Secure public cloud with protected guest-verified host control
First Claim
1. An apparatus comprising:
- a processor; and
a memory coupled to the processor;
whereinthe processor is to execute an untrusted host virtual machine monitor to manage execution by the processor of at least one guest virtual machine;
the untrusted host virtual machine monitor is to receive an encrypted key domain key, an encrypted guest code image encrypted by a key domain key, and an encrypted guest control structure encrypted by the key domain key, the key domain key inaccessible to the untrusted host virtual machine monitor;
the untrusted host virtual machine monitor is to issue a create command to the processor to create a first key domain, the first key domain comprising a region of the memory to be encrypted by the key domain key;
in response to receiving the create command, the processor is to create the first key domain and decrypt the encrypted key domain key to produce the key domain key;
the untrusted host virtual machine monitor is to issue a launch command to the processor to launch a first guest virtual machine within the first key domain;
in response to receiving the launch command, the processor is to (a) switch to the first key domain, (b) decrypt the encrypted guest control structure to produce a guest control structure containing guest processor state information, (c) decrypt the encrypted guest code image to produce a guest code image, and (d) execute the guest code image within the first key domain using the guest processor state information, wherein the guest control structure specifies a protected location of the memory where the processor may store the guest processor state information;
in response to an event triggering an exit condition of the first guest virtual machine, the processor is to save the guest processor state information for the first guest virtual machine in the protected location of the memory;
the untrusted host virtual machine monitor is to issue a resume command to the processor to resume the first guest virtual machine; and
in response to receiving the resume command, the processor is to (a) switch to the first key domain, (b) retrieve the guest processor state information for the first guest virtual machine from the protected location of the memory, and (c) execute the guest code image within the first key domain using the guest processor state information.
1 Assignment
0 Petitions
Accused Products
Abstract
A host Virtual Machine Monitor (VMM) operates “blindly,” without the host VMM having the ability to access data within a guest virtual machine (VM) or the ability to access directly control structures that control execution flow of the guest VM. Guest VMs execute within a protected region of memory (called a key domain) that even the host VMM cannot access. Virtualization data structures that pertain to the execution state (e.g., a Virtual Machine Control Structure (VMCS)) and memory mappings (e.g., Extended Page Tables (EPTs)) of the guest VM are also located in the protected memory region and are also encrypted with the key domain key. The host VMM and other guest VMs, which do not possess the key domain key for other key domains, cannot directly modify these control structures nor access the protected memory region. The host VMM, however, can verify correctness of the control structures of guest VMs.
26 Citations
35 Claims
-
1. An apparatus comprising:
-
a processor; and a memory coupled to the processor;
whereinthe processor is to execute an untrusted host virtual machine monitor to manage execution by the processor of at least one guest virtual machine; the untrusted host virtual machine monitor is to receive an encrypted key domain key, an encrypted guest code image encrypted by a key domain key, and an encrypted guest control structure encrypted by the key domain key, the key domain key inaccessible to the untrusted host virtual machine monitor; the untrusted host virtual machine monitor is to issue a create command to the processor to create a first key domain, the first key domain comprising a region of the memory to be encrypted by the key domain key; in response to receiving the create command, the processor is to create the first key domain and decrypt the encrypted key domain key to produce the key domain key; the untrusted host virtual machine monitor is to issue a launch command to the processor to launch a first guest virtual machine within the first key domain; in response to receiving the launch command, the processor is to (a) switch to the first key domain, (b) decrypt the encrypted guest control structure to produce a guest control structure containing guest processor state information, (c) decrypt the encrypted guest code image to produce a guest code image, and (d) execute the guest code image within the first key domain using the guest processor state information, wherein the guest control structure specifies a protected location of the memory where the processor may store the guest processor state information; in response to an event triggering an exit condition of the first guest virtual machine, the processor is to save the guest processor state information for the first guest virtual machine in the protected location of the memory; the untrusted host virtual machine monitor is to issue a resume command to the processor to resume the first guest virtual machine; and in response to receiving the resume command, the processor is to (a) switch to the first key domain, (b) retrieve the guest processor state information for the first guest virtual machine from the protected location of the memory, and (c) execute the guest code image within the first key domain using the guest processor state information. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A processor to:
-
execute an untrusted host virtual machine monitor to manage execution by the processor of at least one guest virtual machine; create a first key domain in response to a create command issued by the untrusted host virtual machine monitor, the first key domain comprising a region of a memory to be encrypted by a key domain key, the key domain key inaccessible to the untrusted host virtual machine monitor; decrypt an encrypted key domain key received from the untrusted host virtual machine monitor to produce the key domain key; launch a first guest virtual machine within the first key domain in response to a launch command issued by the untrusted host virtual machine monitor, wherein to launch the first guest virtual machine comprises to; switch to the first key domain, decrypt an encrypted guest control structure received from the untrusted host virtual machine monitor to produce a guest control structure containing guest processor state information, wherein the guest control structure specifies a protected location of the memory where the processor may store the guest processor state information, decrypt an encrypted guest code image received from the untrusted host virtual machine monitor to produce a guest code image, and execute the guest code image within the first key domain using the guest processor state information; and
wherein the processor is further to;save the guest processor state information for the first guest virtual machine in the protected location of the memory in response to an event triggering an exit condition of the first guest virtual machine; and in response to receiving a resume command from the untrusted host virtual machine monitor, the processor is to (a) switch to the first key domain, (b) retrieve the guest processor state information for the first guest virtual machine from the protected location of the memory, and (c) execute the guest code image within the first key domain using the guest processor state information. - View Dependent Claims (14, 15, 16, 17, 18, 19)
-
-
20. At least one non-transitory computer-readable medium comprising instructions that, when executed by a processor of a computer, cause a computer to:
-
receive an encrypted key domain key, an encrypted guest code image encrypted by a key domain key, and an encrypted guest control structure encrypted by the key domain key, wherein the encrypted key domain key comprises an encrypted version of the key domain key; issue a create command to the processor to create a first key domain, the first key domain comprising a region of a memory to be encrypted by the key domain key; issue a launch command to the processor to launch a first guest virtual machine within the first key domain, wherein to launch the first guest virtual machine comprises to; switch to the first key domain, decrypt the encrypted guest control structure to produce a guest control structure containing guest processor state information, wherein the guest control structure specifies a protected location of the memory where the processor may store the guest processor state information, decrypt the encrypted guest code image to produce a guest code image, and execute the guest code image within the first key domain using the guest processor state information; save the guest processor state information for the first guest virtual machine in the protected location of the memory in response to an event triggering an exit condition of the first guest virtual machine; and issue a resume command to the processor to resume the first guest virtual machine, wherein to resume the first guest virtual machine comprises to; switch to the first key domain, retrieve the guest processor state information for the first guest virtual machine from the protected location of the memory, and execute the guest code image within the first key domain using the guest processor state information. - View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
-
-
28. A method comprising:
-
receiving an encrypted key domain key, an encrypted guest code image encrypted by a key domain key, and an encrypted guest control structure encrypted by the key domain key, wherein the encrypted key domain key comprises an encrypted version of the key domain key; issuing a create command to a processor create a first key domain, the first key domain comprising a region of a memory to be encrypted by the key domain key; issuing a launch command to the processor to launch a first guest virtual machine within the first key domain, wherein to launch the first guest virtual machine comprises to; switch to the first key domain, decrypt the encrypted guest control structure to produce a guest control structure containing guest processor state information, wherein the guest control structure specifies a protected location of the memory where the processor may store the guest processor state information, decrypt the encrypted guest code image to produce a guest code image, and execute the guest code image within the first key domain using the guest processor state information; saving the guest processor state information for the first guest virtual machine in the protected location of the memory in response to an event triggering an exit condition of the first guest virtual machine; and issuing a resume command to the processor to resume the first guest virtual machine, wherein to resume the first guest virtual machine comprises to; switch to the first key domain, retrieve the guest processor state information for the first guest virtual machine from the protected location of the memory, and execute the guest code image within the first key domain using the guest processor state information. - View Dependent Claims (29, 30, 31, 32, 33, 34, 35)
-
Specification