Remote attestation and integrity measurements with Intel SGX for Virtual Machines

Abstract With response to the emerging virtualization trend, we focus on a Virtual Machine (VM) remote attestation process assuming that it is running in an uncontrolled and untrusted cloud infrastructure. We present a solution that is able to establish a chain of trust in a cloud environment. Our solution is based on a set of CPU instructions and it does not need any additional components to track host modifications. Our solution enables integrity verification of a filesystem. Additionally, it ensures trust level assessment for remote VMs during their startup or while triggered manually at any point in time afterwards. We identify security properties for our solution and show how it meets them. The security analysis shows that with necessary countermeasures, the proposed model can ensure the required level of security. Additionally, We evaluate the performance impact of the prototype and virtualization overhead for a real-life scenario. Here, we assume that small configuration files, binaries, and executables are most critical. The results show that important filesystem components can be verified with a minimum impact on a startup time. This way, the whole proposal allows for making VM a part of a trusted compute resource pool.