The Road to Trust: Building Enclaves within Confidential VMs

Wenhao Wang, Linke Song, Benshan Mei, Shuang Liu, Shijun Zhao, Shoumeng Yan, XiaoFeng Wang, Dan Meng, Rui Hou

TL;DR

This paper introduces NestedSGX, a framework that leverages virtual machine privilege level (VMPL), a recent hardware feature of AMD SEV-SNP, to build hardware enclaves within the guest VM; like Intel SGX, it treats the guest OS as untrusted, since the OS may load potentially malicious code.

Abstract

Integrity is critical for maintaining system security, as it ensures that only genuine software is loaded onto a machine. Although confidential virtual machines (CVMs) function within isolated environments separate from the host, it is important to recognize that users still encounter challenges in maintaining control over the integrity of the code running within the trusted execution environments (TEEs). The presence of a sophisticated operating system (OS) raises the possibility of dynamically creating and executing any code, making user applications within TEEs vulnerable to interference or tampering if the guest OS is compromised. To address this issue, this paper introduces NestedSGX, a framework which leverages virtual machine privilege level (VMPL), a recent hardware feature available on AMD SEV-SNP, to enable the creation of hardware enclaves within the guest VM. Similar to Intel SGX, NestedSGX considers the guest OS untrusted, as it may load potentially malicious code. It ensures that only trusted and measured code executed within the enclave can be remotely attested. To seamlessly protect existing applications, NestedSGX aims for compatibility with Intel SGX by simulating SGX leaf functions. We have also ported the SGX SDK and the Occlum library OS to NestedSGX, enabling the use of existing SGX toolchains and applications in the system. Performance evaluations show that context switches in NestedSGX take about 32,000 -- 34,000 cycles, approximately $1.9\times$ -- $2.1\times$ higher than that of Intel SGX. NestedSGX incurs minimal overhead in most real-world applications, with an average overhead below 2% for computation and memory intensive workloads and below 15.68% for I/O intensive workloads.

Paper Structure (23 sections, 7 figures, 5 tables)

Figures (7)

  • Figure 1: Comparison between NestedSGX and other TEEs. NestedSGX offers a layered protection mechanism against both the host VMM and the guest OS within the CVM.
  • Figure 2: NestedSGX overview. The security monitor, the SGX emulation layer and the enclave operate in the kernel and user mode at VMPL0, while the guest OS and App operate in the kernel and user mode at VMPL1. The transitions between VMPL0 and VMPL1 occur via the untrusted host.
  • Figure 3: The management of enclave life cycles, e.g., handling synchronous and asynchronous enclave entry and exit events.
  • Figure 4: The guest physical address space is divided into 3 parts: the secure memory used by the security monitor, the EPC memory, and the normal memory.
  • Figure 5: The NestedSGX attestation report consists of two parts: the SEV-SNP attestation report signed by VCEK, and the enclave report signed by NestedSGX AIK. The NestedSGX AIK is generated within the security monitor and subsequently bound to the SEV-SNP hardware by placing its public key as part of the SEV-SNP attestation report.
  • ...and 2 more figures
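The abstract states that only measured enclave code can be remotely attested, and the Figure 5 caption describes how: a hardware-signed SEV-SNP report vouches for the security monitor and carries the NestedSGX AIK public key, and the AIK in turn signs the enclave report. The Go program below is an added example written for this page, not code from the paper or the NestedSGX project, showing the relying party's side of that two-part chain. It assumes a simplified report layout with only the fields the check needs, uses locally generated ECDSA P-384 keys in place of the real AMD VCEK and the monitor's AIK, and assumes the AIK is bound by writing a SHA-512 hash of its public key into the 64-byte report-data field (the caption says the public key is placed in the report; the exact encoding is an assumption here). All measurements and keys are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"crypto/x509"
	"errors"
	"fmt"
)

// SnpReport is a simplified model of the SEV-SNP attestation report; the real
// report has many more fields, only those the chain check needs are kept.
type SnpReport struct {
	Measurement [48]byte // launch measurement of the VMPL0 image (the security monitor)
	ReportData  [64]byte // guest-chosen field; assumed here to carry SHA-512(AIK public key)
	Sig         []byte   // ECDSA P-384 (ASN.1) by the VCEK over SHA-384(Measurement || ReportData)
}

// EnclaveReport models the report the security monitor issues for one enclave.
type EnclaveReport struct {
	MrEnclave [32]byte // measurement of the enclave code, as in SGX
	Sig       []byte   // ECDSA P-384 (ASN.1) by the AIK over SHA-384(MrEnclave)
}

// genKey stands in for key material the verifier never generates itself:
// the chip's VCEK and the AIK created inside the security monitor.
func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func pubBytes(pub *ecdsa.PublicKey) []byte {
	b, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	return b
}

func snpDigest(r *SnpReport) []byte {
	h := sha512.New384()
	h.Write(r.Measurement[:])
	h.Write(r.ReportData[:])
	return h.Sum(nil)
}

// IssueSnpReport stands in for the SEV-SNP firmware: bind the AIK via ReportData, sign with the VCEK.
func IssueSnpReport(vcek *ecdsa.PrivateKey, monitor [48]byte, aikPub *ecdsa.PublicKey) *SnpReport {
	r := &SnpReport{Measurement: monitor, ReportData: sha512.Sum512(pubBytes(aikPub))}
	sig, err := ecdsa.SignASN1(rand.Reader, vcek, snpDigest(r))
	if err != nil {
		panic(err)
	}
	r.Sig = sig
	return r
}

// IssueEnclaveReport stands in for the security monitor signing with the AIK it holds.
func IssueEnclaveReport(aik *ecdsa.PrivateKey, mrEnclave [32]byte) *EnclaveReport {
	d := sha512.Sum384(mrEnclave[:])
	sig, err := ecdsa.SignASN1(rand.Reader, aik, d[:])
	if err != nil {
		panic(err)
	}
	return &EnclaveReport{MrEnclave: mrEnclave, Sig: sig}
}

// VerifyChain is the relying party's check. The enclave report proves nothing until
// the AIK that signed it is shown to be bound to a VCEK-signed report whose
// measurement is the security monitor the verifier expects.
func VerifyChain(vcekPub *ecdsa.PublicKey, snp *SnpReport, wantMonitor [48]byte,
	aikPub *ecdsa.PublicKey, encl *EnclaveReport, wantMrEnclave [32]byte) error {
	if !ecdsa.VerifyASN1(vcekPub, snpDigest(snp), snp.Sig) {
		return errors.New("SNP report: VCEK signature invalid")
	}
	if snp.Measurement != wantMonitor {
		return errors.New("SNP report: unexpected security monitor measurement")
	}
	if snp.ReportData != sha512.Sum512(pubBytes(aikPub)) {
		return errors.New("AIK is not bound to this SNP report")
	}
	d := sha512.Sum384(encl.MrEnclave[:])
	if !ecdsa.VerifyASN1(aikPub, d[:], encl.Sig) {
		return errors.New("enclave report: AIK signature invalid")
	}
	if encl.MrEnclave != wantMrEnclave {
		return errors.New("enclave report: unexpected MRENCLAVE")
	}
	return nil
}

func main() {
	vcek, aik, rogue := genKey(), genKey(), genKey() // constructed keys, not real AMD material
	var monitor [48]byte
	copy(monitor[:], "constructed security monitor measurement")
	var mr [32]byte
	copy(mr[:], "constructed MRENCLAVE value")
	snp := IssueSnpReport(vcek, monitor, &aik.PublicKey)
	fmt.Println("genuine chain:", VerifyChain(&vcek.PublicKey, snp, monitor, &aik.PublicKey, IssueEnclaveReport(aik, mr), mr))
	// A key the hardware-signed report never vouched for cannot attest an enclave.
	fmt.Println("unbound key:  ", VerifyChain(&vcek.PublicKey, snp, monitor, &rogue.PublicKey, IssueEnclaveReport(rogue, mr), mr))
}
```

The example treats the VCEK public key as already trusted; a real verifier first validates the VCEK certificate against AMD's ASK/ARK chain, and would also compare the SNP report's policy and version fields, which are omitted here. The order of checks is the point: a compromised guest OS at VMPL1 can sign anything with a key of its own, but that key never appears in the VCEK-signed report, so the binding check rejects it before the enclave measurement is even consulted.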