Hardware-based Security for Virtual Trusted Platform Modules
This addresses security concerns for virtualized environments needing multiple TPMs, but it is incremental as it builds on existing hardware-based principles.
The paper tackles the security weakness of virtual Trusted Platform Modules (TPMs) by proposing hardware-based binding for virtual Platform Configuration Registers (PCRs) to maintain a hardware root of trust, and it implements and evaluates two binding variants on FPGA with performance results.
Virtual Trusted Platform modules (TPMs) were proposed as a software-based alternative to the hardware-based TPMs to allow the use of their cryptographic functionalities in scenarios where multiple TPMs are required in a single platform, such as in virtualized environments. However, virtualizing TPMs, especially virutalizing the Platform Configuration Registers (PCRs), strikes against one of the core principles of Trusted Computing, namely the need for a hardware-based root of trust. In this paper we show how strength of hardware-based security can be gained in virtual PCRs by binding them to their corresponding hardware PCRs. We propose two approaches for such a binding. For this purpose, the first variant uses binary hash trees, whereas the other variant uses incremental hashing. In addition, we present an FPGA-based implementation of both variants and evaluate their performance.