2022
Conference Paper
Title

CoCoTPM: Trusted Platform Modules for Virtual Machines in Confidential Computing Environments

Abstract
Cloud computing has gained popularity and is increasingly used to process sensitive and valuable data. This development necessitates the protection of data from the cloud provider and results in a trend towards confidential computing. Hardware-based technologies by AMD, Intel and Arm address this and allow the protection of virtual machines and the data processed in them. Unfortunately, these hardware-based technologies do not offer a unified interface for necessary tasks like secure key generation and usage or secure storage of integrity measurements. Moreover, these technologies are oftentimes limited in functionality, especially regarding remote attestation. On the other hand, a unified interface is widely used in the area of bare-metal systems to provide these functionalities: the Trusted Platform Module (TPM). In this paper, we present a concept for an architecture providing TPM functionalities for virtual machines in confidential computing environments. We name it Confidential Computing Trusted Platform Module, short CoCoTPM. Different from common approaches for virtual machines, host and hypervisor are not trusted and are excluded from the trusted computing base. Our solution is compatible with existing mechanisms and tools utilizing TPMs and thus allows the protection of virtual machines in confidential computing environments without further adaptation of these mechanisms and tools. This includes storage of integrity measurements during a measured boot and for the Integrity Measurement Architecture, full disk encryption bound to these measurements, usage of an OpenSSL provider for TLS connections, and remote attestation. We show how our concept can be applied to different hardware-specific technologies and have implemented it for AMD SEV and SEV-SNP.
Author(s)
Pecholt, Joana
Fraunhofer-Institut für Angewandte und Integrierte Sicherheit AISEC
Wessel, Sascha
Fraunhofer-Institut für Angewandte und Integrierte Sicherheit AISEC
Mainwork
38th Annual Computer Security Applications Conference, ACSAC 2022. Proceedings
Conference
Annual Computer Security Applications Conference 2022
DOI
10.1145/3564625.3564648
Language
English
Fraunhofer-Institut für Angewandte und Integrierte Sicherheit AISEC
Keyword(s)
  • Confidential Computing
  • Measured Boot
  • Remote Attestation
  • System Security
  • TPM
  • Virtualization