This topic describes how an instance that supports trusted computing capabilities (trusted instance) works and the basic concepts of trusted computing technology.
Introduction to trusted computing capabilities
Trusted computing is one of the main features that are used to ensure the high-level security of underlying computing environments for cloud tenants. A virtual Trusted Platform Module (vTPM) is used as a virtual root of trust to provide a remote attestation mechanism and build a chain of trust that covers system startup and user-specified applications. This ensures a trusted environment for users in all aspects during the startup and runtime phases. Trust verification of systems and applications reduces vulnerability to attacks that are caused by unknown or tampered systems or software.
Instance families that support trusted computing capabilities
The g7t, c7t, and r7t instance families support Software Guard Extensions (SGX) confidential computing. When you create instances of the preceding instance families in the Elastic Compute Service (ECS) console, the Alibaba Cloud SGX runtime is automatically installed. For information about SGX confidential computing, see Build an SGX confidential computing environment.
How a trusted instance works
Trusted instances use trusted computing technology to perform integrity verification. This ensures that the trusted instances are not compromised by startup-level or kernel-level malware or rootkits. Trusted instances provide measured boot and integrity verification by using the Unified Extensible Firmware Interface (UEFI) firmware, vTPMs or virtual Trusted Cryptography Modules (vTCMs), and a remote attestation service to ensure security and trustworthiness.
Firmware security
Alibaba Cloud supports secure firmware updates. Before a firmware update is applied, the firmware signature is verified so that only authorized firmware can be installed. This prevents malicious firmware from being used to attack the cloud infrastructure.
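The following Go program is an added illustration of the signature gate described above; it is not Alibaba Cloud's firmware tooling. It assumes a hypothetical image layout (version string, payload, detached Ed25519 signature) and generates the vendor key pair on the fly, where a real platform would only hold the provisioned public key. The update routine refuses any image whose signature does not verify, so a payload modified after signing, or a valid signature relabeled with a different version, leaves the installed firmware untouched.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is a constructed stand-in for a firmware blob and the detached
// signature shipped with it. The field layout is hypothetical.
type FirmwareImage struct {
	Version string
	Payload []byte
	Sig     []byte // Ed25519 signature over signingMessage(fw)
}

// signingMessage is the canonical byte string that gets signed. Binding the
// version label to the payload digest means a signature issued for one release
// cannot be reused to authorize a different payload or a different version.
func signingMessage(fw FirmwareImage) []byte {
	digest := sha256.Sum256(fw.Payload)
	return append([]byte("firmware-v1:"+fw.Version+":"), digest[:]...)
}

// SignFirmware stands in for the vendor's release pipeline (assumed here,
// not the cloud provider's actual tooling).
func SignFirmware(priv ed25519.PrivateKey, fw FirmwareImage) FirmwareImage {
	fw.Sig = ed25519.Sign(priv, signingMessage(fw))
	return fw
}

// VerifyFirmware is the check that must succeed before any update is applied.
func VerifyFirmware(pub ed25519.PublicKey, fw FirmwareImage) bool {
	return ed25519.Verify(pub, signingMessage(fw), fw.Sig)
}

// ErrUnauthorizedFirmware is returned when a candidate image fails verification.
var ErrUnauthorizedFirmware = errors.New("firmware signature invalid: update rejected")

// ApplyFirmwareUpdate installs the candidate only if its signature verifies
// against the trusted vendor key; otherwise the installed image is left as is.
func ApplyFirmwareUpdate(pub ed25519.PublicKey, installed *FirmwareImage, candidate FirmwareImage) error {
	if !VerifyFirmware(pub, candidate) {
		return ErrUnauthorizedFirmware
	}
	*installed = candidate
	return nil
}

func main() {
	// Constructed demo: the vendor key pair is generated here; in a real
	// deployment only the public key is provisioned into the platform.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installed := FirmwareImage{Version: "1.0.0", Payload: []byte("constructed firmware 1.0.0")}
	release := SignFirmware(priv, FirmwareImage{Version: "1.0.1", Payload: []byte("constructed firmware 1.0.1")})

	// A modified copy keeps the vendor's signature but changes one payload byte.
	modified := release
	modified.Payload = append([]byte(nil), release.Payload...)
	modified.Payload[0] ^= 0x01

	fmt.Println("modified image:", ApplyFirmwareUpdate(pub, &installed, modified), "| running", installed.Version)
	fmt.Println("genuine image: ", ApplyFirmwareUpdate(pub, &installed, release), "| running", installed.Version)
}
```

The domain-separated prefix in signingMessage is a design choice of this example: signing only the raw payload would let a signature for one version be attached to the same payload under another version label, which the verification gate should also reject.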
vTPM and vTCM
vTPMs and vTCMs are virtualized trusted platform modules that extend trust from the trusted server hardware to trusted instances. vTPMs are fully compatible with TPM 2.0, and vTCMs are fully compatible with TCM 2.0. Trusted instances use a vTPM or a vTCM to build a virtual root of trust and implement a trusted boot chain and a remote attestation mechanism that are similar to those of the host layer. A benchmark measurement is generated when you create an instance. The measurement values that are collected on subsequent instance startups are compared against the benchmark measurement to determine whether the instance has changed. The comparison result indicates the trusted status of the instance and is displayed in the Security Center console.
UEFI firmware
Trusted instances use trusted boot firmware that meets the UEFI specification for system boot. The UEFI firmware measures the integrity of system firmware, system boot loader, and system kernel modules during the boot process of the OS to build a chain of trust for system startup.
Measured boot
Components are measured stage by stage. The components that are started first measure the components that are started in the next stage. If the measurement is successful, the chain of trust is extended to the next stage.
Each module in the boot chain, from the underlying hardware to the guest operating system, is measured during the boot process of an instance. When the modules are loaded, trusted components calculate a hash value for each module and securely record the calculated hash values in the root of trust to build a chain of trust. Stage-by-stage measurement and verification of all modules in the boot chain confirm that the system has not changed since the previous boot.
Integrity verification
Integrity verification helps you understand the trusted status of instances and make decisions.
The first time you start an instance, the trusted components create the first set of hash values as the benchmark measurement and securely store the data. The measurement and storage operations are then repeated each time the instance starts. Trusted components send the measurement values to the trusted service by using remote attestation. You can compare the most recent measurement data with the benchmark measurement to verify the integrity of the instance and determine whether the instance runs in the expected trusted state.
Integrity verification compares the startup measurement information with the benchmark measurement of an instance. If the startup measurement information matches the benchmark measurement, a success result is returned, which indicates that the instance is trusted. Otherwise, a failure result is returned, which indicates that the instance is not trusted.
If an expected integrity verification failure occurs in specific scenarios, such as during a system update of an instance, you can add the trusted event to a whitelist to update the instance benchmark measurement. Subsequent integrity measurements are performed against the most recent benchmark measurement. For more information, see the Handle trust exceptions section of the "Use trusted instances" topic.
If an unexpected integrity verification failure occurs, identify the cause of the failure based on the trusted event details to prevent the instance from running in an untrusted environment.
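The following Go program is an added example, not code from Alibaba Cloud, that ties together the Measured boot and Integrity verification sections above. It models the PCR extend operation (PCR_new = H(PCR_old || H(module))) with SHA-256, replays a constructed three-stage boot chain into PCRs 0, 4 and 8, records the first-start measurement as the benchmark, and then shows the two cases the text distinguishes: an expected change (a planned kernel update) that the operator whitelists so the new measurement becomes the benchmark, and an unexpected boot loader change that is reported for investigation. The component names, PCR assignments and image bytes are all constructed for the example; the remote attestation transport is not modelled.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Digest is one SHA-256 PCR value. A PCR in the SHA-256 bank starts as all
// zeros after reset, which Go's zero value for the array provides.
type Digest [sha256.Size]byte

// BootComponent is a constructed stand-in for one stage of the boot chain.
// The PCR indices follow the common convention (0 firmware, 4 boot loader,
// 8 kernel); the image bytes are made up for this example.
type BootComponent struct {
	Name  string
	PCR   int
	Image []byte
}

// Extend is the TPM PCR extend operation: PCR_new = H(PCR_old || H(image)).
// Folding in the old value makes the result order sensitive, and a PCR can
// never be set back to a chosen value by extending it again.
func Extend(pcr Digest, image []byte) Digest {
	imageHash := sha256.Sum256(image)
	return sha256.Sum256(append(pcr[:], imageHash[:]...))
}

// MeasuredBoot replays the chain stage by stage: each component is hashed
// into its PCR before control moves on, yielding the PCR bank a quote reports.
func MeasuredBoot(chain []BootComponent) map[int]Digest {
	pcrs := map[int]Digest{}
	for _, c := range chain {
		pcrs[c.PCR] = Extend(pcrs[c.PCR], c.Image)
	}
	return pcrs
}

// VerifyIntegrity compares the PCRs reported at the latest start (quote)
// against the benchmark and returns the indices that differ, sorted.
// An empty result means the instance is in its expected trusted state.
func VerifyIntegrity(benchmark, quote map[int]Digest) []int {
	var mismatched []int
	for idx, expected := range benchmark {
		if quote[idx] != expected {
			mismatched = append(mismatched, idx)
		}
	}
	sort.Ints(mismatched)
	return mismatched
}

// Benchmark holds the reference PCR values recorded at first start.
type Benchmark struct {
	PCRs map[int]Digest
}

// NewBenchmark records the first-start measurement as the reference.
func NewBenchmark(first map[int]Digest) *Benchmark {
	b := &Benchmark{PCRs: map[int]Digest{}}
	b.accept(first)
	return b
}

// Whitelist is the operator action for an expected change (for example a
// planned kernel update): the failing measurement becomes the new benchmark
// and all later checks run against it. An unexpected mismatch should be
// investigated rather than whitelisted.
func (b *Benchmark) Whitelist(quote map[int]Digest) { b.accept(quote) }

func (b *Benchmark) accept(quote map[int]Digest) {
	for idx, d := range quote {
		b.PCRs[idx] = d
	}
}

func main() {
	chain := []BootComponent{
		{"uefi-firmware", 0, []byte("constructed firmware image")},
		{"boot-loader", 4, []byte("constructed boot loader image")},
		{"kernel", 8, []byte("constructed kernel 5.10")},
	}
	bench := NewBenchmark(MeasuredBoot(chain))
	fmt.Println("second boot, mismatched PCRs:", VerifyIntegrity(bench.PCRs, MeasuredBoot(chain)))

	// Planned kernel update: PCR 8 changes and verification fails as expected,
	// so the operator whitelists the event and the new value becomes the benchmark.
	updated := append([]BootComponent(nil), chain...)
	updated[2].Image = []byte("constructed kernel 5.15")
	quote := MeasuredBoot(updated)
	fmt.Println("after kernel update, mismatched PCRs:", VerifyIntegrity(bench.PCRs, quote))
	bench.Whitelist(quote)
	fmt.Println("after whitelisting, mismatched PCRs:", VerifyIntegrity(bench.PCRs, quote))

	// Unexpected boot loader change: PCR 4 differs and must be investigated.
	changed := append([]BootComponent(nil), updated...)
	changed[1].Image = []byte("constructed boot loader image (modified)")
	fmt.Println("modified boot loader, mismatched PCRs:", VerifyIntegrity(bench.PCRs, MeasuredBoot(changed)))
	pcr4 := bench.PCRs[4]
	fmt.Println("benchmark PCR 4 prefix:", hex.EncodeToString(pcr4[:8]))
}
```

Because Extend folds the previous PCR value into every new one, the final PCR value commits to the whole sequence of modules loaded into it, not just the set; the test below checks that reversing two extends produces a different digest.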