
Elastic Compute Service: Overview

Last Updated: Mar 18, 2024

This topic describes how a trusted instance works and the basic concepts of the trusted computing technology.

Introduction to trusted computing capabilities

Trusted computing is one of the main features that are used to ensure high-level security of underlying computing environments for cloud tenants. Trusted Platform Module (TPM) or Trusted Cryptography Module (TCM) is integrated into the hardware platform to provide a remote attestation mechanism and build a chain of trust that covers system startup and user-specified applications. This ensures a trusted environment for users in all aspects during the startup and runtime phases. Trust verification of systems and applications reduces vulnerability to attacks that are caused by unknown or tampered systems or software.

Instance families that support trusted computing capabilities

Note

The g7t, c7t, and r7t instance families support Software Guard Extensions (SGX) confidential computing. When you create instances of these instance families in the Elastic Compute Service (ECS) console, the Alibaba Cloud SGX runtime is automatically installed. For information about SGX confidential computing, see Build an SGX confidential computing environment.

How a trusted instance works

Trusted instances use the trusted computing technology to perform integrity verification. This ensures that the instances are not compromised by startup-level or kernel-level malware or rootkits. With the TPM or TCM as the hardware root of trust, trusted instances provide measured boot and integrity verification by using the Unified Extensible Firmware Interface (UEFI) firmware, vTPM or vTCM, and remote attestation service to ensure security and trustworthiness.

TPM or TCM

Trusted computing relies on TPM or TCM chips. TPM is standardized by ISO as ISO 11889, and TCM is standardized as GM/T 0012-2020 in China. TPM or TCM chips that are used as the root of trust provide the following benefits:

  • TPM or TCM chips use internal firmware and logic circuits to process instructions. These chips do not rely on OSs and are isolated from external software vulnerabilities.

  • Attackers must have physical access to computers before they can attack TPM or TCM chips.

  • Trusted instances are equipped with TPM or TCM chips, boot firmware, and system software to build a chain of trust.

Firmware security

Alibaba Cloud supports secure firmware updates. Before firmware is updated, firmware signatures are verified to ensure that only authorized firmware can be updated. This prevents malicious firmware from attacking the cloud infrastructure.

vTPM and vTCM

Alibaba Cloud also provides virtual roots of trust (vTPM and vTCM) for ECS instances to extend the trust system of servers to the ECS virtualization layer based on trusted hardware. A comprehensive security system is built on hardware and virtual roots of trust.

vTPM and vTCM are virtualized trusted platform modules that transmit trust from the trusted server hardware to trusted instances. vTPM is fully compatible with TPM 2.0, and vTCM is fully compatible with TCM 2.0. Trusted instances use vTPM or vTCM to build a virtual root of trust and implement a trusted boot chain and a remote attestation mechanism that are similar to those of the host layer. A benchmark measurement is generated when an instance is created. Measurement values that are collected on subsequent instance startups are compared against the benchmark measurement to determine whether the instance has changed. The comparison result indicates the trusted status of the instance and is displayed in the Security Center console.

UEFI firmware

Trusted instances use trusted boot firmware that meets the UEFI specification for system boot. UEFI firmware measures the integrity of system firmware, system boot loader, and system kernel modules during the boot process of the OS to build a chain of trust for system startup.

Measured boot

Components are measured stage by stage. The components that are started first measure the components that are started at the next stage. If the measurement is successful, the chain of trust is extended to the next stage.

Each module in the boot chain from the underlying hardware to the guest OS is measured during the boot process of an instance. When the modules are loaded, trusted components calculate the hash value for each module and securely store the calculated values to the root of trust to build a chain of trust. Stage-by-stage measurement and verification of all modules in the boot chain ensure that the system remains unchanged from the previous boot.

Integrity verification

Integrity verification helps you understand the trusted status of instances and make decisions.

The first time an instance is started, the trusted components create the first set of hash values as benchmark measurement and securely store the data. Then, the measurement and storage operations are performed each time the instance starts. Trusted components send the measurement values to the trusted service by using remote attestation. You can compare the most recent measurement data with the benchmark measurement to measure and verify the integrity of the instance and determine whether the instance runs in the expected trusted state.

Integrity verification compares startup measurement information with the benchmark measurement of an instance. If the information matches the benchmark measurement, a success result is returned. This indicates that the instance is trusted. Otherwise, a failure result is returned, which indicates that the instance is untrusted.

  • If an expected integrity verification failure occurs in specific scenarios, such as during a system update of the ECS instance, you can add the trusted event to a whitelist to update the instance benchmark measurement. Subsequent integrity measurements are performed against the most recent benchmark measurement. For more information, see Handle trusted exceptions.

  • If an unexpected integrity verification failure occurs, identify the cause of the failure based on the trusted event details to prevent the instance from running in an untrusted environment.
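The following Python simulation is an added illustration, not Alibaba Cloud's own code: it models the extend-only register behaviour of measured boot and the benchmark comparison of integrity verification described above, including how a whitelisted change becomes the new benchmark. The module names and contents are constructed, and SHA-256 is assumed as the measurement hash.

```python
import hashlib

# Constructed sample boot chain (illustrative names and contents, not Alibaba Cloud's real modules).
BOOT_CHAIN = [
    ("uefi_firmware", b"uefi firmware image 1.0"),
    ("boot_loader", b"boot loader 2.0"),
    ("kernel", b"kernel 5.10"),
]


def measure(module: bytes) -> bytes:
    """Measurement of one module: a SHA-256 hash of its contents."""
    return hashlib.sha256(module).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || measurement). The register can only be
    extended, never rewritten, so every earlier stage stays folded into the value."""
    return hashlib.sha256(register + measurement).digest()


def measured_boot(chain):
    """Measure each stage in order and extend it into the register.
    Returns (event_log, final_register_value)."""
    register = bytes(32)  # SHA-256-sized register, all zeros at power-on (assumed)
    event_log = []
    for name, contents in chain:
        m = measure(contents)
        register = extend(register, m)
        event_log.append((name, m.hex()))
    return event_log, register


def verify_integrity(benchmark: bytes, current: bytes) -> str:
    """Compare the latest boot value against the stored benchmark measurement."""
    return "trusted" if benchmark == current else "untrusted"


def first_changed_stage(benchmark_log, current_log):
    """Walk both event logs to find the earliest stage whose measurement differs."""
    for (name, b_hash), (_, c_hash) in zip(benchmark_log, current_log):
        if b_hash != c_hash:
            return name
    return None


def tampered_chain(chain, stage, new_contents):
    """Return a copy of the chain with one stage's contents replaced (e.g. a kernel update)."""
    return [(n, new_contents if n == stage else c) for n, c in chain]
```

Because each stage is folded into the register by hashing, a change in any single module alters the final value, while the per-stage event log lets an operator pinpoint which module changed.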