Departing from the "your data is safe with us" model, in which the cloud infrastructure is trusted, cloud tenants are shifting towards a model in which the cloud provider is not part of the trust domain. Both silicon and cloud vendors are trying to address this shift by introducing confidential computing, an umbrella term for mechanisms that protect data in use through encryption below the hardware boundary of the CPU, e.g., Intel Software Guard Extensions (SGX), AMD Secure Encrypted Virtualization (SEV), Intel Trust Domain Extensions (TDX), etc. In this work, we design and implement a virtual trusted platform module (vTPM) that virtualizes the hardware root of trust without requiring trust in the cloud provider. To ensure the security of a vTPM in a provider-controlled environment, we leverage the unique isolation properties of the SEV-SNP hardware and a novel approach to ephemeral TPM state management. Specifically, we develop a stateless, ephemeral vTPM that supports remote attestation without persistent state. This allows us to pair each confidential VM with a private instance of a vTPM that is completely isolated from the provider-controlled environment and from other VMs. We built our prototype entirely on open-source components: Qemu, Linux, and Keylime. Though our work is AMD-specific, a similar approach could be used to build remote attestation protocols on other trusted execution environments (TEEs).
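As an added illustration, not code from the paper or its prototype: one way a vTPM with no persistent state can still be remotely attestable is to bind the endorsement key (EK) it generates at each boot into the hardware attestation report, so the verifier trusts the key only because the hardware vouches for it inside a measured VM. The report layout, the HMAC stand-in for the report signature, the measurement values and all key material are constructed assumptions for this example.

```python
import hashlib, hmac, os
from dataclasses import dataclass

# Constructed stand-in for the SEV-SNP attestation signing key. Real SNP reports are
# ECDSA-signed by a per-chip key and verified via AMD's certificate chain; an HMAC
# shared with the verifier is used here only so the example runs offline.
PLATFORM_KEY = b"constructed-platform-key"
EXPECTED_MEASUREMENT = hashlib.sha384(b"constructed: cvm image + vtpm code").digest()

@dataclass(frozen=True)
class Report:
    measurement: bytes   # launch measurement of the confidential VM, including the vTPM code
    report_data: bytes   # guest-supplied field; the vTPM places a hash of its ephemeral EK here
    signature: bytes

def hardware_attest(measurement: bytes, report_data: bytes) -> Report:
    """Model of the platform firmware signing a report over the guest-supplied data."""
    sig = hmac.new(PLATFORM_KEY, measurement + report_data, hashlib.sha384).digest()
    return Report(measurement, report_data, sig)

class EphemeralVTPM:
    """A vTPM whose EK lives only in the CVM's memory for one boot and is never stored."""
    def __init__(self, measurement: bytes = EXPECTED_MEASUREMENT):
        self.ek_pub = os.urandom(32)  # stand-in for a freshly generated EK public key
        self.report = hardware_attest(measurement, hashlib.sha512(self.ek_pub).digest())

def verify(ek_pub: bytes, report: Report) -> bool:
    """Verifier side: accept the EK only if the hardware vouches for this exact key."""
    body = report.measurement + report.report_data
    expected = hmac.new(PLATFORM_KEY, body, hashlib.sha384).digest()
    if not hmac.compare_digest(expected, report.signature):
        return False                                  # report not produced by the hardware
    if report.measurement != EXPECTED_MEASUREMENT:
        return False                                  # unknown VM image or altered vTPM code
    return hmac.compare_digest(report.report_data, hashlib.sha512(ek_pub).digest())

def demo() -> dict:
    boot1 = EphemeralVTPM()
    boot2 = EphemeralVTPM()   # "reboot": nothing is carried over, so a new EK is generated
    rogue = EphemeralVTPM(hashlib.sha384(b"constructed: modified image").digest())
    return {
        "fresh_ek_verifies": verify(boot1.ek_pub, boot1.report),
        "rebooted_ek_verifies": verify(boot2.ek_pub, boot2.report),
        "eks_differ_across_boots": boot1.ek_pub != boot2.ek_pub,
        "swapped_ek_accepted": verify(boot2.ek_pub, boot1.report),  # report binds another EK
        "tampered_vm_accepted": verify(rogue.ek_pub, rogue.report),
    }
```

Because each boot produces a fresh, hardware-endorsed EK, the verifier needs no stored EK certificate and the provider has no persistent vTPM state to tamper with.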