Trustworthy confidential virtual machines for the masses
Anna Galanou, Khushboo Bindlish, Luca Preibsch, Yvonne-Anne Pignolet, Christof Fetzer, Rüdiger Kapitza
TL;DR
This paper tackles the challenge of providing end-user assurance for confidential VM-based workloads hosted in the cloud. It introduces Revelio, a system that combines SEV-SNP-based TEEs with reproducible builds, measured direct boot, runtime integrity protections, and a browser-based attestation extension to allow users to verify the exact state of a web-facing service before sharing sensitive data. Key contributions include extending the attestation scope to include the VM’s root filesystem, binding the service TLS identity to the hardware root of trust, scalable TLS key distribution across VMs, and persistence protection via sealing. The evaluation demonstrates robust protection against boot-time and runtime tampering, with manageable performance overhead and practical client-side latency, enabling use cases such as end-to-end encrypted collaboration suites and secure protocol translation proxies in decentralized infrastructures.
Abstract
Confidential computing alleviates the concerns of distrustful customers by removing the cloud provider from their trusted computing base and resolves their disincentive to migrate their workloads to the cloud. This is facilitated by new hardware extensions, like AMD's SEV Secure Nested Paging (SEV-SNP), which can run a whole virtual machine with confidentiality and integrity protection against a potentially malicious hypervisor owned by an untrusted cloud provider. However, the assurance of such protection to either the service providers deploying sensitive workloads or the end-users passing sensitive data to services requires sending proof to the interested parties. Service providers can retrieve such proof by performing remote attestation, while end-users typically have no means to acquire this proof or validate its correctness and therefore have to rely on the trustworthiness of the service providers. In this paper, we present Revelio, an approach that features two main contributions: i) it allows confidential virtual machine (VM)-based workloads to be designed and deployed in a way that disallows any tampering, even by the service providers, and ii) it empowers users to easily validate their integrity. In particular, we focus on web-facing workloads, protect them by leveraging SEV-SNP, and enable end-users to remotely attest them seamlessly each time a new web session is established. To highlight the benefits of Revelio, we discuss how a standalone stateful VM that hosts an open-source collaboration office suite can be secured and present a replicated protocol proxy that enables commodity users to securely access the Internet Computer, a decentralized blockchain infrastructure.
