From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jan Kiszka <jan.kiszka@siemens.com>
Subject: Re: Verifying Execution Integrity in Untrusted hypervisors
Date: Mon, 28 Jul 2014 20:31:00 +0200
Message-ID: <53D696E4.50608@siemens.com>
References: <loom.20140725T215916-638@post.gmane.org> <53D68593.6020803@amd.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
To: Joel Schopp <joel.schopp@amd.com>,
	Shiva V <shivaramakrishnan740@gmail.com>, kvm@vger.kernel.org
Return-path: <kvm-owner@vger.kernel.org>
Received: from thoth.sbs.de ([192.35.17.2]:50667 "EHLO thoth.sbs.de"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751496AbaG1SbN (ORCPT <rfc822;kvm@vger.kernel.org>);
	Mon, 28 Jul 2014 14:31:13 -0400
In-Reply-To: <53D68593.6020803@amd.com>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

On 2014-07-28 19:17, Joel Schopp wrote:
> 
> On 07/25/2014 03:11 PM, Shiva V wrote:
>> Hello,
>> I am exploring on finding a way to ensure runtime integrity of 
>>
>> a executable in untrusted hypervisors.
>>
>> In particular, this is my requirements:
>>
>> 1. I have a 2 virtual machines. (A, B). 
>>
>> 2. VM-A is running some service (exe) inside it. For example any resource 
>>
>> accounting service intended to monitor for VM-B.
>>
>> 3. I need a way to verify run time integrity from VM-B of the executable 
>>
>> running inside VM-A.
>>
>> 4. Both the vm's are not privileged vm's and are just normal client virtual 
>>
>> machines.
>>
>> 5. Underlying hypervisor is untrusted.
> If the hypervisor is untrusted you have broken the root of trust and are
> going to be pretty out of luck.
> 
> Any solution will require a level below the hypervisor  that you trust. 
> An example would be hardware that isolates memory from the hypervisor,
> ie
> https://www.google.com/patents/WO2013054528A1?cl=en&dq=Joel+Schopp&hl=en&sa=X&ei=YYPWU6aVJNProATe5IHACQ&ved=0CDMQ6AEwAw

The hypervisor has full control of and insight into the guest vCPU
state. Only protecting some portions of guest memory seems insufficient.

We rather need encryption of every data that leaves the CPU or moves
from guest to host mode (and decryption the other way around). I guess
that would have quite some performance impact and is far from being easy
to integrate into modern processors. But, who knows...

Jan

-- 
Siemens AG, Corporate Technology, CT RTC ITP SES-DE
Corporate Competence Center Embedded Linux