Google has released more details on Shielded VMs, a suite of security tools and techniques that the company announced recently for protecting enterprise cloud workloads against malicious software and other cyber-threats at the hardware and firmware levels.
Google rolled out Shielded VMs in beta at its Cloud Next partner conference last month. According to the company the technology offers enterprises a high degree of assurance that workloads running on Google’s cloud have not been penetrated by firmware rootkits and boot malware.
Shielded VMs also ensures that when a VM boots up for the first time it is running code that has not been previously tampered with, the company has noted.
In an Aug. 6 blog August, Google Cloud’s senior product manager Nelly Porter and technical program manager Sergey Simakov described Shielded VMs as offering protection against a range of threats that are becoming increasingly common in cloud environments. These include insider attacks and compromises; attacks exploiting malicious drivers and guest firmware; and vulnerabilities at the guest VM kernel or user-model level.
“Unfortunately, these threats can stay undetected for a long time, and the infected virtual machine continues to boot in a compromised state even after you’ve installed legitimate software,” Porter and Simakov said.
Shielded VMs provide a variety of security features including trusted firmware based on Unified Extended Firmware Interface (UEFI) version 2.3.1. UEFI data tables contain information that the operating system and operating system loader use for securely booting up an operating system and for running so-called pre-boot applications. The new UEFI-based firmware will replace the legacy BIOS subsystems that have typically been used for this process on Google cloud platform.
A virtual Trusted Platform Module (TPM) is another key security feature of Shielded VMs. The vTPM validates boot-level and pre-boot-level integrity of guest VMs in a cloud environment and also generates and protects the encryption keys.
The vTPM also enables the guest operating system to generate keys and other security codes for protecting the integrity of the environment before, during and after the boot-up process. Porter and Simakov described Google’s custom vTPM as being fully compatible with the Trusted Computing Group’s industry standard specifications for TPMs.
Secure Boot and Measured Boot are two other security features behind Shielded VMs. The former helps ensure that a VM only runs previously vetted, fully trusted software while the Measured Boot feature provides greater visibility into the integrity of the VM boot process, the two Google managers wrote.
In order to get a Shielded VM up and running, the TPM first verifies the production server hosting the VM is using known firmware when booting up. Once that step is complete the TPM then verifies that the server boots-up a secure, Google-approved operating system image and has the credentials required to load the host OS and hypervisor.
The virtual machine’s UEFI firmware ensures the image is configured properly and loads more software, which in turn installs a Shielded OS image into system memory before handing off execution control to the guest operating system, Porter and Simakov said.
The guest OS then continues loading digitally signed kernel drivers and validates them using the vTPM. “Once those steps are complete, you have a fully loaded Shielded VM up and running,” they said.