Enabling Secure VM-vTPM Migration in Private Clouds
In this work, we consider the problem of enabling secure migration of vTPM-based virtual machines in private clouds. We detail the requirements that a secure VM-vTPM migration solution should satisfy in private virtualized environments and propose a vTPM key structure suitable for VM-vTPM migration. We then leverage this structure to construct a secure VM-vTPM migration protocol. We show that our protocol provides stronger security guarantees than existing solutions for VM-vTPM migration. We evaluate the feasibility of our scheme via an implementation on the Xen hypervisor, and we show that it can be directly integrated within existing hypervisors. Our Xen-based implementation can be downloaded as open-source software. Finally, we discuss how our scheme can be extended to support live migration of vTPM-based VMs.
Author(s):
Boris Danev
ETH Zurich
Switzerland
Ramya Jayaram Masti
ETH Zurich
Switzerland
Ghassan O. Karame
ETH Zurich
Switzerland
Srdjan Capkun
ETH Zurich
Switzerland