Alibaba Cloud provides security-enhanced Elastic Compute Service (ECS) instance families to implement trusted boot based on Trusted Cryptography Module (TCM) or Trusted Platform Module (TPM) chips. During a trusted boot, each module in the boot chain from the underlying hardware to the guest OS is measured and verified. This topic describes how a security-enhanced instance works and the basic concepts of the trusted computing technology.
How a security-enhanced instance works
Trusted computing is one of the main features used to achieve high-level security of the underlying computing environment for cloud tenants. A TPM or TCM is integrated into the hardware platform to build a chain of trust that covers system startup and user-specified applications, and to provide a remote attestation mechanism. This guarantees a trusted environment for users in all aspects during the startup and runtime phases. Trust verification of systems and applications reduces vulnerability to attacks that are caused by unknown or tampered systems or software.
Security-enhanced instance families use the trusted computing feature to verify the integrity of each module. This ensures that instances are not compromised by startup-level or kernel-level malware or rootkits. With the TPM or TCM as the hardware root of trust, security-enhanced instance families provide measured boot and integrity verification by using the Unified Extensible Firmware Interface (UEFI) firmware, vTPM or vTCM, and remote attestation service to ensure the security and trustworthiness of instances.
TPM or TCM
Trusted computing relies on TPM or TCM chips. TPM is standardized by ISO as ISO 11889, and TCM is standardized as GM/T 0012-2020 in China. TPM or TCM chips that are used as the root of trust offer the following benefits:
TPM or TCM chips use their own internal firmware and logic circuits to process instructions. These chips do not rely on the OS and are isolated from vulnerabilities in external software.
Attackers must have physical access to computers before they can attack TPM or TCM chips.
Security-enhanced instances are equipped with TPM or TCM chips, boot firmware, and system software to build a chain of trust.
Firmware security
Alibaba Cloud supports secure firmware updates. Before firmware is updated, firmware signatures are verified to ensure that only authorized firmware can be updated. This prevents malicious firmware from attacking the cloud infrastructure.
vTPM and vTCM
Alibaba Cloud also provides virtual roots of trust (vTPM and vTCM) for ECS instances to extend the trust system of servers to the ECS virtualization layer based on trusted hardware. A comprehensive security system is built on hardware and virtual roots of trust.
vTPM and vTCM are virtualized trusted platform modules that are used to transmit trust from the trusted server hardware to trusted instances. vTPM is fully compatible with the TPM 2.0 specification, and vTCM is fully compatible with the TCM 2.0 specification. Security-enhanced instances leverage vTPM or vTCM to build a virtual root of trust and implement a trusted boot chain and a remote attestation mechanism that are similar to those of the host layer. A benchmark measurement is generated when an instance is created. Measurement values that are collected on subsequent instance startups are compared against the benchmark measurement to determine whether the instance has changed. The comparison result indicates the trusted status of the instance and is displayed in the Security Center console.
UEFI firmware
Security-enhanced instances use trusted boot firmware that meets the UEFI specifications for system boot. UEFI firmware can measure the integrity of system firmware, system boot loader, and system kernel modules during the boot process of the OS to build a chain of trust for system startup.
Measured boot
Components are measured stage by stage. Each component that is already running measures the next-stage component before starting it. If the measurement succeeds, the chain of trust is extended to the next stage.
Each module in the boot chain from the underlying hardware to the guest OS is measured during the boot process of an instance. When the modules are loaded, trusted components calculate the hash value of each module and securely store the calculated values in the root of trust to form a chain of trust. Stage-by-stage measurement and verification of all modules in the boot chain ensure that the system has not changed since the previous boot.
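The stage-by-stage measurement described above is easiest to see in a small model. The following is an added example, not Alibaba Cloud's firmware or vTPM code: it models TPM 2.0 PCR extension (a PCR can only be extended as `new = H(old || digest)`, never written directly) over a constructed boot chain, records the event log that firmware would write, and shows that changing or reordering any module changes the final PCR value, so the stored values commit to the whole chain. The PCR indices follow the common UEFI convention and the module byte strings are constructed stand-ins for real file contents.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed model of measured boot; not Alibaba Cloud's firmware or vTPM code.
DIGEST_LEN = 32
PCR_INIT = b"\x00" * DIGEST_LEN  # a SHA-256 PCR bank starts as all zeros

# Hypothetical boot chain: (PCR index, stage name, module contents).
# PCR 0 firmware, PCR 4 boot loader, PCR 9 kernel and initramfs is the usual
# UEFI assignment; the byte strings stand in for real module contents.
BOOT_CHAIN: List[Tuple[int, str, bytes]] = [
    (0, "uefi-firmware", b"constructed UEFI firmware image"),
    (4, "boot-loader", b"constructed boot loader image"),
    (9, "kernel", b"constructed kernel image"),
    (9, "initramfs", b"constructed initramfs image"),
]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend semantics: new_pcr = H(old_pcr || digest).

    Because the register can only be extended, its final value commits to
    every digest that was extended into it, in the order they arrived.
    """
    return sha256(pcr + digest)


def measured_boot(chain: List[Tuple[int, str, bytes]]) -> Tuple[Dict[int, bytes], List[dict]]:
    """Measure each stage before it runs, extend its digest into its PCR and
    append an event-log entry (what firmware records in the TCG event log)."""
    pcrs: Dict[int, bytes] = {}
    event_log: List[dict] = []
    for index, stage, module in chain:
        digest = sha256(module)  # the running stage hashes the next stage
        pcrs[index] = extend(pcrs.get(index, PCR_INIT), digest)
        event_log.append({"pcr": index, "stage": stage, "digest": digest.hex()})
    return pcrs, event_log


def replay_event_log(event_log: List[dict]) -> Dict[int, bytes]:
    """Recompute PCR values from the event log alone. A verifier replays the
    log and compares the result with the PCR values the TPM reports; any
    mismatch means the log was edited after the fact."""
    pcrs: Dict[int, bytes] = {}
    for entry in event_log:
        old = pcrs.get(entry["pcr"], PCR_INIT)
        pcrs[entry["pcr"]] = extend(old, bytes.fromhex(entry["digest"]))
    return pcrs


def tampered_chain(chain: List[Tuple[int, str, bytes]], stage_name: str,
                   new_contents: bytes) -> List[Tuple[int, str, bytes]]:
    """Copy of the chain with one module's contents replaced."""
    return [(i, s, new_contents if s == stage_name else m) for i, s, m in chain]


if __name__ == "__main__":
    clean_pcrs, log = measured_boot(BOOT_CHAIN)
    bad_pcrs, _ = measured_boot(tampered_chain(BOOT_CHAIN, "kernel", b"modified kernel image"))
    for idx in sorted(clean_pcrs):
        status = "same" if clean_pcrs[idx] == bad_pcrs[idx] else "DIFFERENT"
        print(f"PCR{idx}: {clean_pcrs[idx].hex()[:16]}... {status}")
    print("event log replays to reported PCRs:", replay_event_log(log) == clean_pcrs)
```

Running the script shows that only the PCR into which the modified module was measured changes (PCR 9 here), while the PCRs of earlier stages stay identical, which is what lets a verifier localise a change to a boot stage rather than only detecting that something differs.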
Integrity verification
Integrity verification helps you understand the trusted status of instances and make decisions.
The first time an instance is started, the trusted components create the first set of hash values as benchmark measurement and securely store the data. Then, the measurement and storage operations are performed each time the instance starts. Trusted components send the measurement values to the trusted service by using remote attestation. You can measure and verify the integrity of the instance by comparing the most recent measurement data with the benchmark measurement to determine whether the instance runs in the expected trusted state.
Integrity verification compares the startup measurement information with the benchmark measurement of an instance. If the values match, a success result is returned, which indicates that the instance is trusted. Otherwise, a failure result is returned, which indicates that the instance is untrusted.
If an expected integrity verification failure occurs in specific scenarios, such as during a system update of the ECS instance, you can update the instance benchmark measurement by adding the trusted event to a whitelist. Subsequent integrity measurements are performed against the most recent benchmark measurement. For more information, see Handle trusted exceptions.
If an unexpected integrity verification failure occurs, you must identify the cause of the failure based on the trusted event details to prevent instances from running in an untrusted environment.
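The benchmark, per-boot comparison and whitelist flow described in the preceding paragraphs, as an added example that is not Alibaba Cloud's trusted service or Security Center code: the first reported boot becomes the benchmark, each later boot is compared against it PCR by PCR, a mismatch produces trusted-event records, and whitelisting an event replaces the benchmark value for that PCR only, so the next boot is checked against the updated benchmark. The `pcr_set` helper and its module labels are constructed stand-ins for the hex digests a real measured boot would report; the status strings and class names are this example's own, not the console's.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of integrity verification; not Alibaba Cloud's service code.


@dataclass
class TrustedEvent:
    pcr: int
    expected: str  # value recorded in the benchmark
    observed: str  # value reported at the most recent boot


@dataclass
class VerifyResult:
    status: str  # "benchmark_created", "trusted" or "untrusted"
    events: List[TrustedEvent]


class InstanceTrustRecord:
    """Benchmark measurement of one instance plus the verification of each boot."""

    def __init__(self) -> None:
        self.benchmark: Optional[Dict[int, str]] = None
        self.history: List[VerifyResult] = []

    def report_boot(self, measured: Dict[int, str]) -> VerifyResult:
        """Called with the PCR values reported via remote attestation after a boot."""
        if self.benchmark is None:
            # First boot: the measurements become the benchmark.
            self.benchmark = dict(measured)
            result = VerifyResult("benchmark_created", [])
        else:
            events = [
                TrustedEvent(pcr, expected, measured.get(pcr, "<missing>"))
                for pcr, expected in sorted(self.benchmark.items())
                if measured.get(pcr) != expected
            ]
            result = VerifyResult("untrusted" if events else "trusted", events)
        self.history.append(result)
        return result

    def whitelist(self, event: TrustedEvent) -> None:
        """Accept an expected change (for example a planned kernel update): the
        observed value replaces the benchmark value for that PCR only."""
        if self.benchmark is None or self.benchmark.get(event.pcr) != event.expected:
            # A stale event would silently overwrite a newer benchmark; refuse it.
            raise ValueError("event does not match the current benchmark")
        self.benchmark[event.pcr] = event.observed


def pcr_set(firmware: str, loader: str, kernel: str) -> Dict[int, str]:
    """Constructed PCR values derived from module labels (PCR 0 firmware,
    PCR 4 boot loader, PCR 9 kernel). Stands in for real measured-boot output."""
    return {
        0: hashlib.sha256(firmware.encode()).hexdigest(),
        4: hashlib.sha256(loader.encode()).hexdigest(),
        9: hashlib.sha256(kernel.encode()).hexdigest(),
    }


def demo() -> List[str]:
    """Walk through creation, a clean boot, a planned update, and a rollback."""
    record = InstanceTrustRecord()
    statuses = []
    statuses.append(record.report_boot(pcr_set("fw-1", "loader-1", "kernel-5.10")).status)
    statuses.append(record.report_boot(pcr_set("fw-1", "loader-1", "kernel-5.10")).status)
    # Planned kernel update: expected failure on PCR 9, then whitelisted.
    update = record.report_boot(pcr_set("fw-1", "loader-1", "kernel-5.15"))
    statuses.append(update.status)
    record.whitelist(update.events[0])
    statuses.append(record.report_boot(pcr_set("fw-1", "loader-1", "kernel-5.15")).status)
    # Unexpected rollback to the old kernel: the old value is no longer the benchmark.
    statuses.append(record.report_boot(pcr_set("fw-1", "loader-1", "kernel-5.10")).status)
    return statuses


if __name__ == "__main__":
    for i, status in enumerate(demo(), start=1):
        print(f"boot {i}: {status}")
```

The last step is the point of whitelisting a specific event rather than blanket-accepting failures: once the updated kernel is the benchmark, a boot that reports the previous kernel's value is again an untrusted event and has to be investigated from the event details, as the text above requires.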