Confidential vTPM
A confidential vTPM is an emerging concept that provides a virtualized Trusted Platform Module (TPM) which is trustworthy inside a confidential VM. It uses the Secure Processor (AMD's platform security coprocessor) and the security guarantees it enforces as the root of trust, instead of relying on the hypervisor.
Introduction
Today, TPMs (Trusted Platform Modules) are available in many different forms. A TPM acts as a root of trust for measuring software components (recording their hashes in its Platform Configuration Registers, PCRs) and for storing and sealing user-defined secrets so that they can only be unsealed when the measured platform state matches the state they were sealed to. Many modern systems are therefore equipped either with a discrete TPM (a small, specialized microcontroller) or with a firmware TPM (fTPM) implemented in the platform firmware, typically running on a security coprocessor inside the CPU package.
However, these implementations fall short in a cloud context, where the provider runs many virtual machines (VMs) on one physical CPU and each VM requires its own TPM. A discrete TPM per VM is not affordable, and a firmware TPM cannot fill the gap either: there is exactly one per physical CPU, it holds a single state, and it does not scale to many guests.
To address this, cloud providers offer pure software implementations of the TPM specification that are managed by the hypervisor, one instance per VM. This approach is called a virtualized TPM (vTPM).
In confidential computing the hypervisor lies outside the trust boundary and is treated as a potentially malicious actor. A vTPM under hypervisor control therefore cannot be trusted: the hypervisor can read or alter the vTPM's state, including PCR values and sealed secrets, which defeats both measurement and sealing.
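The following Python example, added here and not part of the original page, shows the two TPM functions the introduction relies on: measuring a boot chain by extending a PCR, and sealing a secret to the resulting PCR value so that it cannot be unsealed once a component is tampered with or the order of measurements changes. The PCR extend rule (new PCR = SHA-256(old PCR || digest)) is the TPM 2.0 one; the sealing scheme, the seed value and all component blobs are toy constructions for illustration only. Note that the unseal policy check in this model is enforced purely in software. That is exactly the weakness of a hypervisor-managed vTPM: whoever controls the software holding the state can skip the check or present arbitrary PCR values.

```python
import hashlib
import hmac

DIGEST_LEN = 32  # SHA-256 PCR bank


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend: PCR_new = H(PCR_old || digest). Extends are one-way and
    order-dependent, so a PCR cannot be set to an arbitrary value."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot_chain(components):
    """Measure each (name, blob) into a fresh PCR, returning the final PCR value
    and an event log that a verifier can replay."""
    pcr = bytes(DIGEST_LEN)  # PCRs start at all-zero after reset
    event_log = []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        event_log.append((name, digest))
        pcr = pcr_extend(pcr, digest)
    return pcr, event_log


def replay_event_log(event_log):
    """Recompute the PCR from the log; a verifier compares this to a quoted PCR."""
    pcr = bytes(DIGEST_LEN)
    for _, digest in event_log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def _wrap_key(seed: bytes, policy_pcr: bytes) -> bytes:
    # Toy key derivation bound to the PCR policy; a real TPM uses a policy digest
    # and a hierarchy seed that never leaves the chip.
    return hmac.new(seed, b"seal-policy" + policy_pcr, hashlib.sha256).digest()


def seal(secret: bytes, policy_pcr: bytes, seed: bytes) -> dict:
    """Bind a short secret (<= 32 bytes) to an expected PCR value."""
    assert len(secret) <= DIGEST_LEN
    key = _wrap_key(seed, policy_pcr)
    ciphertext = bytes(a ^ b for a, b in zip(secret, key))
    return {"policy_pcr": policy_pcr, "ciphertext": ciphertext}


def unseal(blob: dict, current_pcr: bytes, seed: bytes):
    """Release the secret only if the current PCR matches the sealed policy.
    This check runs in software here, so it is only as trustworthy as the
    code holding the PCRs, which is the vTPM problem described above."""
    if not hmac.compare_digest(blob["policy_pcr"], current_pcr):
        return None
    key = _wrap_key(seed, blob["policy_pcr"])
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], key))


# Constructed sample boot chain (hypothetical component contents).
GOOD_CHAIN = [
    ("firmware", b"fw image v1"),
    ("bootloader", b"bootloader image"),
    ("kernel", b"kernel image 6.x"),
]
TOY_SEED = b"toy-hierarchy-seed-not-a-real-tpm-secret"


def demo():
    """Return (good PCR, tampered PCR, unseal with good PCR, unseal with bad PCR)."""
    pcr_good, log = measure_boot_chain(GOOD_CHAIN)
    tampered = list(GOOD_CHAIN)
    tampered[2] = ("kernel", b"kernel image (modified)")
    pcr_bad, _ = measure_boot_chain(tampered)
    blob = seal(b"disk-key", pcr_good, TOY_SEED)
    return pcr_good, pcr_bad, unseal(blob, pcr_good, TOY_SEED), unseal(blob, pcr_bad, TOY_SEED)


if __name__ == "__main__":
    good, bad, ok, fail = demo()
    print("PCR good  :", good.hex())
    print("PCR bad   :", bad.hex())
    print("unseal ok :", ok)
    print("unseal bad:", fail)
```

Replaying the event log against the PCR is what a remote verifier does with a TPM quote; the example also shows that swapping the order of two measurements changes the PCR, which is why the log must be replayed rather than just compared as a set.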
Solution
To use a vTPM in a confidential VM, it must be removed from the hypervisor's trust boundary and placed in an isolated environment that benefits from the hardware security guarantees. To avoid adding a separate component, this environment should ideally be part of the VM that requests the vTPM functionality.
One way to achieve this is a paravisor running inside the guest with nested virtualization, where the underlying hardware supports it: the paravisor acts as an L1 hypervisor inside the confidential VM and hosts the vTPM, while the guest operating system runs as an L2 VM. The vTPM then stays inside the hardware-protected VM but remains isolated from the guest OS it serves.
However, some confidential computing implementations, such as AMD SEV-SNP, do not support nested virtualization and instead provide their own privilege separation mechanism. SEV-SNP introduces Virtual Machine Privilege Levels (VMPLs), which allow different services to run at different privilege levels within the same VM; VMPL0 is the most privileged level, and the hardware enforces per-VMPL memory access permissions, so software at a lower VMPL cannot read or modify memory that VMPL0 has reserved for itself. The Secure VM Service Module (SVSM) runs at VMPL0 and can host the vTPM, offering its services to less privileged software such as the guest operating system through a defined interface. The vTPM state thus lives in memory that neither the hypervisor nor the guest OS can access.