Cluster Nodes Integrity Attestation and Monitoring Scheme for Confidential Computing Platform.

With the widespread adoption of cloud computing, a substantial amount of sensitive user data is stored on the cloud. In Infrastructure as a Service (IaaS) cloud environments, the provider is fully trusted, making it essential to ensure the confidentiality and integrity of cloud applications and data. As a novel security technology, confidential computing strives to decrease reliance on cloud providers by delivering the smallest Trusted Computing Base (TCB) and providing enhanced end-to-end data protection capabilities within the cloud environment.This paper proposes an efficient scheme for remote attestation and monitoring the integrity of confidential computing platforms based on a hardware root of trust, addressing the load-time and run-time trust problems of cluster nodes in a confidential cloud environment. The scheme uses Trusted Platform Module (TPM) as the identity of hardware root of trust to achieve secure registration and attestation. Additionally, the scheme ensures load-time trust by binding the boot state to PCRs through TPM2.0 policy authorization mechanism. To ensure secure transmission of sensitive data between nodes, trusted channels are established for the remote attestation with key agreements. Runtime integrity is ensured by periodically attesting nodes with the EpochID-based integrity monitoring. This paper also analyzes the security of the proposed scheme. We implement the prototype to proves the efficiency and feasibility based on TPM2 and x86 confidential platform. It demonstrate measurement and attestation logs of cluster nodes in our scheme for remote attestation and integrity monitoring using TPM2.0. Compared with the representative solution Keylime, the integrity monitoring performance has improved by 71.4% without reducing security. Furthermore, it exhibits lower network communication latency.