First, TPM, Bastion and HyperWall all help to improve the integrity
of certain trusted software components. TPM aims to protect the
integrity of the entire software stack, measuring each layer as it is
loaded. Bastion tries to protect the secure launch of a set of trusted
software modules in a VM by reporting the measurement of the identity
and security segment of each of these modules, together with the
measurement of the trusted hypervisor. HyperWall aims to protect the
VM’s secure initialization by reporting the measurement of the VM’s
image and the protections requested for the VM. All these values can
be sent to the remote customer in a signed attestation report. Our
verifications assure the correctness of these startup attestation
protocols.
Second, we build a secure communication channel between the
remote customer and the trusted software components in the last two
architectures. The customer can talk securely to TSMs in Bastion,
and to VMs in HyperWall. Our verification shows that these communication
channels are protected and the untrusted components in each
architecture have no access to the newly generated private key.
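The two properties above, a signed startup attestation and a channel key that the untrusted components never see, are illustrated by the following added example. It is not code from any of the three architectures or from the verification described here; it is a simplified model written for this page. It assumes a SHA-256 extend chain as the measurement register (standing in for a TPM PCR or a Bastion/HyperWall measurement), an Ed25519 attestation key held by the trusted hardware, and an X25519 key pair generated inside the trusted module as the "newly generated private key". The customer's check is generic: it would reject a modified module, a replayed report, a report from an unknown platform, and a report whose channel key was swapped after signing.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Measurement stands in for a TPM PCR or a Bastion/HyperWall measurement
// register (an assumed model, not the papers' exact formats). Extend chains
// a new measurement onto the previous one, as PCR-extend does, so the final
// value also fixes the launch order.
type Measurement [sha256.Size]byte

func Measure(image []byte) Measurement { return sha256.Sum256(image) }

func Extend(prev, m Measurement) Measurement { return sha256.Sum256(append(prev[:], m[:]...)) }

// ExpectedChain is the golden value the customer computes offline from the
// images it expects: hypervisor, then the module's identity and security segments.
func ExpectedChain(hypervisor, identity, securitySegment []byte) Measurement {
	return Extend(Extend(Measure(hypervisor), Measure(identity)), Measure(securitySegment))
}

// Report is the signed attestation report sent to the remote customer.
type Report struct {
	Nonce      []byte      // customer-chosen freshness value (32 bytes)
	Chain      Measurement // measurement chain recorded at launch
	ChannelPub []byte      // X25519 public key generated inside the trusted module (32 bytes)
	Signature  []byte      // Ed25519 signature by the platform's attestation key
}

// reportBody is the signed encoding; all fields are fixed 32-byte values here.
func reportBody(nonce []byte, chain Measurement, pub []byte) []byte {
	return bytes.Join([][]byte{nonce, chain[:], pub}, nil)
}

// TrustedPlatform models the trusted hardware plus the trusted module it
// launched. attestKey and channelPriv never leave it; untrusted software only sees the Report.
type TrustedPlatform struct {
	attestKey   ed25519.PrivateKey
	chain       Measurement
	channelPriv *ecdh.PrivateKey
}

// NewTrustedPlatform "launches" the hypervisor and module, recording the
// measurement chain and generating the module's channel key pair inside.
func NewTrustedPlatform(attestKey ed25519.PrivateKey, hypervisor, identity, securitySegment []byte) (*TrustedPlatform, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TrustedPlatform{attestKey, ExpectedChain(hypervisor, identity, securitySegment), priv}, nil
}

// Attest answers a customer's nonce with a signed report.
func (p *TrustedPlatform) Attest(nonce []byte) Report {
	pub := p.channelPriv.PublicKey().Bytes()
	return Report{nonce, p.chain, pub, ed25519.Sign(p.attestKey, reportBody(nonce, p.chain, pub))}
}

// SharedSecret is the module's side of the channel key agreement.
func (p *TrustedPlatform) SharedSecret(customerPub []byte) ([]byte, error) {
	pk, err := ecdh.X25519().NewPublicKey(customerPub)
	if err != nil {
		return nil, err
	}
	return p.channelPriv.ECDH(pk)
}

// VerifyReport is the customer's check: genuine signer, fresh nonce, expected
// software. Only then does ChannelPub provably belong to the attested module.
func VerifyReport(attestPub ed25519.PublicKey, nonce []byte, expected Measurement, r Report) error {
	if !ed25519.Verify(attestPub, reportBody(r.Nonce, r.Chain, r.ChannelPub), r.Signature) {
		return errors.New("attestation signature invalid")
	}
	if !bytes.Equal(r.Nonce, nonce) {
		return errors.New("nonce mismatch: stale or replayed report")
	}
	if r.Chain != expected {
		return errors.New("measurement mismatch: unexpected software was launched")
	}
	return nil
}

// CustomerChannel completes the key agreement with the attested module's
// public key; call it only after VerifyReport succeeds.
func CustomerChannel(r Report) (customerPub, secret []byte, err error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	modulePub, err := ecdh.X25519().NewPublicKey(r.ChannelPub)
	if err != nil {
		return nil, nil, err
	}
	secret, err = priv.ECDH(modulePub)
	return priv.PublicKey().Bytes(), secret, err
}
```

The order of checks in VerifyReport matters: the signature binds the nonce, the measurement chain and the channel public key together, so an untrusted component that relays the report cannot substitute its own public key without invalidating the signature, and a stale report cannot answer a fresh nonce. The shared secret is then known only to the customer and to the code holding channelPriv, which in this model is the trusted module itself.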
We note that the security verification of the protocols depends on
trusted components remaining trusted. For example, in Figure 3 for
the TPM attestation protocol, the entire hardware platform (including
the processor, the TPM chip and the main memory), the hypervisor
and the Virtual Machine (including the guest OS and the application)
are all assumed to be trusted components. If any of these trusted
components is compromised, then the security verification of TPM’s
attestation protocol becomes null and void.