WO2012148324A1 - Secure virtual machine provisioning - Google Patents

Secure virtual machine provisioning Download PDF

Info

Publication number
WO2012148324A1
WO2012148324A1 PCT/SE2011/050502 SE2011050502W WO2012148324A1 WO 2012148324 A1 WO2012148324 A1 WO 2012148324A1 SE 2011050502 W SE2011050502 W SE 2011050502W WO 2012148324 A1 WO2012148324 A1 WO 2012148324A1
Authority
WO
WIPO (PCT)
Prior art keywords
target platform
provisioning
unit
key
virtual machine
Prior art date
Application number
PCT/SE2011/050502
Other languages
French (fr)
Inventor
Christian Gehrmann
András MÉHES
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonaktiebolaget Lm Ericsson (Publ) filed Critical Telefonaktiebolaget Lm Ericsson (Publ)
Priority to EP11864525.8A priority Critical patent/EP2702724B1/en
Priority to US14/111,212 priority patent/US9264220B2/en
Priority to PCT/SE2011/050502 priority patent/WO2012148324A1/en
Publication of WO2012148324A1 publication Critical patent/WO2012148324A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/006Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving public key infrastructure [PKI] trust models
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149Restricted operating environment
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2153Using hardware token as a secondary aspect
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12Details relating to cryptographic hardware or logic circuitry
    • H04L2209/127Trusted platform modules [TPM]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Definitions

  • the invention relates generally to a method and device for secure
  • provisioning of a virtual machine on a target platform and in particular to secure provisioning that establishes that the target platform is a trusted target platform.
  • Virtualization allows the running of unmodified legacy applications on hardware platforms. This is realized through on-theiy translation from one hardware instruction set to another with the assistance of a so-called hypervisor or Virtual Machine Monitor (VMM).
  • VMM runs in a so called “most privileged mode" in a computer system running a virtual machine and has full control over vital system resources.
  • a VMM-based system does not only allow instruction translation, but increased system utilization as multiple Virtual Machines (VMs) can run simultaneously on a single powerful hardware platform, opening for different business models. This implies, for example, that existing services can rather easily be migrated into large computing clusters, often referred to as "the cloud”.
  • VMM solutions are VMWare, Xen and KVM. Differences in underiying technology of the VMMs provides differences in the operation and performance of for example the above mentioned VMMs.
  • VMWare is a VMM with the ability of running directly on server hardware without requiring an additio ml underiying operating system
  • VMware software provides a completely virtualized setof hardware to the guest operating system and uses the CPU to run code directly whenever possible and a dynamic re-write code process called "binary translation" when the code needs to be migrated to a different CPU architecture.
  • Xen is a VMM that allows several guest operating systems to execute on the same computer hardware concurrently. On most CPUs, Xen uses a form of virtualization known as paravirtualization, meaning that guests run a modified operating system using a special hypercall AH instead of certain architectural features.
  • paravirtualization a form of virtualization known as paravirtualization, meaning that guests run a modified operating system using a special hypercall AH instead of certain architectural features.
  • KVM Kernel-based Virtual Machine
  • Iinux operating system's kernel in order to virtualize a system, which gives good performance since user-space drivers can be avoided.
  • Trusted Platform Module
  • the ⁇ enables secure generation of cryptographic keys, protected computation and shielded storage.
  • the ⁇ includes capabilities such as Ifemote attestation, Hnding and Sealing. Ifemote attestation creates a secure signature over the current platform configuration in the form of signed hash values. This allows a remote third party to verify if trusted or untrusted software has been installed on the platform Hnding and sealing enables the usage of a particular private unique RSA (Kvest, Shamir and Adleman) key to be restricted to a certain platform state.
  • RSA Kerman
  • the state is determined through the current values in me so-called Hatforai Configuration Ffegisters (FCRs) in the TFM.
  • FCRs Hatforai Configuration Ffegisters
  • the FCFfe stores hash values of the software blocks that have been loaded into the platform.
  • the ESA key is a private and public key pair is generated within the TFM or transferred to the TFM at production.
  • the public RSA key may be used by third parties to Bicryptdata such that access (through restricted usage of the
  • TFM Trusted Flatform Module overview
  • Virtualization technologies as such can provide secure isolation and protect different VMs that run on a shared platform while being isolated from each other, but the isolation as well as other security properties of the system can only be guaranteed as long as a trusted VMM version is in use and trusted VMM
  • a provisioning unit for secure provisioning of a virtual machine on a target platform having a specific configuration.
  • the provisioning unit comprising an encryption unit, adapted to encrypt a virtual machine provisioning command using a public binding key received from the target platform and bound to the specific configuration, and a sending unit adapted to send the encrypted virtual machine provisioning command to the target platform.
  • the method comprising receiving a public binding key from the target platform, the public binding key being bound to the specific configuration, encrypting a virtual machine provisioning command using the public binding key, and sending the encrypted virtual machine provisioning command, to the target platform.
  • the sending unit is further adapted to send a configuration information re quest to the target platform
  • the provisioning unit further comprises a receiving unit adapted to receive information on the specific configuration, from the target platform, in response to the request The received information can be used by the provisioning unit or an intermediate gateway to determine that the target platform is the intended target platform
  • the receiving unit is adapted to receive information on the specific configuration based on at least one of: the hardware configuration, and the software configuration.
  • the received information may be received from a Trusted Ha tfo mi Module of the target platform
  • the encryption unit is further adapted to encrypt the virtual machine provisioning command using a symmetric key created by the provisioning unit, and encrypt the symmetric key with the public binding key
  • the sending unit is further adapted to send the encrypted symmetric key to the target platform Ey using a symmetric key for encrypting the provisioning command, large amounts of data may be included in the provisioning command.
  • the provisioning unit further comprises a verifying unit adapted to verify that the specific information on the configuration identifies a trusted target platform by comparing the received configuration information with information on trusted configurations which have been stored in a database.
  • the provisioning unit is further adapted to enter the sending of the provisioning command into a log, such that the history of occurred actions is preserved.
  • the sending unit is further adapted to send a binary version of a virtual machine and parameters enabling the virtual machine to execute on the target platform
  • the sending unit is further adapted to send a key request to the target platform
  • the receiving unit is adapted to receive the public binding key in response to the key request
  • the provisioning unit is further adapted to sign the encrypted provisioning command with a key unique to the provisioning unit
  • a target platform having a specific configuration comprising a receiving unit adapted to receive a virtual machine provisioning command encrypted by a public binding key bound to the specific configuration.
  • a method in a target platform of receiving secure provisioning commands comprising receiving a virtual machine provisioning command encrypted using a public binding key bound to the specific configuration.
  • the receiving unit is further adapted to receive a request for the public binding key and configuration information from a provisioning unit
  • the target platform further comprises a sending unit adapted to send the public binding key and information on the specific configuration, in response to the request
  • the sending unit is adapted to send the public binding key generated by a Trusted Hatform Module of the target platform
  • the sending unit is further adapted to send configuration information based on at least one of: the hardware configuration and the software configuration obtained from a Trusted Hatform Module of the target platform.
  • the receiving unit is further adapted to receive an encrypted symmetric key and the encrypted virtual rmchine provisioning command encrypted with the symmetric key.
  • the symmetric key is decrypted by the Trusted Hatform Module using a private binding key bound to the specific configuration, and the target platform further comprises a calculating unit adapted to use the symmetric key for decrypting the virtual rmchine provisioning command.
  • the receiving unit is adapted to receive a binary version of a virtual rmchine and parameters enabling the virtual machine to execute on the target platfor
  • Jig. 1 is an overview of an arrangement and method for secure virtual machine provisioning, according to some possible embodiments.
  • Jig. 2 is a block diagram showing a provisioning unit for secure
  • Jig. 3 is a block diagram showing a target platform for a virtual machine, according to one embodiment
  • Jig. 4 is a flow chart showing a method in a provisioning unit for secure provisioning of a virtual machine, according to one embodiment
  • Jig. 5 is a flow chart showing a method in a target platform for secure provisioning of a virtual machine, according to one embodiment
  • Jig. 6 is a signaling diagram showing an embodiment for secure
  • Jig. 7 shows an overview of a virtualized computer system
  • An arrangement and method for secure provisioning of a virtual machine on a target platform are provided.
  • the secure provisioning is enabled by encrypting a provisioning command, to be sent to the target platform, in a provisioning unit, using a public binding key cryptographically bound to the target platform and to the particular configuration of the target platform on which the virtual rmchine should be provisioned.
  • the provisioning unit can establish that the virtual rmchine is launched or provisioned on a trusted and intended target platform
  • the public binding key used for encrypting the provisioning command can be bound to any configuration of target platforms, using any virtualization technology, the secure provisioning is possible independent of the VMM or the actual protocols used between provisioning unit 103 and target platform 107
  • Jig. 1 is an overview of an exeirplifying embodiment of secure
  • a resource is herein referred to as a "target platform 107", “trusted target platform 107” or “virtual machine platform 107".
  • a resource provider network 109 of virtualized resources is generally referred to as a "cloud”.
  • the resource provider network 109 is managed by a provisioning unit 103 adapted to launch and manage virtual machines on the target platforms 107 in the resource provider network ROvisioning unit 103 is to be understood in a broad sense as a unitconnected to, and capable of provisioning or managing the virtual machine on a target platform 107.
  • the provisioning unit may be an operator management unit enabling the operator to manage a virtual machine.
  • the provisioning unit 103 could be a unit in a node in large network, or a unit in a single or distributed datacenter (sorratimes referred to as a private cloud), or a storage controller in a Storage Area Network (SAN) or a unit in a single computer with virtualized features.
  • SAN Storage Area Network
  • the provisioning unit 103 is in connection with a database 111, which enables the provisioning unit 103 to perform a look-up.
  • the database 111 comprises stored information on configurations, which for example could be in the form of stored platform configuration register (PCR) parameters of trusted platform configurations received from a Trusted Hatform Module (TFM) of the target platform or from a data base with trusted reference (FCK) parameters.
  • PCR stored platform configuration register
  • TPM Trusted Hatform Module
  • FCK data base with trusted reference
  • the lookup could be performed by the target platform 107, in which case the database 111 is connected to the target platform 107 instead of to the provisioning unit 103.
  • the provisioning unit 103 may be in communication with the target platform 107 via a gateway 105 (further described in fig. 6) which could locate a suitable platform, authenticate the provisioning unit 103 and establish a secure channel between the provisioning unit 103 and the gateway 105.
  • a gateway 105 further described in fig. 6 which could locate a suitable platform, authenticate the provisioning unit 103 and establish a secure channel between the provisioning unit 103 and the gateway 105.
  • the method is initiated with a receipt of a service request 201 from a service requesting client 101.
  • the provisioning unit 103 or the gateway uses a discovery mechanism to find a suitable free target platform 107 in the platform provider network 109.
  • a discovery mechanism is a protocol thatallows the provisioning unit to request a list of available platform resources based on discovery request criteria.
  • the platform provider network 109 may pre-assign a target platform 107 for use by the provisioning unit 103, in which case the discovery step may be omitted altogether.
  • the provisioning unit sends a request for a public binding key and configuration information 202, to the target platform 107.
  • the request for configuration information could be a request for the target platform's 107 current virtualization layer and hardware platform configuration status (an example of which is described with reference to fig. 7).
  • the target platform 107 sends configuration information 203 associated with the specific configuration of the target platform 107 to the provisioning unit 103 and a public binding key.
  • the public binding key is the public part of the binding key pair where the usage of the private binding key partis bound to the specific configuration of the target platform 107 (as described in the background section).
  • the public binding key is used to encrypt a provisioning command such that the provisioning command only can be decrypted by the target platform holding the corresponding private key, when the target platform has the specific configuration.
  • the provisioning unit 103 After receipt of the configuration information, the provisioning unit 103 optionally verifies that the target platform 107 is a trusted target platform 107 by performing a look-up 205/ 207 in a database 111 in connection with the provisioning unit 103.
  • the target platform 107 After receipt of the encrypted provisioning command, the target platform 107 asks the ⁇ to decrypt the provisioning command using the private binding key. ff the provisioning command is encrypted by a symmetric key which in turn is encrypted with the public bonding key, the target platform 107 asks the ⁇ to decrypt the symmetric key using the private binding key and the target platform 107 then uses the symmetric key to decrypt the provisioning command.
  • the private binding key is bound to the reported configurations of the target platform 107 and the ⁇ only allows the target platform to use it when the platform is in a state that corresponds to the reported configuration (enforced by the ⁇ ).
  • the provisioning unit can be certain that the VM is provisioned on a target platform having the specific configuration on the basis of which the public binding key was created (see description of TFM in Background).
  • the provisioning of the VM comprises the launching of the VM, in which case the provisioning command comprises a special VM launch package containing the VM image and necessary configuration information.
  • the target platform 107 has the correct configuration, it will be able to request a decryption of a secret key by usage of the private binding key inthe TFM and decrypt the VM launch package (as previously described) and launch the VM on the trusted target platform 107.
  • the service provider who runs services as VMs on target platforms 107, is ensured that the virtualization software and configurations of the platform are trusted for launcliing a VM on a particular target platform 107. iurthermore, the provider can make sure that the particular service launched on the target platform 107 is crypto graphically bound to only run on a trusted platform and with trusted configurations by further management commands being encrypted with the public binding key.
  • the target platform 107 can generate a public identifier "VM Handle” or "VM Token” which is a reference to a "session key” forVM provisioning/ management which could be included in the encrypted launch package for further provisioning/ management actions.
  • VM Handle or "VM Token” which is a reference to a "session key” forVM provisioning/ management which could be included in the encrypted launch package for further provisioning/ management actions.
  • the provisioning command which may include a launch or provisioning package, is encrypted with a symmetric key.
  • Ehcrypting the provisioning command using a symmetric key may be necessary since the VM configuration may comprise considerable data amounts.
  • the symmetric key may in turn be encrypted by the public binding key received from the target platform, such that only the target platform can decrypt the symmetric key and use it for decrypting the provisioning command and only when the target platform is in the specific state.
  • the target platform 107 may verify (through a certificate or similar) a provisioning unit signature to establish that the provisioning unit is a trusted provisioning unit and may report the provisioning or launch in a log file, which ensures that the service provider cannot repudiate the provisioning command.
  • Jig. 2 is a block diagram of an embodiment of the provisioning unit 103 of fig. 1 in further detail.
  • the provisioning unit 103 comprises a sending unit 121 adapted to send the virtual rmchine provisioning command 209 encrypted using a public binding key bound to the target platform 107 configuration, to the target platform 107, thereby enabling secure provisioning of the VM.
  • the provisioning unit 103 can make certain that the target platform 107 remains in the specific configuration.
  • the sending unit may further be adapted to send a request202 for the public binding key and configuration of the target platform, to the target platform 107.
  • the target platform 107 has a specific configuration related to the hardware, the software, the firmware, the ⁇ , the VMM or applications riinning on the target platform.
  • the target platform sends the public binding key generated by the TEM of the target platform, and configuration information 203 to the provisioning unit 103.
  • the provisioning unit 103 comprises a receiving unit 123 adapted to receive the public binding key and configuration information 203.
  • the provisioning unit 103 further comprises an encryption unit 125 in connection with the receiving unit 123.
  • the encrypting unit 125 is adapted to encrypt pro visioning command to be sent to the target platform using the received 203 binding key.
  • me receiving unit 123 is further adapted to receive a service request 201 from a service requesting client 101, however this should be considered as optional since the provisioning unit 103 could act without a direct input from a service requesting client 101.
  • the virtual imchine provisioning command 209 is a VM launch package for launching a VM on a target platform 107.
  • Bv encrypting the VM launch package using the public binding key received from the target platform 107 , the provisioning unit could be guaranteed that the virtualization software and configurations of the target platform 107 are trusted for launching a VM on a particular target platform 107.
  • the provisioning unit may furthermore comprise a verifying unit 127 connected to the receiving unit 123.
  • the verifying unit 127 is adapted to verify that the specific configuration of the target platform 107 is trusted.
  • the verifying process may be implemented by comparing the received configuration information 203 with information on trusted configurations which have been stored in a database 111.
  • the action of comparing the received configuration information 203 with information on trusted configurations could be performed as a look-up, where the verification unit 127 sends a look-up request205 to the database 111 and receives a look-up response 207 which could be interpreted by the verification unit 127 to determine if the specific configuration of the target platform 107, is trusted.
  • the verification process could be performed in the target platform 107 and in further alternative embodiments, the target platform 107 could be assigned by the service requesting client, in which case the target platform 107 is considered to be trusted and no further verification is required.
  • the symmetric key is in turn encrypted by the public binding key received from the target platform 107, such that the target platform 107 only can access the symmetric key and thereby the provisioning command encrypted with the symmetric key by accessing the private binding key generated by the TFM, which is only possible when the target platform has the specific configuration
  • Jig. 3 is a block diagram showing an embodimentof a target platform 107, which may be the target platform of fig. 1 and 2.
  • the target platform 107 has a specific configuration
  • the target platform 107 comprises a receiving unit 133 adapted to receive a configuration information request 303 from the provisioning unit l03.
  • the target platform 107 further comprises a sending unit 131 adapted to send configuration information 305 associated with the specific configuration of the target platform 107 to the provisioning unit 103, in response to the request
  • the receiving unit 133 is further adapted to receive a virtual rmchine provisioning command encrypted by the public binding key bound to the specific configuration of the target platform 107.
  • the target platform 107 Upon receiptof the provisioning command, the target platform 107 asks the TFM 136 to decrypt the provisioning command using the private binding key bound to the specific configuration of the target platform 107, i.e the target platform 107 can only decrypt the provisioning command when in the specific configuration
  • the virtual rmchine provisioning command is encrypted by a symmetric key, which is encrypted by the public binding key and provided together with the encrypted provisioning command.
  • the symmetric key is being decrypted by the ⁇ through using the private binding key, which is possible only when the target platform is in the specific configuration
  • the decrypted symmetric key is used by the target platform to decrypt the provisioning command.
  • the target platform 107 is furthermore optionally adapted to decrypt the virtual rmchine provisioning command using a symmetric key received at the receiving unit 133.
  • the received virtual machine provisioning command could be symmetrically encrypted using the symmetric key and sent together with the symmetric key, which in turn is encrypted by the public binding key bound to the target platform
  • the encrypted symmetric key is first decrypted and then used by a calculating unit 139 of the target platform 107 for decrypting the virtual rmchine provisioning command.
  • Jig. 4 is a flowchart of an exeirplifying method in a provisioning unit, e.g. the provisioning unit 103 of figs. 2 and 3, for secure provisioning of a VM on a target platform
  • the provisioning unit sends a request for public binding key and configuration information to a target platform 402, and in response thereto receives 404 configuration information and the public binding key from the target platform
  • the configuration information is associated with the specific configuration of the target platform and could for example be information related to the software, hardware or TFM of the target platform
  • the provisioning unit verifies 405 thatthe target platform is a trusted target platform by comparing the specific configuration with configurations of trusted target platforms. The verification could e.g. be done according to the Trusted Computer Group (ICG) attestation procedure.
  • ICG Trusted Computer Group
  • the virtual rmchine provisioning command is encrypted with a symmetric key 409, which in turn is encrypted by the public binding key received from the target platform 410.
  • the encrypted virtual machine provisioning command and symmetric key is sent to the target platform, thus enabling secure provisioning of the target platform
  • the provisioning of the VM is a launch of a VM, in which case the launch command is encrypted by the public binding key received from the target platform The launch command along with the VM
  • configurations and the VM identity can be encrypted using a symmetric key which in turn is encrypted by the public binding key, which ensures that the VM can only be launched on the intended target platform, because only that target platform can access the corresponding private binding key and decrypt the symmetric key used for decryption of the launch command.
  • Jig. 5 is a flow chart of an embodiment of a method of secure
  • provisioning of a VM as executed in a target platform Firstly, configuration information and binding key request is received 503 from a provisioning unit In response to the request, the target platform sends 505 configuration information associated with the specific configuration of the target platform and the public binding key to the provisioning unit The configuration information could for example be one or more parameters associated with a current state of the platform configuration register.
  • the target platform receives 509 a virtual machine provisioning command from the provisioning unit, the virtual machine provisioning command being encrypted by the public binding key received from the target platform.
  • the provisioning command is encrypted by a symmetric key, which in turn is encrypted by the public binding key and appended to the provisioning command.
  • the public binding key is generated by the ⁇ of the target platform, which holds the corresponding private key, and thereby bound to the configuration of the target platform.
  • the target platform After receipt 509 of the encrypted provisioning command, the target platform decrypts 512 the VM provisioning command using the private binding key generated by the ⁇ , which can be accessed only when the target platform has the specific configuration.
  • Jig. 6 is a signaling diagram of an embodiment in which the method of secure provisioning is implemented in a virtualized computer system.
  • the target platforms 107 e.g. any of the target platforms previously described, authenticates all service requests 601 from clients 101 through a platform provider gateway 105 which authenticates and establishes a secure channel between the provisioning unit 103 and the gateway 105.
  • the provisioning unit 103 ensures that it connects to a trusted resource target platform 107.
  • standard VF Virtual Hivate Network
  • IKE Internet Exchange
  • the provisioning unit 103 After the establishment of the secure connection, the provisioning unit 103 issues a resource discovery request601b to gateway 105 searcliing for a particular resource (target platform 107) or resource type and gets a response 601c from the gateway 105 with a handle that can be used by the provisioning unit 103 to perform a resource connect601d, to connect to the target platform 107.
  • a handle for the target platform 107 may be provided to the service provider outofband, in which case explicit discovery is not needed.
  • connection to a platform provider gateway 105 may also be omitted, and the provisioning unit may connect directly to the target platform 107.
  • the provisioning unit Before provisioning or launcliing a VM to a particular target platform, the provisioning unit needs to verify the integrity of the Trusted Computing Base (TCB) of the target platform, i.e., the hardware and software parts of the platform upon which the security of the platform depends like the hardware, virtualization layer software and VMM configurations in an attestation step. This is for example done according to the Trusted Computer Group (TCG) attestation procedure.
  • TCG Trusted Computer Group
  • the attestation starts with the provisioning unit sending a request 604a to the Target Hatform 107 with a request to report its integrity state comprising configuration information of the target platform
  • the target platform Management Agent requests the Integrity Manager to generate an Attestation Response 604b.
  • the Attestation Response 604b comprises configuration information of the target platform 107 which for example could be the current state of the Hatform Configuration Registers (FCRs) and the Integrity Report
  • the ⁇ on the target platform 107 is requested to sign the current state of the Hatform Configuration Registers with the ⁇ identity key.
  • the Integrity Report could be generated according to the Trusted Computing Group Integrity Schema.
  • the integrity report is signed using the ⁇ identity key which ensures that it belongs to the Trusted Hatform identified in an AK-Certificate (Attestation Identity Key Certificate).
  • the configuration information in form of the current platform configuration registers state; the Integrity Report and the AK-Certificate are received by the provisioning unit 103 as the attestation response 604b.
  • the provisioning unit validates the AK-Certificate and the signatures and verifies the received integrity report with the trusted reference metrics, using, for example, a lookup i.e. comparing the
  • the provisioning unit 103 After receipt of the attestation response 604b the provisioning unit 103 computes a cryptographic one-way hash hi of the received attestation response 604b to be used in the provisioning step.
  • a key request 606a is sent to the target platform 107.
  • the target platform 107 sends a key response 606b comprising a public bind key generated by the THVI of the target platform 107 and having a corresponding private key held by the ⁇ and being bound to the specific configuration of the target platform 107.
  • me target platform computes a hash h2 of me key response 606b to be used in me provisioning step.
  • a virtual machine provisioning command is men encrypted using a symmetric key.
  • the symmetric encryption is only necessary in embodiments where me provisioning command contains large amounts of data.
  • the symmetric key is in turn encrypted by me public binding key received by me provisioning unit
  • the virtual machine provisioning command is men sent 612 to me target platform 107 mat decrypts me provisioning command using me private binding key which is generated by me TFM.
  • the provisioning of me VM could be a launch of a VM, in which case me launch is encrypted using me public binding key, which means mat me VM will only be able to launch on me target platform 107 with me reported unique setof configurations.
  • a symmetric key is used to encrypt me VM along with me VM identity and related target platform configurations, if mis concerns considerable amounts of data.
  • the symmetric key is in turn encrypted using me public binding key received from me target platform 107, which ensures mat me VM can only be launched on me intended target platform 107.
  • provisioning unit appends me second cryptographic one-way hash h2 of me key response to me first cryptographic one-way hash hi, and computes h, a hash of hi combined wim h2, for example hi concatenated wim h2, which is also sent 612 to me target platform 107 along with me restof me provisioning command.
  • the provisioning unit 103 may also cryptographically sign me VM launch message so mat me service provider cannot repudiate me launch later on [00077]
  • me target platform 107 decrypts the symmetric key using the private binding key, if symmetric encryption is used, and then decrypts the VM launch credentials using the symmetric key, and optionally verifies the provisioning unit launch signature.
  • the target platform 107 performs necessary validations and optionally checks operator license for VM launch rights, and optionally also updates corresponding charging records. It then launches the service provider VM and sends a virtual machine handle 613 to the provisioning unit 103.
  • the target platform also generates a "virtual rmchine token", which is returned to the provisioning unit encrypted with a suitable provisioning unit encryption key sent to the target platform as partof the protected launch command.
  • This "virtual machine token" along with the "virtual machine handle” can then be used to issue other provisioning commands (e.g. shutdown, reboot, pause, resume, etc.) concerning this VM, in similar protocol runs, where the VM launch message is replaced by a virtual rmchine provisioning message including a proof that the provisioning unit knows the virtual machine token.
  • a service acknowledgement 613 is returned to the requesting client 101 along with the virtual rmchine handle which enables the client to connect 614 to the VM on the target platform 107.
  • JIG. 7 is a block diagram of an exemplifying embodiment of a virtualized computer system providing a plurality of virtual machine platforms 107 or target platforms 107. ibr the purpose of this description, virtual machine platform and target platform is to be understood as synonymous, the target platform is the virtual rmchine platform being target for the communication from the provisioning unit
  • the embodiment of fig. 1 is an example of a virtualized computer system and in alternative embodiments, which could be used in methods described herein; components described with reference to fig. 1 may be excluded or combined.
  • a host system 10 is a platform on which several virtual rmchines may run simultaneously.
  • the host system includes hardware 14 comprising a processor, which may be a single CPU (Central processing unit), or could comprise two or more processing units,
  • the processor may include general purpose microprocessors, instruction set processors and/ or related chips sets and/ or special purpose microprocessors such as ASICs (Application Specific Integrated Circuit).
  • the processor may also comprise board memory for caching purposes.
  • the hardware 14 further comprises memory, which may for example be a flash memory, a RAM (Random-access memory), a ROM (Read-Only Memory) or an EEPROM (Electrically Erasable Programmable ROM).
  • the hardware 14 could further comprise a network interface, input device (s), output de vie e(s), and/ or mass storage device(s).
  • the host system 10 further comprises a special hardware module, the Trusted Platform Module ( ⁇ )15, thathas the ability of storing integrity
  • the ⁇ 15 can be accessed by an external verifier to get a report on the current platform state.
  • the ⁇ 15 could be implemented in a software module, a so called virtual ⁇ (vTPM).
  • the host system 10 according to the exeirplifying embodiment shown in fig. 1 further comprises a firmware module 13 which may be implemented as machine accessible instructions to bootthe host system 10.
  • the firmware 13 may be partof or include the basic input output system (BIOS) of the host system 10.
  • BIOS basic input output system
  • the host system 10 further comprises a Virtual Machine Monitor (VMM) 11 or hypervisor, which may be a firmware or a software component that is configured to enable multiple VMs running simultaneously and support a series of virtual environments or virtual machine platforms 107.
  • VMM 11 ensures that the operation of each of the plurality of VMs does not interrupt the operation of any other VM.
  • VMM is exposed to threats both from external and internal sources and if the VMM is compromised this could affect the whole system.
  • the host system 10 of the embodiment disclosed with reference to fig. 7 supports a plurality of virtual niachine platforms 107.
  • Each of the plurality of virtual machine platforms 107 may operate like a complete physical machine that can run an operating system.
  • Different VMs may run different and/ or the same type of operating system.
  • a first VM may include an operating system such as the Micro so ft Windows OS
  • a second VM may include an operating system such as the EteeKIOS
  • a third VM may include an operating system such as linux OS.
  • one or more of the plurality of VMs may be
  • JVM Java Virtual Machine
  • CL common language runtime
  • the configuration information could for example be a hash based on parameters associated with the software, the firmware, the TfM, the VMM and/ or applications rurining on the target platform.
  • a hash is to be understood as any value or parameter used to uniquely identify an associated value or set of values.
  • a hash function or one-way hash function is to be understood as any function used to calculate a hash value from any associated value or set of values.
  • An example of a hash function is the SHA-1 or SHA-256 one-way hash functions defined by NIST.
  • An advantage with virtualization is that a crash of an operating system in one of the plurality of VMs may not affect an OS executing in another VM because the VMs have isolated resources.
  • the Micro so ft Windows operating system in the first VM and the linux operating system in the third VM may notbe affected by a crash in the Micro so ft Windows operating system in the second VM.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

A device and method in a provisioning unit of secure provisioning of a virtual machine on a target platform having a specific configuration is provided. The method comprising: receiving (404) a public binding key from the target platform (107), the public binding key being bound to the specific configuration, encrypting (410) a virtual machine provisioning command using the public binding key, and sending (412) the encrypted virtual machine provisioning command, to the target platform (107). By the provided device and method secure provisioning of a virtual machine on a target platform is enabled.

Description

SECURE V UALMACHINE PROVISIONING
Technical field
[0001] The invention relates generally to a method and device for secure
provisioning of a virtual machine on a target platform, and in particular to secure provisioning that establishes that the target platform is a trusted target platform.
Background
[0002] In the past years, there has been a strong move in the field of computing services towards usage of virtualization technologies. Virtualization allows the running of unmodified legacy applications on hardware platforms. This is realized through on-theiy translation from one hardware instruction set to another with the assistance of a so-called hypervisor or Virtual Machine Monitor (VMM). A VMM runs in a so called "most privileged mode" in a computer system running a virtual machine and has full control over vital system resources. A VMM-based system does not only allow instruction translation, but increased system utilization as multiple Virtual Machines (VMs) can run simultaneously on a single powerful hardware platform, opening for different business models. This implies, for example, that existing services can rather easily be migrated into large computing clusters, often referred to as "the cloud".
[0003] One drawback of this new flexibility is that it creates increased security risks. Systems which previously were physically isolated from each other, might run on the same machine which may entail unwanted interaction beyond control between VMs running simultaneously on the same hardware. Further, the VMM is exposed to threats both from external and internal sources, ff the VMM is
compromised this could affect the whole system. [0004] Examples of VMM solutions are VMWare, Xen and KVM. Differences in underiying technology of the VMMs provides differences in the operation and performance of for example the above mentioned VMMs.
[0005] VMWare is a VMM with the ability of running directly on server hardware without requiring an additio ml underiying operating system VMware software provides a completely virtualized setof hardware to the guest operating system and uses the CPU to run code directly whenever possible and a dynamic re-write code process called "binary translation" when the code needs to be migrated to a different CPU architecture.
[0006] Xen is a VMM that allows several guest operating systems to execute on the same computer hardware concurrently. On most CPUs, Xen uses a form of virtualization known as paravirtualization, meaning that guests run a modified operating system using a special hypercall AH instead of certain architectural features.
[0007] KVM (Kernel-based Virtual Machine) is a VMM that uses the Iinux operating system's kernel in order to virtualize a system, which gives good performance since user-space drivers can be avoided.
[0008] Many virtual machine platforms have a Trusted Platform Module (ΊΡΜ), which is a special purpose hardware module. The ΊΡΜ enables secure generation of cryptographic keys, protected computation and shielded storage. The ΊΡΜ includes capabilities such as Ifemote attestation, Hnding and Sealing. Ifemote attestation creates a secure signature over the current platform configuration in the form of signed hash values. This allows a remote third party to verify if trusted or untrusted software has been installed on the platform Hnding and sealing enables the usage of a particular private unique RSA (Kvest, Shamir and Adleman) key to be restricted to a certain platform state. The state is determined through the current values in me so-called Hatforai Configuration Ffegisters (FCRs) in the TFM. The FCFfe stores hash values of the software blocks that have been loaded into the platform. The ESA key is a private and public key pair is generated within the TFM or transferred to the TFM at production. The public RSA key may be used by third parties to Bicryptdata such that access (through restricted usage of the
corresponding private key) to the data is restricted to the platform being in the configuration in which the binding key was created. The TFM is further disclosed in "Trusted Flatform Module overview", released by Trusted Computing Group
(http:/ / www.trustedcomputinggroup.org).
[0009] Virtualization technologies as such can provide secure isolation and protect different VMs that run on a shared platform while being isolated from each other, but the isolation as well as other security properties of the system can only be guaranteed as long as a trusted VMM version is in use and trusted VMM
configurations are in place.
[00010] From the view of a service provider, who runs services as VMs on virtual platforms, the provider would like to be ensured that virtualization software and configurations of the platforms are trusted and that a particular service (in the form of a VM) is bound to run only on the trusted platform with the trusted configurations.
[00011] In previously known virtual machine systems it is not certain that all security critical components including the VMM are trusted prior to launching a service or provisioning a virtual machine on a platform Summary of invention
[00012] It is an objectof the embodiments herein to address atleast some of the problems and shortcomings outlined above by using a method and an arrangement as defined in the attached independent claims.
[00013] According to one aspect, a provisioning unit for secure provisioning of a virtual machine on a target platform having a specific configuration is provided. The provisioning unit comprising an encryption unit, adapted to encrypt a virtual machine provisioning command using a public binding key received from the target platform and bound to the specific configuration, and a sending unit adapted to send the encrypted virtual machine provisioning command to the target platform.
[00014] According to another aspect, a method in a provisioning unit of secure provisioning of a virtual machine on a target platform having a specific
configuration is provided. The method comprising receiving a public binding key from the target platform, the public binding key being bound to the specific configuration, encrypting a virtual machine provisioning command using the public binding key, and sending the encrypted virtual machine provisioning command, to the target platform.
[00015] Ey the provided arrangement and method, encryption of the provisioning command using a public binding key bound to the specific configuration of the target platform is provided such that the provisioning unit can establish that the target platform is the intended target platform with the intended configurations.
[00016] The above method and arrangement may be configured and implemented according to different optio nal embodiments. According to one embodiment, the sending unit is further adapted to send a configuration information re quest to the target platform, and the provisioning unit further comprises a receiving unit adapted to receive information on the specific configuration, from the target platform, in response to the request The received information can be used by the provisioning unit or an intermediate gateway to determine that the target platform is the intended target platform
[00017] According to one embodiment, the receiving unitis adapted to receive information on the specific configuration based on at least one of: the hardware configuration, and the software configuration. The received information may be received from a Trusted Ha tfo mi Module of the target platform
[00018] According to one embodiment, the encryption unit is further adapted to encrypt the virtual machine provisioning command using a symmetric key created by the provisioning unit, and encrypt the symmetric key with the public binding key, and wherein the sending unitis further adapted to send the encrypted symmetric key to the target platform Ey using a symmetric key for encrypting the provisioning command, large amounts of data may be included in the provisioning command.
[00019] According to one embodiment, the provisioning unit further comprises a verifying unit adapted to verify that the specific information on the configuration identifies a trusted target platform by comparing the received configuration information with information on trusted configurations which have been stored in a database.
[00020] According to one embodiment, the provisioning unitis further adapted to enter the sending of the provisioning command into a log, such that the history of occurred actions is preserved.
[00021] According to one embodiment, the sending unitis further adapted to send a binary version of a virtual machine and parameters enabling the virtual machine to execute on the target platform [00022] According to one embodiment, the sending unit is further adapted to send a key request to the target platform, and the receiving unit is adapted to receive the public binding key in response to the key request
[00023] According to one embodiment, the provisioning unit is further adapted to sign the encrypted provisioning command with a key unique to the provisioning unit
[00024] According to another aspect, a target platform having a specific configuration is provided. The target platform comprising a receiving unit adapted to receive a virtual machine provisioning command encrypted by a public binding key bound to the specific configuration.
[00025] According to another aspect, a method in a target platform of receiving secure provisioning commands is provided, the target platform having a specific configuration, the method comprising receiving a virtual machine provisioning command encrypted using a public binding key bound to the specific configuration.
[00026] Ey the provided arrangement and method, secure provisioning of the target platform is provided. According to one embodiment, the receiving unit is further adapted to receive a request for the public binding key and configuration information from a provisioning unit The target platform further comprises a sending unit adapted to send the public binding key and information on the specific configuration, in response to the request
[00027] According to one embodiment, the sending unit is adapted to send the public binding key generated by a Trusted Hatform Module of the target platform
[00028] According to one embodiment, the sending unit is further adapted to send configuration information based on at least one of: the hardware configuration and the software configuration obtained from a Trusted Hatform Module of the target platform.
[00029] According to one embodiment, the receiving unit is further adapted to receive an encrypted symmetric key and the encrypted virtual rmchine provisioning command encrypted with the symmetric key. The symmetric key is decrypted by the Trusted Hatform Module using a private binding key bound to the specific configuration, and the target platform further comprises a calculating unit adapted to use the symmetric key for decrypting the virtual rmchine provisioning command.
[00030] According to one embodiment, the receiving unit is adapted to receive a binary version of a virtual rmchine and parameters enabling the virtual machine to execute on the target platfor
[00031] Further possible features and benefits of this solution will become apparent from the detailed description below.
Bief description of drawings
[00032] Embodiments are now described, by way of example, with reference to the accompanying drawings, in which:
[00033] Jig. 1 is an overview of an arrangement and method for secure virtual machine provisioning, according to some possible embodiments.
[00034] Jig. 2 is a block diagram showing a provisioning unit for secure
provisioning of a virtual machine, according to one embodiment
[00035] Jig. 3 is a block diagram showing a target platform for a virtual machine, according to one embodiment
[00036] Jig. 4 is a flow chart showing a method in a provisioning unit for secure provisioning of a virtual machine, according to one embodiment
[00037] Jig. 5 is a flow chart showing a method in a target platform for secure provisioning of a virtual machine, according to one embodiment
[00038] Jig. 6 is a signaling diagram showing an embodiment for secure
provisioning of a virtual machine.
[00039] Jig. 7 shows an overview of a virtualized computer system
Detailed description
[00040] In the following a detailed description of exeirpHfying embodiments will be given. In the figures, like reference numerals designate identical or
corresponding elements throughout the several figures.
[00041] An arrangement and method for secure provisioning of a virtual machine on a target platform are provided. The secure provisioning is enabled by encrypting a provisioning command, to be sent to the target platform, in a provisioning unit, using a public binding key cryptographically bound to the target platform and to the particular configuration of the target platform on which the virtual rmchine should be provisioned.
[00042] Ey encrypting the provisioning command such that only the intended target platform can encrypt the data using the corresponding private binding key, the provisioning unit can establish that the virtual rmchine is launched or provisioned on a trusted and intended target platform
[00043] Since the public binding key used for encrypting the provisioning command can be bound to any configuration of target platforms, using any virtualization technology, the secure provisioning is possible independent of the VMM or the actual protocols used between provisioning unit 103 and target platform 107
[00044] Jig. 1 is an overview of an exeirplifying embodiment of secure
provisioning of a virtual rmchine, in which a service requesting client 101 requests a resource from a resource provider network 109 of virtualized resources. The term "Service requesting client' is to be understood in a broad sense as representing any client that could requesta virtualized service, such as for example an operator in a mobile communications system or a node in the Internet A resource is herein referred to as a "target platform 107", "trusted target platform 107" or "virtual machine platform 107". A resource provider network 109 of virtualized resources is generally referred to as a "cloud". The resource provider network 109 is managed by a provisioning unit 103 adapted to launch and manage virtual machines on the target platforms 107 in the resource provider network ROvisioning unit 103 is to be understood in a broad sense as a unitconnected to, and capable of provisioning or managing the virtual machine on a target platform 107. R>r example, in a mobile communications system, the provisioning unit may be an operator management unit enabling the operator to manage a virtual machine. The provisioning unit 103 could be a unit in a node in large network, or a unit in a single or distributed datacenter (sorratimes referred to as a private cloud), or a storage controller in a Storage Area Network (SAN) or a unit in a single computer with virtualized features.
[00045] According to the exemplifying embodiment disclosed with reference to fig. 1, the provisioning unit 103 is in connection with a database 111, which enables the provisioning unit 103 to perform a look-up. The database 111 comprises stored information on configurations, which for example could be in the form of stored platform configuration register (PCR) parameters of trusted platform configurations received from a Trusted Hatform Module (TFM) of the target platform or from a data base with trusted reference (FCK) parameters. In alternative embodiments, the lookup could be performed by the target platform 107, in which case the database 111 is connected to the target platform 107 instead of to the provisioning unit 103.
[00046] Optionally, the provisioning unit 103 may be in communication with the target platform 107 via a gateway 105 (further described in fig. 6) which could locate a suitable platform, authenticate the provisioning unit 103 and establish a secure channel between the provisioning unit 103 and the gateway 105.
[00047] The method is initiated with a receipt of a service request 201 from a service requesting client 101. The provisioning unit 103 or the gateway uses a discovery mechanism to find a suitable free target platform 107 in the platform provider network 109. A discovery mechanism is a protocol thatallows the provisioning unit to request a list of available platform resources based on discovery request criteria. In some possible alternative embodiments, the platform provider network 109 may pre-assign a target platform 107 for use by the provisioning unit 103, in which case the discovery step may be omitted altogether. In the next action the provisioning unit sends a request for a public binding key and configuration information 202, to the target platform 107. The request for configuration information could be a request for the target platform's 107 current virtualization layer and hardware platform configuration status (an example of which is described with reference to fig. 7). In response to the request, the target platform 107 sends configuration information 203 associated with the specific configuration of the target platform 107 to the provisioning unit 103 and a public binding key. The public binding key is the public part of the binding key pair where the usage of the private binding key partis bound to the specific configuration of the target platform 107 (as described in the background section). The public binding key is used to encrypt a provisioning command such that the provisioning command only can be decrypted by the target platform holding the corresponding private key, when the target platform has the specific configuration.
[00048] After receipt of the configuration information, the provisioning unit 103 optionally verifies that the target platform 107 is a trusted target platform 107 by performing a look-up 205/ 207 in a database 111 in connection with the provisioning unit 103.
After receipt of the encrypted provisioning command, the target platform 107 asks the ΊΤΜ to decrypt the provisioning command using the private binding key. ff the provisioning command is encrypted by a symmetric key which in turn is encrypted with the public bonding key, the target platform 107 asks the ΊΤΜ to decrypt the symmetric key using the private binding key and the target platform 107 then uses the symmetric key to decrypt the provisioning command. The private binding key is bound to the reported configurations of the target platform 107 and the ΊΤΜ only allows the target platform to use it when the platform is in a state that corresponds to the reported configuration (enforced by the ΊΤΜ). Since the key pair generated by the ΊΤΜ is bound to the specific configuration of the target platform 107, and the provisioning command is encrypted with the public binding key, the provisioning unit can be certain that the VM is provisioned on a target platform having the specific configuration on the basis of which the public binding key was created (see description of TFM in Background).
[00049] According to one exeirplifying embodiment, the provisioning of the VM comprises the launching of the VM, in which case the provisioning command comprises a special VM launch package containing the VM image and necessary configuration information. I" the target platform 107 has the correct configuration, it will be able to request a decryption of a secret key by usage of the private binding key inthe TFM and decrypt the VM launch package (as previously described) and launch the VM on the trusted target platform 107. By binding the launch to the configuration, the service provider, who runs services as VMs on target platforms 107, is ensured that the virtualization software and configurations of the platform are trusted for launcliing a VM on a particular target platform 107. iurthermore, the provider can make sure that the particular service launched on the target platform 107 is crypto graphically bound to only run on a trusted platform and with trusted configurations by further management commands being encrypted with the public binding key.
[00050] R>r further provisioning or management of the VM, the target platform 107 can generate a public identifier "VM Handle" or "VM Token" which is a reference to a "session key" forVM provisioning/ management which could be included in the encrypted launch package for further provisioning/ management actions.
[00051] According to one embodiment, the provisioning command, which may include a launch or provisioning package, is encrypted with a symmetric key.
Ehcrypting the provisioning command using a symmetric key may be necessary since the VM configuration may comprise considerable data amounts. The symmetric key may in turn be encrypted by the public binding key received from the target platform, such that only the target platform can decrypt the symmetric key and use it for decrypting the provisioning command and only when the target platform is in the specific state.
[00052] The target platform 107 may verify (through a certificate or similar) a provisioning unit signature to establish that the provisioning unit is a trusted provisioning unit and may report the provisioning or launch in a log file, which ensures that the service provider cannot repudiate the provisioning command.
[00053] Jig. 2 is a block diagram of an embodiment of the provisioning unit 103 of fig. 1 in further detail. The provisioning unit 103 comprises a sending unit 121 adapted to send the virtual rmchine provisioning command 209 encrypted using a public binding key bound to the target platform 107 configuration, to the target platform 107, thereby enabling secure provisioning of the VM. By encrypting the provisioning command using the public binding key received from the target platform 107 the provisioning unit 103 can make certain that the target platform 107 remains in the specific configuration.
[00054] The sending unit may further be adapted to send a request202 for the public binding key and configuration of the target platform, to the target platform 107. The target platform 107 has a specific configuration related to the hardware, the software, the firmware, the ΊΡΜ, the VMM or applications riinning on the target platform. In response to the request, the target platform sends the public binding key generated by the TEM of the target platform, and configuration information 203 to the provisioning unit 103. The provisioning unit 103 comprises a receiving unit 123 adapted to receive the public binding key and configuration information 203.
[00055] The provisioning unit 103 further comprises an encryption unit 125 in connection with the receiving unit 123. The encrypting unit 125 is adapted to encrypt pro visioning command to be sent to the target platform using the received 203 binding key. [00056] In the exenplifying embodiment shown in fig. 2, me receiving unit 123 is further adapted to receive a service request 201 from a service requesting client 101, however this should be considered as optional since the provisioning unit 103 could act without a direct input from a service requesting client 101.
[00057] According to one possible embodiment, the virtual imchine provisioning command 209 is a VM launch package for launching a VM on a target platform 107. Bv encrypting the VM launch package using the public binding key received from the target platform 107 , the provisioning unit could be guaranteed that the virtualization software and configurations of the target platform 107 are trusted for launching a VM on a particular target platform 107.
[00058] The provisioning unit may furthermore comprise a verifying unit 127 connected to the receiving unit 123. The verifying unit 127 is adapted to verify that the specific configuration of the target platform 107 is trusted. The verifying process may be implemented by comparing the received configuration information 203 with information on trusted configurations which have been stored in a database 111.
[00059] The action of comparing the received configuration information 203 with information on trusted configurations could be performed as a look-up, where the verification unit 127 sends a look-up request205 to the database 111 and receives a look-up response 207 which could be interpreted by the verification unit 127 to determine if the specific configuration of the target platform 107, is trusted. In altemative embodiments, the verification process could be performed in the target platform 107 and in further alternative embodiments, the target platform 107 could be assigned by the service requesting client, in which case the target platform 107 is considered to be trusted and no further verification is required.
[00060] In embodiments where the virtual machine provisioning command is encrypted using a symmetric key, the symmetric key is in turn encrypted by the public binding key received from the target platform 107, such that the target platform 107 only can access the symmetric key and thereby the provisioning command encrypted with the symmetric key by accessing the private binding key generated by the TFM, which is only possible when the target platform has the specific configuration
[00061] Jig. 3 is a block diagram showing an embodimentof a target platform 107, which may be the target platform of fig. 1 and 2. The target platform 107 has a specific configuration In order to act with a provisioning unit 103, the target platform 107 comprises a receiving unit 133 adapted to receive a configuration information request 303 from the provisioning unit l03. The target platform 107 further comprises a sending unit 131 adapted to send configuration information 305 associated with the specific configuration of the target platform 107 to the provisioning unit 103, in response to the request The receiving unit 133 is further adapted to receive a virtual rmchine provisioning command encrypted by the public binding key bound to the specific configuration of the target platform 107. Upon receiptof the provisioning command, the target platform 107 asks the TFM 136 to decrypt the provisioning command using the private binding key bound to the specific configuration of the target platform 107, i.e the target platform 107 can only decrypt the provisioning command when in the specific configuration
Alternatively the virtual rmchine provisioning command is encrypted by a symmetric key, which is encrypted by the public binding key and provided together with the encrypted provisioning command. In this alternative the symmetric key is being decrypted by the ΊΤΜ through using the private binding key, which is possible only when the target platform is in the specific configuration The decrypted symmetric key is used by the target platform to decrypt the provisioning command.
[00062] The target platform 107 is furthermore optionally adapted to decrypt the virtual rmchine provisioning command using a symmetric key received at the receiving unit 133. The received virtual machine provisioning command could be symmetrically encrypted using the symmetric key and sent together with the symmetric key, which in turn is encrypted by the public binding key bound to the target platform The encrypted symmetric key is first decrypted and then used by a calculating unit 139 of the target platform 107 for decrypting the virtual rmchine provisioning command.
[00063] Jig. 4 is a flowchart of an exeirplifying method in a provisioning unit, e.g. the provisioning unit 103 of figs. 2 and 3, for secure provisioning of a VM on a target platform In this example the provisioning unit sends a request for public binding key and configuration information to a target platform 402, and in response thereto receives 404 configuration information and the public binding key from the target platform The configuration information is associated with the specific configuration of the target platform and could for example be information related to the software, hardware or TFM of the target platform The provisioning unit verifies 405 thatthe target platform is a trusted target platform by comparing the specific configuration with configurations of trusted target platforms. The verification could e.g. be done according to the Trusted Computer Group (ICG) attestation procedure.
[00064] The virtual rmchine provisioning command is encrypted with a symmetric key 409, which in turn is encrypted by the public binding key received from the target platform 410. The encrypted virtual machine provisioning command and symmetric key is sent to the target platform, thus enabling secure provisioning of the target platform
[00065] According to one embodiment, the provisioning of the VM is a launch of a VM, in which case the launch command is encrypted by the public binding key received from the target platform The launch command along with the VM
configurations and the VM identity can be encrypted using a symmetric key which in turn is encrypted by the public binding key, which ensures that the VM can only be launched on the intended target platform, because only that target platform can access the corresponding private binding key and decrypt the symmetric key used for decryption of the launch command.
[00066] Jig. 5 is a flow chart of an embodiment of a method of secure
provisioning of a VM as executed in a target platform. Firstly, configuration information and binding key request is received 503 from a provisioning unit In response to the request, the target platform sends 505 configuration information associated with the specific configuration of the target platform and the public binding key to the provisioning unit The configuration information could for example be one or more parameters associated with a current state of the platform configuration register. After the optional step of sending configuration information, the target platform receives 509 a virtual machine provisioning command from the provisioning unit, the virtual machine provisioning command being encrypted by the public binding key received from the target platform. Alternatively, the provisioning command is encrypted by a symmetric key, which in turn is encrypted by the public binding key and appended to the provisioning command. The public binding key is generated by the ΊΤΜ of the target platform, which holds the corresponding private key, and thereby bound to the configuration of the target platform.
[00067] After receipt 509 of the encrypted provisioning command, the target platform decrypts 512 the VM provisioning command using the private binding key generated by the ΊΤΜ, which can be accessed only when the target platform has the specific configuration.
[00068] Jig. 6 is a signaling diagram of an embodiment in which the method of secure provisioning is implemented in a virtualized computer system. In the shown procedure, the target platforms 107, e.g. any of the target platforms previously described, authenticates all service requests 601 from clients 101 through a platform provider gateway 105 which authenticates and establishes a secure channel between the provisioning unit 103 and the gateway 105. Similarly, the provisioning unit 103 ensures that it connects to a trusted resource target platform 107. As one example, standard VF (Virtual Hivate Network) protection
mechanisms can be used to provide the secure channel and the Internet Key
Exchange (IKE) protocol could for example be used in combination with Internet security protocol.
[00069] After the establishment of the secure connection, the provisioning unit 103 issues a resource discovery request601b to gateway 105 searcliing for a particular resource (target platform 107) or resource type and gets a response 601c from the gateway 105 with a handle that can be used by the provisioning unit 103 to perform a resource connect601d, to connect to the target platform 107.
Alternatively, a handle for the target platform 107 may be provided to the service provider outofband, in which case explicit discovery is not needed. In this alternative case, connection to a platform provider gateway 105 may also be omitted, and the provisioning unit may connect directly to the target platform 107.
[00070] Before provisioning or launcliing a VM to a particular target platform, the provisioning unit needs to verify the integrity of the Trusted Computing Base (TCB) of the target platform, i.e., the hardware and software parts of the platform upon which the security of the platform depends like the hardware, virtualization layer software and VMM configurations in an attestation step. This is for example done according to the Trusted Computer Group (TCG) attestation procedure. The attestation starts with the provisioning unit sending a request 604a to the Target Hatform 107 with a request to report its integrity state comprising configuration information of the target platform The target platform Management Agent requests the Integrity Manager to generate an Attestation Response 604b. The Attestation Response 604b comprises configuration information of the target platform 107 which for example could be the current state of the Hatform Configuration Registers (FCRs) and the Integrity Report
[00071] According to one exemplifying embodiment, the ΊΓΜ on the target platform 107 is requested to sign the current state of the Hatform Configuration Registers with the ΊΗνΙ identity key. The Integrity Report could be generated according to the Trusted Computing Group Integrity Schema. The integrity report is signed using the ΊΓΜ identity key which ensures that it belongs to the Trusted Hatform identified in an AK-Certificate (Attestation Identity Key Certificate). The configuration information in form of the current platform configuration registers state; the Integrity Report and the AK-Certificate are received by the provisioning unit 103 as the attestation response 604b.
[00072] After receiving the attestation response, the provisioning unit validates the AK-Certificate and the signatures and verifies the received integrity report with the trusted reference metrics, using, for example, a lookup i.e. comparing the
configuration information of the target platform with configurations of trusted target platforms in for example a suitable database (for example 111 in fig. 4). an alternative embodiment, the verification is outsourced to a trusted service, and in yet another alternative embodiment, the target platform can make such a request and include the result in its response. After receipt of the attestation response 604b the provisioning unit 103 computes a cryptographic one-way hash hi of the received attestation response 604b to be used in the provisioning step.
[00073] In a key exchange step, a key request 606a is sent to the target platform 107. In response thereto the target platform 107 sends a key response 606b comprising a public bind key generated by the THVI of the target platform 107 and having a corresponding private key held by the ΊΓΜ and being bound to the specific configuration of the target platform 107. After receipt of the key response 606b me target platform computes a hash h2 of me key response 606b to be used in me provisioning step.
[00074] A virtual machine provisioning command is men encrypted using a symmetric key. The symmetric encryption is only necessary in embodiments where me provisioning command contains large amounts of data. The symmetric key is in turn encrypted by me public binding key received by me provisioning unit The virtual machine provisioning command is men sent 612 to me target platform 107 mat decrypts me provisioning command using me private binding key which is generated by me TFM.
[00075] The provisioning of me VM could be a launch of a VM, in which case me launch is encrypted using me public binding key, which means mat me VM will only be able to launch on me target platform 107 with me reported unique setof configurations. A symmetric key is used to encrypt me VM along with me VM identity and related target platform configurations, if mis concerns considerable amounts of data. The symmetric key is in turn encrypted using me public binding key received from me target platform 107, which ensures mat me VM can only be launched on me intended target platform 107.
[00076] In order to cryptographically bind me different protocol steps - attestation (604a; 604b), key exchange (606a; 606b) and provisioning (612) - me
provisioning unit appends me second cryptographic one-way hash h2 of me key response to me first cryptographic one-way hash hi, and computes h, a hash of hi combined wim h2, for example hi concatenated wim h2, which is also sent 612 to me target platform 107 along with me restof me provisioning command. The provisioning unit 103 may also cryptographically sign me VM launch message so mat me service provider cannot repudiate me launch later on [00077] After receipt, me target platform 107 decrypts the symmetric key using the private binding key, if symmetric encryption is used, and then decrypts the VM launch credentials using the symmetric key, and optionally verifies the provisioning unit launch signature. The target platform 107 performs necessary validations and optionally checks operator license for VM launch rights, and optionally also updates corresponding charging records. It then launches the service provider VM and sends a virtual machine handle 613 to the provisioning unit 103.
[00078] In an alternative embodiment, the target platform also generates a "virtual rmchine token", which is returned to the provisioning unit encrypted with a suitable provisioning unit encryption key sent to the target platform as partof the protected launch command. This "virtual machine token" along with the "virtual machine handle" can then be used to issue other provisioning commands (e.g. shutdown, reboot, pause, resume, etc.) concerning this VM, in similar protocol runs, where the VM launch message is replaced by a virtual rmchine provisioning message including a proof that the provisioning unit knows the virtual machine token.
[00079] A service acknowledgement 613 is returned to the requesting client 101 along with the virtual rmchine handle which enables the client to connect 614 to the VM on the target platform 107.
[00080] JIG. 7 is a block diagram of an exemplifying embodiment of a virtualized computer system providing a plurality of virtual machine platforms 107 or target platforms 107. ibr the purpose of this description, virtual machine platform and target platform is to be understood as synonymous, the target platform is the virtual rmchine platform being target for the communication from the provisioning unit It should be noted thatthe embodiment of fig. 1 is an example of a virtualized computer system and in alternative embodiments, which could be used in methods described herein; components described with reference to fig. 1 may be excluded or combined. [00081] A host system 10 is a platform on which several virtual rmchines may run simultaneously. The host system includes hardware 14 comprising a processor, which may be a single CPU (Central processing unit), or could comprise two or more processing units, For example, the processor may include general purpose microprocessors, instruction set processors and/ or related chips sets and/ or special purpose microprocessors such as ASICs (Application Specific Integrated Circuit). The processor may also comprise board memory for caching purposes. The hardware 14 further comprises memory, which may for example be a flash memory, a RAM (Random-access memory), a ROM (Read-Only Memory) or an EEPROM (Electrically Erasable Programmable ROM). The hardware 14 could further comprise a network interface, input device (s), output de vie e(s), and/ or mass storage device(s). The host system 10 further comprises a special hardware module, the Trusted Platform Module (ΊΡΜ)15, thathas the ability of storing integrity
measurements by computing a hash summary of at least some of the hardware 14, firmware 13 and software 11 configuration parameters. The ΊΡΜ 15 can be accessed by an external verifier to get a report on the current platform state. In alternative embodiments, the ΊΡΜ 15 could be implemented in a software module, a so called virtual ΊΡΜ (vTPM).
[00082] The host system 10 according to the exeirplifying embodiment shown in fig. 1 further comprises a firmware module 13 which may be implemented as machine accessible instructions to bootthe host system 10. The firmware 13 may be partof or include the basic input output system (BIOS) of the host system 10.
[00083] The host system 10 according to the exeirplifying embodiment shown in fig. 7 further comprises a Virtual Machine Monitor (VMM) 11 or hypervisor, which may be a firmware or a software component that is configured to enable multiple VMs running simultaneously and support a series of virtual environments or virtual machine platforms 107. The VMM 11 ensures that the operation of each of the plurality of VMs does not interrupt the operation of any other VM. As previously mentioned, the advantages of having a plurality of VMs running simultaneously on the same hardware however also create risks. The VMM is exposed to threats both from external and internal sources and if the VMM is compromised this could affect the whole system.
[00084] The host system 10 of the embodiment disclosed with reference to fig. 7 supports a plurality of virtual niachine platforms 107. Each of the plurality of virtual machine platforms 107 may operate like a complete physical machine that can run an operating system. Different VMs may run different and/ or the same type of operating system. R>r example, a first VM may include an operating system such as the Micro so ft Windows OS, a second VM may include an operating system such as the EteeKIOS, and a third VM may include an operating system such as linux OS. In alternative embodiments, one or more of the plurality of VMs may be
implemented as an execution environment such as a Java Virtual Machine (JVM) or a Microsoft .NET. common language runtime (CL ).
[00085] The configuration information could for example be a hash based on parameters associated with the software, the firmware, the TfM, the VMM and/ or applications rurining on the target platform. A hash is to be understood as any value or parameter used to uniquely identify an associated value or set of values. A hash function or one-way hash function is to be understood as any function used to calculate a hash value from any associated value or set of values. An example of a hash function is the SHA-1 or SHA-256 one-way hash functions defined by NIST.
[00086] An advantage with virtualization is that a crash of an operating system in one of the plurality of VMs may not affect an OS executing in another VM because the VMs have isolated resources. In the example above, the Micro so ft Windows operating system in the first VM and the linux operating system in the third VM may notbe affected by a crash in the Micro so ft Windows operating system in the second VM.
[00087] It will be appreciated that the figures described are for illustration only and are not in any way restricting the scope of the invention. Hease note that any embodiment or part of embodiment as well as any method or part of method could be combined in any way. AH examples herein should be seen as part of the general description and therefore possible to combine in any way in general terms. It should be noted that the figures 1 - 3, 6, 7 merely illustrate various units in the nodes or functional units in a logical sense, although the skilled person is free to implement these functions in practice using suitable software and hardware means.

Claims

CIAJMS
1. Ovisioning unit (103) for secure provisioning of a virtual machine on a target platform having a specific configuration, the provisioning unit comprising:
• an encryption unit (125) adapted to encrypt a virtual machine provisioning command using a public binding key received from the target platform (107) and bound to the specific configuration, and
• a sending unit (121) adapted to send the encrypted virtual machine provisioning command, to the target platform (107).
2. The provisioning unitacconiing to claim 1, wherein the sending unit (121) is further adapted to send a configuration information re quest to the target platform (107), and wherein the provisioning unit(103) further comprises a receiving unit(123) adapted to receive information on the specific configuration, from the target platform (107), in response to the request
3. The provisioning unit acconiing to claim 2, wherein the receiving unit (123) is adapted to receive information on the specific configuration based on at least one of:
• the hardware configuration, and
• the software configuration, and
wherein the received information is received from a Trusted Hatform Module (136) of the target platform (107).
4. The provisioning unit according to any of claims 1 - 3, wherein the encryption unit (125) is further adapted to encrypt the virtual machine provisioning command using a symmetric key created by the provisioning unit, and encrypt the symmetric key with the public binding key, and wherein the sending unit is further adapted to send the encrypted symmetric key to the target platform (107 ).
5. The provisioning unit according to any of claims 2 - 4, wherein the
provisioning unit further comprises a verifying unit(127) adapted to verify that the specific information on the configuration identifies a trusted target platform by comparing the received configuration information with information on trusted configurations which have been stored in a database (111).
6. The provisioning unit according to any of claims 1 - 5, wherein the
provisioning unit is further adapted to enter the sending of the provisioning command into a log.
7. The provisioning unit according to any of claims 1 - 6, wherein the sending unit (121) is further adapted to send a binary version of a virtual imchine and parameters enabling the virtual imchine to execute on the target platform
8. The provisioning unit according to any of claims 1 - 7, wherein the sending unit is further adapted to send a key request to the target platform, and wherein a receiving unit (123) is adapted to receive the public binding key in response to the key request
9. The provisioning unit according to any of claims 1 - 8, wherein the provisioning unit is further adapted to sign the encrypted provisioning command with a key unique to the provisioning unit
10. Target platform (107) having a specific configuration, the target
platform comprising:
• a receiving unit (133) adapted to receive a virtual machine
provisioning command encrypted by a public binding key bound to the specific configuration
11. The target platform according to claim 10, wherein the receiving unit (133) is further adapted to receive a request for the public binding key and configuration information from a provisioning unit(103), and wherein the target platform further comprises a sending unit (131) adapted to send the public binding key and information on the specific configuration, in response to the request
12. The target platform according to claim 11, wherein the sending unit is adapted to send the public binding key generated by a Trusted Hatform Module of the target platform
13. The target platform according to claim 12, wherein the sending unit (131) is further adapted to send configuration information based on at least one of:
• the hardware configuration, and
• the software configuration,
obtained from a Trusted Hatform Module of the target platform
14. Hie target platform according to any of claims 10 - 13, wherein the receiving unit (133) is further adapted to receive an encrypted symmetric key and the encrypted virtual imchine provisioning command encrypted with the symmetric key, and wherein the symmetric key is decrypted by a Trusted Hatform Module using a private binding key bound to the specific
configuration, and wherein the target platform further comprises a calculating unit(139) adapted to use the symmetric key for decrypting the virtual machine provisioning command.
15. The target platform according to any of claims 10 - 14, wherein the receiving unit (133) is adapted to receive a binary version of a virtual machine and parameters enabling the virtual machine to execute on the target platform
16. Method in a provisioning unit of secure provisioning of a virtual
machine on a target platform having a specific configuration, the method comprising:
• receiving (404) a public binding key from the target platform (107), the public binding key being bound to the specific configuration,
• encrypting (410) a virtual machine provisioning command using the public binding key, and
• sending (412) the encrypted virtual machine provisioning command, to the target platform (107).
17. Hie method according to claim 16, further comprising
• sending (402) a configuration information request to the target
platform,
• receiving (404) information on the specific configuration, from the target platform, in response to the request
18. The method according to claim 17, wherein receiving information on the specific configuration comprises receiving information from a Trusted Hatform Module of the target platform based on atleastone of:
• the hardware configuration, and
• the software configuration
19. The method according to any of claims 16 - 18, further comprising encrypting (409) the virtual machine provisioning command using a symmetric key created by the provisioning unit, encrypting (410) the symmetric key with the public binding key received from the target platform, and sending the encrypted symmetric key to the target platform (107).
20. The method according to any of claims 17 - 19, further comprising verifying (407) that the information on the specific configuration of the target platform (107) identifies a trusted target platform by comparing the received configuration information with information on trusted configurations which have been stored in a database (111).
21. The method according to any of claims 16 - 20, further comprising entering the sending of the provisioning command into a log.
22. Hie method according to any of claims 16 - 21 , wherein sending the virtual machine provisioning command comprises sending a binary version of a virtual machine and parameters enabling the virtual machine to execute on the target platform (107).
23. The method according to any of claim 16 - 22 , further comprising
contacting a gateway (105) adapted to assign the target platform (107).
24. The method according to any of claim 16 - 23 , further comprising
sending a key request (606a) to the target platform (107), and receiving (606b) the public binding key in response to the key request (606a).
25. The method according to any of claim 16 - 24, further comprising
signing the encrypted provisioning command with a key unique to the provisioning unit
26. Method in a target platform of receiving secure provisioning
commands, the target platform having a specific configuration, the method comprising:
• receiving (509) a virtual machine provisioning command encrypted using a public binding key bound to the specific configuration
27. The method according to claim 26, further comprising: • receiving (503) a request for the public binding key and a request for information on the specific configuration from a provisioning unit (103), and
• sending (505) the public binding key and information on the specific configuration, in response to the request
28. The metiiod according to claim 27, wherein sending (505) tiie public binding key comprises sending tiie public binding key generated by a Trusted Hatform Module of tiie target platform
29. The metiiod according to claim 27, wherein sending information on tiie specific configuration comprises sending information based on at least one of:
• tiie hardware configuration, and
• tiie software configuration,
obtained from tiie Trusted Hatibrm Module of tiie target platform
30. The metiiod according to any of claims 26 - 29, further comprising:
• receiving an encrypted symmetric key and the encrypted virtual
machine provisioning command encrypted with the symmetric key,
• decrypting the symmetric key and using the private binding key, and
• decrypting the virtual machine provisioning command using the
symmetric key.
31. The method according to any of claims 26 - 30, wherein receiving the virtual machine provisioning command comprises receiving a binary version of a virtual machine and parameters enabling the virtual machine to execute on the target platform.
PCT/SE2011/050502 2011-04-26 2011-04-26 Secure virtual machine provisioning WO2012148324A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP11864525.8A EP2702724B1 (en) 2011-04-26 2011-04-26 Secure virtual machine provisioning
US14/111,212 US9264220B2 (en) 2011-04-26 2011-04-26 Secure virtual machine provisioning
PCT/SE2011/050502 WO2012148324A1 (en) 2011-04-26 2011-04-26 Secure virtual machine provisioning

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/SE2011/050502 WO2012148324A1 (en) 2011-04-26 2011-04-26 Secure virtual machine provisioning

Publications (1)

Publication Number Publication Date
WO2012148324A1 true WO2012148324A1 (en) 2012-11-01

Family

ID=47072596

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2011/050502 WO2012148324A1 (en) 2011-04-26 2011-04-26 Secure virtual machine provisioning

Country Status (3)

Country Link
US (1) US9264220B2 (en)
EP (1) EP2702724B1 (en)
WO (1) WO2012148324A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103843303A (en) * 2012-11-22 2014-06-04 华为技术有限公司 Management control method, device and system for virtual machine
CN103888429A (en) * 2012-12-21 2014-06-25 华为技术有限公司 Virtual machine starting method, correlation devices and systems
WO2014185845A1 (en) * 2013-05-13 2014-11-20 Telefonaktiebolaget L M Ericsson (Publ) Procedure for platform enforced secure storage in infrastructure clouds
US20150007175A1 (en) * 2013-07-01 2015-01-01 Amazon Technologies, Inc. Cryptographically attested resources for hosting virtual machines
WO2015158821A1 (en) * 2014-04-16 2015-10-22 Commissariat A L'energie Atomique Et Aux Energies Alternatives System for executing code with blind hypervision mechanism
EP3869332A3 (en) * 2013-03-06 2021-11-17 INTEL Corporation Roots-of-trust for measurement of virtual machines

Families Citing this family (38)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8924723B2 (en) * 2011-11-04 2014-12-30 International Business Machines Corporation Managing security for computer services
US9135460B2 (en) * 2011-12-22 2015-09-15 Microsoft Technology Licensing, Llc Techniques to store secret information for global data centers
US20130219387A1 (en) * 2012-02-22 2013-08-22 Vmware, Inc. Establishing secure two-way communications in a virtualization platform
US9819658B2 (en) * 2012-07-12 2017-11-14 Unisys Corporation Virtual gateways for isolating virtual machines
US20140075522A1 (en) * 2012-09-07 2014-03-13 Red Hat, Inc. Reliable verification of hypervisor integrity
KR101907486B1 (en) * 2012-09-14 2018-10-12 한국전자통신연구원 Mobile computing system for providing execution environment having high secure ability
US9325575B2 (en) * 2012-10-31 2016-04-26 Aruba Networks, Inc. Zero touch provisioning
US9081604B2 (en) * 2012-12-21 2015-07-14 Red Hat Israel, Ltd. Automatic discovery of externally added devices
EP3066567A1 (en) * 2013-11-07 2016-09-14 Telefonaktiebolaget LM Ericsson (publ) Setting up a virtual machine for an ip device
US9785492B1 (en) 2013-12-09 2017-10-10 Forcepoint Llc Technique for hypervisor-based firmware acquisition and analysis
US9696940B1 (en) 2013-12-09 2017-07-04 Forcepoint Federal Llc Technique for verifying virtual machine integrity using hypervisor-based memory snapshots
US9734325B1 (en) * 2013-12-09 2017-08-15 Forcepoint Federal Llc Hypervisor-based binding of data to cloud environment for improved security
US9692599B1 (en) * 2014-09-16 2017-06-27 Google Inc. Security module endorsement
US10230529B2 (en) * 2015-07-31 2019-03-12 Microsft Technology Licensing, LLC Techniques to secure computation data in a computing environment
US9767318B1 (en) * 2015-08-28 2017-09-19 Frank Dropps Secure controller systems and associated methods thereof
US9848039B2 (en) * 2015-09-22 2017-12-19 International Business Machines Corporation Deployment of virtual machines
US10142107B2 (en) 2015-12-31 2018-11-27 Microsoft Technology Licensing, Llc Token binding using trust module protected keys
US10412191B1 (en) 2016-03-30 2019-09-10 Amazon Technologies, Inc. Hardware validation
US10135622B2 (en) * 2016-06-03 2018-11-20 Intel Corporation Flexible provisioning of attestation keys in secure enclaves
US9986023B1 (en) * 2016-06-21 2018-05-29 EMC IP Holding Company LLC Virtual data storage appliance with platform detection by use of VM-accessible record
US10192047B2 (en) 2016-06-28 2019-01-29 Cisco Technology, Inc. Provisioning of identity information
US10503894B2 (en) * 2016-08-30 2019-12-10 Ncr Corporation Secure process impersonation
US10423791B2 (en) 2017-04-27 2019-09-24 Microsoft Technology Licensing, Llc Enabling offline restart of shielded virtual machines using key caching
US10853494B2 (en) * 2018-07-23 2020-12-01 Vmware, Inc. Binding a trusted virtual machine to a trusted host computer
WO2020056015A1 (en) * 2018-09-11 2020-03-19 Amari.Ai Incorporated Deployment and communications gateway for deployment, trusted execution, and secure communications
KR20210132646A (en) * 2019-01-15 2021-11-04 비자 인터네셔널 서비스 어소시에이션 Methods and systems for authenticating digital transactions
US11490256B2 (en) 2019-03-11 2022-11-01 Hewlett Packard Enterprise Development Lp Secure zero-touch provisioning of network devices in an offline deployment
US11394789B2 (en) 2019-05-08 2022-07-19 Hewlett Packard Enterprise Development Lp Seamless migration of a network management system deployment to cloud-based deployment
US11210128B2 (en) * 2019-09-26 2021-12-28 At&T Intellectual Property I, L.P. Device virtualization security layer
SE544340C2 (en) * 2019-11-19 2022-04-12 Assa Abloy Ab Secure configuration of a target device performed by a user device
US12014065B2 (en) * 2020-02-11 2024-06-18 Pure Storage, Inc. Multi-cloud orchestration as-a-service
US11423160B2 (en) 2020-04-16 2022-08-23 Bank Of America Corporation System for analysis and authorization for use of executable environment data in a computing system using hash outputs
US11425123B2 (en) 2020-04-16 2022-08-23 Bank Of America Corporation System for network isolation of affected computing systems using environment hash outputs
US11481484B2 (en) 2020-04-16 2022-10-25 Bank Of America Corporation Virtual environment system for secure execution of program code using cryptographic hashes
US11263109B2 (en) 2020-04-16 2022-03-01 Bank Of America Corporation Virtual environment system for validating executable data using accelerated time-based process execution
US11528276B2 (en) 2020-04-16 2022-12-13 Bank Of America Corporation System for prevention of unauthorized access using authorized environment hash outputs
US11372982B2 (en) 2020-07-02 2022-06-28 Bank Of America Corporation Centralized network environment for processing validated executable data based on authorized hash outputs
US20220326975A1 (en) * 2021-03-31 2022-10-13 Lenovo Enterprise Solutions (Singapore) Pte. Ltd. Transparent data reduction in private/public cloud environments for host encrypted data

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030108205A1 (en) * 2001-12-07 2003-06-12 Bryan Joyner System and method for providing encrypted data to a device
WO2008031148A1 (en) * 2006-09-11 2008-03-20 Commonwealth Scientific And Industrial Research Organisation A portable device for use in establishing trust
WO2009155574A1 (en) 2008-06-19 2009-12-23 Servicemesh, Inc. Cloud computing gateway, cloud computing hypervisor, and methods for implementing same
US20100082984A1 (en) * 2008-09-26 2010-04-01 Microsoft Corporation Protocol-Independent Remote Attestation And Sealing
WO2010085255A1 (en) * 2009-01-23 2010-07-29 Hewlett-Packard Development Company, L.P. Verifying virtual machines
US20100218243A1 (en) * 2009-02-26 2010-08-26 Dehaan Michael Paul Methods and systems for secure gate file deployment associated with provisioning
WO2011141579A2 (en) * 2010-05-14 2011-11-17 Gemalto Sa System and method for providing security for cloud computing resources using portable security devices

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7565522B2 (en) 2004-05-10 2009-07-21 Intel Corporation Methods and apparatus for integrity measurement of virtual machine monitor and operating system via secure launch
US20110202765A1 (en) * 2010-02-17 2011-08-18 Microsoft Corporation Securely move virtual machines between host servers
US9703586B2 (en) * 2010-02-17 2017-07-11 Microsoft Technology Licensing, Llc Distribution control and tracking mechanism of virtual machine appliances
US8856504B2 (en) * 2010-06-07 2014-10-07 Cisco Technology, Inc. Secure virtual machine bootstrap in untrusted cloud infrastructures

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030108205A1 (en) * 2001-12-07 2003-06-12 Bryan Joyner System and method for providing encrypted data to a device
WO2008031148A1 (en) * 2006-09-11 2008-03-20 Commonwealth Scientific And Industrial Research Organisation A portable device for use in establishing trust
WO2009155574A1 (en) 2008-06-19 2009-12-23 Servicemesh, Inc. Cloud computing gateway, cloud computing hypervisor, and methods for implementing same
US20100082984A1 (en) * 2008-09-26 2010-04-01 Microsoft Corporation Protocol-Independent Remote Attestation And Sealing
WO2010085255A1 (en) * 2009-01-23 2010-07-29 Hewlett-Packard Development Company, L.P. Verifying virtual machines
US20100218243A1 (en) * 2009-02-26 2010-08-26 Dehaan Michael Paul Methods and systems for secure gate file deployment associated with provisioning
WO2011141579A2 (en) * 2010-05-14 2011-11-17 Gemalto Sa System and method for providing security for cloud computing resources using portable security devices

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP2702724A4

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103843303B (en) * 2012-11-22 2017-03-29 华为技术有限公司 The management control method and device of virtual machine, system
CN103843303A (en) * 2012-11-22 2014-06-04 华为技术有限公司 Management control method, device and system for virtual machine
EP2913956A4 (en) * 2012-11-22 2015-11-04 Huawei Tech Co Ltd Management control method, device and system for virtual machine
JP2016506107A (en) * 2012-11-22 2016-02-25 華為技術有限公司Huawei Technologies Co.,Ltd. Management control method, apparatus and system for virtual machine
US9698988B2 (en) 2012-11-22 2017-07-04 Huawei Technologies Co., Ltd. Management control method, apparatus, and system for virtual machine
CN103888429A (en) * 2012-12-21 2014-06-25 华为技术有限公司 Virtual machine starting method, correlation devices and systems
EP3869332A3 (en) * 2013-03-06 2021-11-17 INTEL Corporation Roots-of-trust for measurement of virtual machines
WO2014185845A1 (en) * 2013-05-13 2014-11-20 Telefonaktiebolaget L M Ericsson (Publ) Procedure for platform enforced secure storage in infrastructure clouds
US10230738B2 (en) 2013-05-13 2019-03-12 Telefonaktiebolaget Lm Ericsson (Publ) Procedure for platform enforced secure storage in infrastructure clouds
US9880866B2 (en) 2013-07-01 2018-01-30 Amazon Technologies, Inc. Cryptographically attested resources for hosting virtual machines
US9367339B2 (en) * 2013-07-01 2016-06-14 Amazon Technologies, Inc. Cryptographically attested resources for hosting virtual machines
CN105493099A (en) * 2013-07-01 2016-04-13 亚马逊技术有限公司 Cryptographically attested resources for hosting virtual machines
EP3017397B1 (en) * 2013-07-01 2021-11-17 Amazon Technologies, Inc. Cryptographically attested resources for hosting virtual machines
US20150007175A1 (en) * 2013-07-01 2015-01-01 Amazon Technologies, Inc. Cryptographically attested resources for hosting virtual machines
FR3020160A1 (en) * 2014-04-16 2015-10-23 Commissariat Energie Atomique SYSTEM FOR EXECUTING A CODE WITH BLIND HYPERVISION MECHANISM
US10095862B2 (en) 2014-04-16 2018-10-09 Commissariat A L'energie Atomique Et Aux Energies Alternatives System for executing code with blind hypervision mechanism
WO2015158821A1 (en) * 2014-04-16 2015-10-22 Commissariat A L'energie Atomique Et Aux Energies Alternatives System for executing code with blind hypervision mechanism

Also Published As

Publication number Publication date
EP2702724A4 (en) 2014-11-05
EP2702724B1 (en) 2017-03-29
US20140032920A1 (en) 2014-01-30
US9264220B2 (en) 2016-02-16
EP2702724A1 (en) 2014-03-05

Similar Documents

Publication Publication Date Title
US9264220B2 (en) Secure virtual machine provisioning
KR102110273B1 (en) Chain security systems
US10530753B2 (en) System and method for secure cloud computing
US10382195B2 (en) Validating using an offload device security component
US9626512B1 (en) Validating using an offload device security component
US8259948B2 (en) Virtual TPM key migration using hardware keys
US9819496B2 (en) Method and system for protecting root CA certificate in a virtualization environment
Danev et al. Enabling secure VM-vTPM migration in private clouds
Krautheim et al. Introducing the trusted virtual environment module: a new mechanism for rooting trust in cloud computing
US10243739B1 (en) Validating using an offload device security component
US20150134965A1 (en) Enhanced Secure Virtual Machine Provisioning
US20090086979A1 (en) Virtual tpm keys rooted in a hardware tpm
US10211985B1 (en) Validating using an offload device security component
JP2016519540A (en) Method and system for secure communication authentication in distributed environment
US10230738B2 (en) Procedure for platform enforced secure storage in infrastructure clouds
Aslam et al. Securely launching virtual machines on trustworthy platforms in a public cloud
Wang et al. A security-enhanced vTPM 2.0 for cloud computing
Manferdelli et al. The cloudproxy tao for trusted computing
EP3550781B1 (en) Private information distribution method and device
Pedone et al. Trusted computing technology and proposals for resolving cloud computing security problems
Paladi Trusted computing and secure virtualization in cloud computing
Aw Ideler Cryptography as a service in a cloud computing environment
Ozga et al. Wawel: Architecture for Scalable Attestation of Heterogeneous Virtual Execution Environments
Quaresma TrustZone based Attestation in Secure Runtime Verification for Embedded Systems
Weiß et al. Integrity verification and secure loading of remote binaries for microkernel-based runtime environments

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11864525

Country of ref document: EP

Kind code of ref document: A1

REEP Request for entry into the european phase

Ref document number: 2011864525

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2011864525

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 14111212

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: DE