ENHANCED SAFE BOAT FOR LAUNCHING A VIRTUAL MACHINE
Patent Information
- Authority / Receiving Office
- DE · DE
- Patent Type
- Patents
- Current Assignee / Owner
- CYSEC SA
- Filing Date
- 2023-01-23
- Publication Date
- 2026-06-10
AI Technical Summary
Cloud-based services face challenges in protecting VM images from data breaches, particularly the theft of sensitive data contained in unsecured virtual machines, necessitating enhanced security measures to ensure data integrity and authenticity during the boot process.
A method involving secure boot mechanisms that include secure boot key modules, partition key modules, and encryption to authenticate and verify the integrity of operating system components, ensuring that only trusted kernels can boot and decrypt encrypted partitions, with additional checks for authenticity and integrity before completing the boot process.
Provides a trustworthy execution environment by ensuring the authenticity and integrity of the operating system, protecting end-user data from unauthorized access and tampering, thereby enhancing security in cloud compute environments.
Description
Technical Field
[0001] The present disclosure relates to a method for launching a virtual machine by using an extended secure boot.
[0002] The present invention relates to a computer program and to a computer device for carrying out the method of according to the present invention.Background of the art
[0003] Cloud infrastructure drives innovation by allowing companies to easily aggregate, analyze and share sensitive data whether at enterprise or consumer levels. However, cloud-based services also face issues regarding their security, making it hard for organizations and citizens to embrace them.
[0004] Cloud service providers (CSP) offer encryption services protect data at rest and the data in transit. Data at rest refers to the information in persistent storage along with those present in databases. On the other hand, the data in transit account for the data that is transferred over a network.
[0005] However, data breaches might happen in the countermeasures that the CSP put in place. Therefore, it is a wise approach to include additional specific security measures to protect end-user data in case of an unexpected data breach in the cloud hosting sensitive data.
[0006] One possible threat during a data breach in a cloud is the theft of the image of one or more of an end-user VMs. These VM images might contain sensitive data that are not protected by the CSP countermeasures. Documents US2019 / 311127 and US2017 / 230179 form part of the technological background Hence, there is a need to provide solutions that protect data stored in VM images as long as these images are not launched in specified VMs.Summary of the invention
[0007] The above problems are solved by the apparatus and the method according to present invention.
[0008] The invention concerns a method for launching a virtual machine in a cloud compute engine, the method comprising uploading an operating system disk image on said VM, said image comprising a boot bundle and at least one encrypted partition, generating a virtual machine image on said cloud compute engine by using secure boot, booting a virtual machine and launching said virtual machine image in the cloud compute engine, characterized in that the secure boot comprises the upload of a secure boot key module on the cloud compute engine so that the secure boot further comprises generating a virtual machine image comprising secure boot keys provided by secure boot key module and a partition key provided by a partition key module, authenticating the boot bundle by using the secure boot keys, continuing the boot of the virtual machine by decrypting the encrypted partitions using partition keys, extending the secure boot by checking the integrity of one or more decrypted partitions before, booting them finalizing the boot of the virtual machine by booting the partitions that don't follow the secure boot extension process, i.e. that are mounted without being verified previously.
[0009] In another aspect, the invention concerns a computer program comprising instructions which, when the program is executed by a computer, cause the computer to carry out method according to the present invention.
[0010] In another aspect, the invention relates to an apparatus comprising means for carrying out the method of according to the present invention.Description of the invention
[0011] The invention concerns a method for launching a virtual machine in a cloud compute engine, the method comprising uploading an operating system disk image on said VM, said image comprising a boot bundle and at least one encrypted partition, generating a virtual machine image on said cloud compute engine by using secure boot, booting a virtual machine and launching said virtual machine image in the cloud compute engine, characterized in that the secure boot comprises the upload of a secure boot key module on the cloud compute engine so that the secure boot further comprises generating a virtual machine image comprising secure boot keys provided by secure boot key module and a partition key provided by a partition key module, authenticating the boot bundle by using the secure boot keys, continuing the boot of the virtual machine by decrypting the encrypted partitions using partition keys, extending the secure boot by checking the integrity of one or more decrypted partitions before and booting them finalizing the boot of the virtual machine by booting the partitions that don't follow the secure boot extension process, i.e. that are mounted without being verified previously. method for launching a virtual machine supported in a processing unit of a cloud compute engine named secure enclave, the method comprising uploading an operating system disk image on said enclave, said image comprising a boot bundle and at least one encrypted partition, generating a virtual machine image on said enclave by using secure boot, booting a virtual machine and launching said virtual machine image in the secure enclave, characterized in that the secure boot comprises the upload of a secure boot keys module on the cloud compute engine so that the secure boot further comprises generating a virtual machine image comprising secure boot key provided by the secure boot key module and a partition key provided by a partition key module, authenticating the boot bundle by using the secure boot key, booting the virtual machine by decrypting the encrypted partitions using partitions keys
[0012] The present invention is mainly composed of the following functionalities: a secure boot that verifies the authenticity and the integrity of a first sequence of unencrypted software components of the operating system in a VM image launched in a cloud compute engine; a secure storage for keys that can seal keys with the secure boot measurement results; an encryption mechanism to encrypt and decrypt some partitions of the operating system (OS) running in the launched VM image; an extension of the secure boot that can verify the integrity of some of the partitions decrypted by the said encryption mechanism.
[0013] In the present invention, the secure boot starts by authenticating the boot bundle with the secure boot keys provisioned in the cloud secure engine. The said key provisioning allows to control the origin of the operating system launched in the provisioned cloud compute engine and to check the integrity of this operating system, preferably of the boot bundles of the operating system for instance the kernel. In other words, if a modified / corrupted version of the operating system disk image is uploaded in the cloud compute engine by a unauthorized party, the booting process will stop here.
[0014] Overall, the present invention focuses on providing a hardened operating system leveraging cloud infrastructure hardware elements to expose security features to application workloads. By realizing such operation, the end-user benefits from a trustworthy execution environment from the launch to the execution and from avoiding the exposition of its data in an unauthorized execution environment.
[0015] Preferably, the at least one operating system partitions that are not verified by the said secure boot are encrypted by specific keys, namely partitions keys, provisioned by a key generator. This allows the protection of the end-user data stored in the said encrypted partitions till the secure boot has successfully verified the authenticity and integrity of a first sequence of software components of the operating system to further increase the security of the extended secure boot.
[0016] Preferably, the partition key generator is chosen among trusted platform module TPM, virtual trusted platform module vTPM, a recovery key module either hardware based or software based
[0017] Preferably the partition key generator is compliant to NIST SP 800-90 B or similar.
[0018] In a preferred embodiment the method further comprises checking the signature of the operating system disk image and if the signature check fails, the secure boot is cancelled. This step ensures that the operating system image has not been corrupted or tampered with.
[0019] Preferably, the method further comprises creating at least a cluster on said cloud compute engine to deploy at least a workload using said virtual machine. Preferably, the method further comprises joining an existing cluster on said cloud compute engine to deploy at least a workload using said virtual machine.
[0020] In a preferred embodiment the boot bundle comprises at least one file chosen among an initramfs and a kernel. This step ensures the authenticity of initramfs and of the kernel and ensures that the boot bundle has not been tampered with.
[0021] Preferably, the at least one partitions are chosen among Extensible Firmware Interface EFI, system partition SYS, LUKS partition, data partition DATA
[0022] In a preferred embodiment, the operating system disk image comprises Extensible firmware Interface EFI, system partition SYS and data partitions. This partitioning structure enables to segregate by design the system files provided from the application owner and user data. This is particularly relevant for enabling smooth and easy back-ups, the addition of new clusters and nodes.
[0023] Preferably, the secure boot comprises an unified extensible firmware interface UEFI functionality.
[0024] Preferably, the secure boot key module is an unified extensible firmware interface UEFI. This advantageously enables to store keys and authenticate sub-parts of the secure boot.
[0025] In a preferred embodiment, the UEFI functionality is operated by an open virtual machine firmware OVMF. In this embodiment, OVMF is a virtualization and emulation of the UEFI functionalities. This is particularly relevant for deployment through cloud providers platforms and services.
[0026] In another aspect, the invention further relates to a computer program comprising instructions which, when the program is executed by a computer, cause the computer to carry out method according to the present invention.
[0027] The particular advantages of the computer program are similar to the ones of the method of the invention and will thus not be repeated here.
[0028] In another aspect, the invention also relates to an apparatus comprising means for carrying out the method of according to the present invention.
[0029] The particular advantages of the apparatus, in other words a computer device, are similar to the ones of the method of the invention and will thus not be repeated here.
[0030] As used herein, the word "means" (singular or plural) preceded or followed by a function can be replaced by the word "unit" or " module".
[0031] The embodiments describe for the method also apply to the apparatus and to the computer program according to the present invention mutatis mutandis.Brief description of the drawings
[0032] Further particular advantages and features of the invention will become more apparent from the following non-limitative description of at least one embodiment of the invention which will refer to the accompanying drawings, wherein Figures 1 and 2 represent the extended secure boot according to the present invention; Figures 3 represents the implementation of the extended secure boot according to the present invention in the context of confidential Virtual Machine; Figure 4 represents the implementation of the extended secure boot according to the present invention in the context of confidential Virtual Machine on a cloud provider infrastructure. Detailed description of the invention
[0033] The present detailed description is intended to illustrate the invention in a non-limitative manner since any feature of an embodiment may be combined with any other feature of a different embodiment in an advantageous manner.
[0034] Figure 1 describes an embodiment of an extended secure boot according to the present invention after the first ignition of the virtual machine, which is most of all composed of three steps.
[0035] In a first step, the boot chain starts by verifying the authenticity and integrity of the boot bundle. In this example, the boot bundle comprises a signed kernel bundles stored in a partition called ESP. In a specific embodiment ESP can follow the system d-boot specifications and contains the signed kernel bundles used to start the boot chain.
[0036] In a second step, two partitions of the disk called SYS and DATA are encrypted by partitions keys provided by a key generator, herein a vTPM. When the kernel is booted, the control flow is passed to "initramfs" which will unlock the partitions SYS and DATA using the partition keys outputted by the vTPM. A recovery key (i.e. a partition key module) can be used instead of the TPM key.
[0037] In this embodiment, the extended secure boot comprises, in a third and last step. Once SYS is decrypted, the extended secure boot will check the signature of Operating System image, which is stored as a signed compressed filesystem. If the signature check fails, then the image is corrupted and / or has been tampered with.
[0038] In this embodiment, the system partition SYS is encrypted with dm-crypt . A LUKS header is used to store 2 keys: 1. primary key used in combination with a TPM either virtualized or physical 2. secondary key used for recovery, usually split into shares
[0039] In most of the cases, during a boot the TPM will output the key. If it is not the case the "key device" (i.e. the partition key module or recovery key module) will be used as a backup. If none works, the boot process will stop and partitions will remain encrypted.
[0040] In the present embodiment, all system and user data are stored in the DATA partition. Backups of this partition can be done to prevent data loss. It also contains BTRFS subvolumes that are used to hold on to various types of data, mainly the writable parts of the system ( / etc and / var overlays).
[0041] Similarly to the SYS partition, the DATA partition is unlocked using the TPM or a recovery key module as key generator after the key rotation.
[0042] Figure 2 represents another embodiment of the secure boot according to the present invention. In this embodiment, the secure boot module comprises a UEFI as a firmware. This UEFI is used to check and enables the secure boot of the bootloader
[0043] In this specific embodiment, the ESP comprises systemd-boot as bootloader that checks the system-boot stub and the kernel with the secure boot keys. Systemd-boot will find the default kernel bundle or show the boot menu and pass the control flow to the stub. Secure boot is activated and used to authenticate kernel bundles. Here more precisely, Systemd-boot allows easy support of signed secure boot UEFI bundle.
[0044] Then, when the kernel is booted, the control flow is passed to "initramfs" which will unlock the partitions SYS and DATA using the partition keys outputted by the TPM. When the initramfs is done, the kernel switches the filesystem root and executes the second stage, the initialization.
[0045] The TPM is used to auto-unlock the SYS and DATA partition during the first stage of the initramfs. Specific TPM registers state (like secure boot state, dba bd dbx state, etc.) are used to encrypt the primary LUKS key. With this mechanism, disks can be decrypted only when a trusted kernel is booted.
[0046] Figure 3 relates to the method implementation of the extended secure boot according to the present invention in the context of VM launch in cloud compute engine after the first ignition of the VM.
[0047] In a first step the secure boot keys are provisioned in OVMF which enables UEFI support for Virtual Machines in cloud compute engines.
[0048] In a second step the OS is initialized through the initramfs and kernel modules. When kernel is booted the control flow is passed to our first stage init: the initramfs. The initramfs is responsible to unlock SYS and DATA partitions. The OS may use an A / B scheme for system updates, which means the boot chain has to figure out which version of the system has to start. When the initramfs is done, the kernel switches the filesystem root and executes the second stage init. This second stage init is responsible to mount / etc and / var as RW, by overlaying correct RW btrfs subvolumes present in the DATA partition.
[0049] In a third step Secure boot is used to verify integrity and authenticity of the OS image. System provider public keys are placed in [pk] , [kek] , and [db] UEFI secure boot keystores. systemd-boot will ensure that only valid signed bundles, in regards of db and dbx , are booted. systemd-boot is itself signed by System provider key. Any updates of db and dbx from a booted system require [pk] or [kek] signatures. With this mechanism the platform ensures that only trusted kernels are able to boot.
[0050] In this context, the TPM is used to auto-unlock the SYS and DATA partition during the first stage init inside the initramfs. Some TPM registers state are used to encrypt the primary LUKS key. Registers like secure boot state, db and dbx state, etc can be used for example. With this mechanism disks can be decrypted only when a trusted kernel is booted.
[0051] In a fourth step partition encryption keys are unlocked in order to decrypt and map disk layout with at least two partitions: (1) system (SYS) and (2) data (DATA).
[0052] Figure 4 relates to the method implementation in the context of confidential VM launch in an enclave on a Cloud provider infrastructure.
[0053] In a 1 st< step, the method consists in initiating and uploading an OS image In a cloud compute engine of the cloud infrastructure.
[0054] In a 2 nd< step, the system provider secure boot keys are uploaded in the OVMF firmware of the said compute engine.
[0055] In a 3 rd< step, the user generates a VM image on the Cloud compute engine exploiting the said secure boot keys loaded previously in OVMF and the said OS image disk. Preferably, steps 2 and 3 are performed in a single step.
[0056] In a 4 th< step it is to mention that the compute infrastructure enables the launch of VMs as well as secure boot (as an example through TPM or Virtual TPM).
[0057] In a 5 th< step, when the VM is launched for the first time, the partitions recovery keys are used to decrypt partitions and access the VM.
[0058] In a 6 th< step, the user proceeds with key rotation to encrypt the partitions with new partitions keys provisioned in the vTPM. This step enable user to benefit from customized keys.
[0059] In a last step, the user can fully benefit from a trustworthy execution environment thanks to the features of the invention through the OS reboot and launch. And then, the user is capable to create clusters or join existing clusters where sensitive workloads are deployed on VMs.
[0060] While the embodiments have been described in conjunction with a number of embodiments, it is evident that many alternatives, modifications and variations would be or are apparent to those of ordinary skill in the applicable arts. Accordingly, this disclosure is intended to embrace all such alternatives, modifications, equivalents and variations that are within the scope of this disclosure. This for example particularly the case regarding the different apparatuses which can be used.
Claims
1. Method for launching a virtual machine in a cloud compute engine, the method comprising uploading an operating system disk image on said VM, said image comprising a boot bundle, at least one encrypted partition and two partition key generators, one of them being a recovery key module, generating a virtual machine image on said cloud compute engine by using secure boot, booting a virtual machine and launching said virtual machine image in the cloud compute engine, characterized in that the secure boot comprises the upload of a secure boot key module on the cloud compute engine so that the secure boot further comprises at first boot, generating a virtual machine image comprising secure boot keys provided by secure boot key module and partition keys provided by the recovery key module, authenticating the boot bundle by using the secure boot keys, continuing the boot of the virtual machine by decrypting the encrypted partitions using partition keys, extending the secure boot by checking the integrity of one or more decrypted partitions before booting them, finalizing the boot of the virtual machine by booting the partitions that don't follow the secure boot extension process, i.e. that are mounted without being verified previously, proceeding with a key rotation process in the second key partition generator to encrypt the partitions with new partition keys provisioned in the said second key partition generator, at the following boots of the said image, generating a virtual machine image using secure boot keys provided by the said secure boot key module and the partition keys provided by the said second partition key generator.
2. Method according to the preceding claim, wherein the second partition key generator is chosen among a trusted platform module TPM and a virtual trusted platform module vTPM either hardware based or software based.
3. Method according to claim 1 or 2, wherein the method further comprises Checking the signature of the operating system disk image and if the signature check fails, the secure boot is cancelled.
4. Method according to any one of claims 1 to 3, wherein the method further comprises creating at least a cluster on said enclave to deploy at least a workload using said virtual machine.
5. Method according to any one of claims 1 to 3, wherein the method further comprises joining an existing cluster on said enclave to deploy at least a workload using said virtual machine.
6. Method according to any one of claims 1 to 5, wherein the boot bundle comprises at least one file chosen among an initramfs and a kernel.
7. Method according to any one of claims 1 to 6, wherein said at least one partitions is chosen among Extensible firmware Interface EFI, system partition SYS, LUKS partition, data partition DATA.
8. Method according to the preceding claim, wherein the operating system disk image comprises Extensible firmware Interface EFI, system partition SYS and data partitions.
9. Method according to any one of claims 1 to 8, wherein the secure boot comprises an unified extensible firmware interface UEFI functionality, preferably the secure boot key module is an unified extensible firmware interface UEFI.
10. Method according to the preceding claim, wherein the UEFI functionality is operated by an open virtual machine firmware OVMF.
11. A computer program comprising instructions which, when the program is executed by a computer, cause the computer to carry out method according to any one of claims 1 to 10.
12. An apparatus comprising means for carrying out the method of according to any one of claims 1 to 10.