challenges of securing a vTPM using SGX.
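The NVRAM rollback and NVRAM binding attacks named above, modelled in an added Python example that is not SvTPM's code and does not claim to be the paper's mechanism: sealing is reduced to an HMAC tag under an assumed enclave-wide seal key (no encryption), the vTPM instance id and a monotonic counter value are authenticated together with the NVRAM contents, and the checks on unseal reject a replayed older blob (rollback) and a blob sealed for another vTPM instance (binding). The key, instance ids and NVRAM contents are constructed for the illustration.

```python
import hashlib
import hmac
import json


class MonotonicCounter:
    """Stand-in for a trusted monotonic counter (assumption: can only move forward)."""

    def __init__(self) -> None:
        self.value = 0

    def increment(self) -> int:
        self.value += 1
        return self.value


class SealedNvram:
    """Toy model of enclave-sealed vTPM NVRAM. One seal key is shared by all
    instances of the same enclave binary (as an SGX enclave-identity key is),
    so the vTPM instance id is authenticated explicitly (binding) and the
    counter value flags stale blobs (rollback). Encryption is omitted."""

    def __init__(self, seal_key: bytes, instance_id: bytes, counter: MonotonicCounter) -> None:
        self.key, self.instance_id, self.counter = seal_key, instance_id, counter

    def _tag(self, instance_id: bytes, version: int, payload: bytes) -> str:
        msg = instance_id + version.to_bytes(8, "big") + payload
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def seal(self, nvram: dict) -> dict:
        version = self.counter.increment()  # each seal advances the counter
        payload = json.dumps(nvram, sort_keys=True).encode()
        return {"instance_id": self.instance_id.hex(), "version": version,
                "payload": payload.decode(), "tag": self._tag(self.instance_id, version, payload)}

    def unseal(self, blob: dict) -> dict:
        instance_id, payload = bytes.fromhex(blob["instance_id"]), blob["payload"].encode()
        if not hmac.compare_digest(blob["tag"], self._tag(instance_id, blob["version"], payload)):
            raise ValueError("integrity check failed: blob was modified")
        if instance_id != self.instance_id:
            raise ValueError("binding check failed: blob belongs to another vTPM instance")
        if blob["version"] != self.counter.value:
            raise ValueError("rollback check failed: stale NVRAM blob replayed")
        return json.loads(payload)


def unseal_result(store: SealedNvram, blob: dict) -> str:
    """Return 'ok' or the name of the check that rejected the blob."""
    try:
        store.unseal(blob)
        return "ok"
    except ValueError as exc:
        return str(exc).split(":")[0]
```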