From: Jan Kiszka <jan.kiszka@siemens.com>
To: Joel Schopp <joel.schopp@amd.com>,
Shiva V <shivaramakrishnan740@gmail.com>,
kvm@vger.kernel.org
Subject: Re: Verifying Execution Integrity in Untrusted hypervisors
Date: Mon, 28 Jul 2014 20:31:00 +0200 [thread overview]
Message-ID: <53D696E4.50608@siemens.com> (raw)
In-Reply-To: <53D68593.6020803@amd.com>
On 2014-07-28 19:17, Joel Schopp wrote:
>
> On 07/25/2014 03:11 PM, Shiva V wrote:
>> Hello,
>> I am exploring on finding a way to ensure runtime integrity of
>>
>> a executable in untrusted hypervisors.
>>
>> In particular, this is my requirements:
>>
>> 1. I have a 2 virtual machines. (A, B).
>>
>> 2. VM-A is running some service (exe) inside it. For example any resource
>>
>> accounting service intended to monitor for VM-B.
>>
>> 3. I need a way to verify run time integrity from VM-B of the executable
>>
>> running inside VM-A.
>>
>> 4. Both the vm's are not privileged vm's and are just normal client virtual
>>
>> machines.
>>
>> 5. Underlying hypervisor is untrusted.
> If the hypervisor is untrusted you have broken the root of trust and are
> going to be pretty out of luck.
>
> Any solution will require a level below the hypervisor that you trust.
> An example would be hardware that isolates memory from the hypervisor,
> ie
> https://www.google.com/patents/WO2013054528A1?cl=en&dq=Joel+Schopp&hl=en&sa=X&ei=YYPWU6aVJNProATe5IHACQ&ved=0CDMQ6AEwAw
The hypervisor has full control of and insight into the guest vCPU
state. Only protecting some portions of guest memory seems insufficient.
We rather need encryption of every data that leaves the CPU or moves
from guest to host mode (and decryption the other way around). I guess
that would have quite some performance impact and is far from being easy
to integrate into modern processors. But, who knows...
Jan
--
Siemens AG, Corporate Technology, CT RTC ITP SES-DE
Corporate Competence Center Embedded Linux
next prev parent reply other threads:[~2014-07-28 18:31 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-25 20:11 Verifying Execution Integrity in Untrusted hypervisors Shiva V
2014-07-25 20:52 ` Paolo Bonzini
[not found] ` <CAAQucXZWvbE0MJyEEeo=6hkwBJi0WkmixcuCzGEXLaZX1+6ziQ@mail.gmail.com>
2014-07-25 22:06 ` Paolo Bonzini
2014-07-26 19:56 ` Andrey Korolyov
2014-07-28 17:17 ` Joel Schopp
2014-07-28 18:31 ` Jan Kiszka [this message]
2014-07-28 20:27 ` Paolo Bonzini
2014-07-28 21:17 ` Nakajima, Jun
2014-07-29 5:35 ` Jan Kiszka
2014-07-31 18:25 ` Shiva V
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53D696E4.50608@siemens.com \
--to=jan.kiszka@siemens.com \
--cc=joel.schopp@amd.com \
--cc=kvm@vger.kernel.org \
--cc=shivaramakrishnan740@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox