Himanshu Raj, David Robinson, Talha Bin Tariq, Paul England, Stefan Saroiu, and Alec Wolman
16 December 2011
This paper presents the Credo architecture to enable
trustworthy virtualization based cloud computing platforms.
A key feature of Credo is a small platform Trusted Computing
Base (TCB) for a customer VM that consists only of a
securely launched hypervisor and minimal hardware components,
without any privileged partitions and their administrators.
Credo achieves this reduction in TCB via emancipation,
a mechanism that provides VMs enhanced secrecy
and integrity protection guarantees from privileged partitions.
Trust in an emancipated VM is established via its measured
launch by the hypervisor and an attestation of a dynamically
established trust chain rooted in the Trusted Platform
Module (TPM). Experimental results from a prototype
implementation based on Hyper-V demonstrate that Credo
provides enhanced security guarantees to emancipated VMs
at a modest cost, most of which is a one-time startup cost
from a VM’s perspective, while adding only a small amount
of code to a VM’s TCB.