Leveraging hardware-assisted TEEs to protect host secrets in an OS-level virtualization environment

Protecting long-term secrets using AMD SEV

Student: Martin Radev

Advisor: Christian Epple April 30, 2020

Disk encryption provides protection against unauthorized access by having data on disk always be stored encrypted. Current disk encryption methods require that a user has to provide before or after boot a cryptographic key which is stored in the Kernel’s physical memory in plain text. The latter is necessary since the kernel is responsible for reading from and writing to disk during the its lifetime. This approach is susceptible to cold boot attacks where the unauthorized user can also read directly the physical memory to locate the cryptographic key. With the growing trend of using Non-Volatile RAM (NVRAM) this allows an attacker with physical access to steal both the physical memory and the encrypted disk, and just then scrape physical memory.

In 2016, AMD introduced the Secure Encrypted Virtualization (SEV) extension which enables the creation of Virtual Machines (VM) protected from the Hypervisor (HV) through physical memory encryption. Later AMD released the Encrypted State (SEV- ES) extension which also encrypts the VMs register state. The encrytion key used for decryption is stored in the SRAM of the Platform Security Processor (PSP) and is never accessible by the HV or the Guest. The PSP is responsible for transparently decrypting and encrypting the VMs memory when accessed by the VM. Because the PSP stores crit- ical information for the execution of the VM, The relocation of the VM to another CPU follows a multi-stage process with the collaboration of the HV and the VM user.

This goal of this Master thesis is to design and develop a Proof-of-Concept solution for storing disk encryption keys and other long terms secrets within a SEV-protected VM. With this approach, the encryption decryption of sensitive data would be delegated to the SEV-protected VM. The VM would communicate the decrypted or encrypted information back to the HV without ever disclosing the long-term secret. This design provides ad- ditional hardening against cold boot attacks since an attacker would have to extract the secret key from the VM while it is still running.

The first goal in this Master thesis is to design an interface for delegating encryption and decryption operations to a SEV-protected VM. The VM would run a supported Linux distribution and have the necessary modifications to support this work. The second goal in this Master thesis is to design a minimal kernel to run within a SEV-protected VM and handle the encryption and decryption operations. Such an approach would be interesting since it would require less memory to operate, it would reduce complexity in the VM’s kernel and would likely offer better performance.

1

Linux is a prevalent kernel containing millions lines of complex code, whose correctness
and security is difficult to verify. In the Linux kernel, thousands of bugs are discovered
each year and hundreds are considered having a security impact.

One security-critical component of the Linux kernel is the Kernel Crypto API (KCAPI),
which is used by various security-related components to store encryption keys and
to perform cryptographic operations. If an attacker can exploit a memory disclosure
vulnerability in Linux to steal the encryption keys, the attacker may be able to read
the content of encrypted storage mediums, or to read and modify messages over
encrypted communication channels. For this reason, various academic solutions have
been proposed for protecting cryptographic secrets in Linux, but their applicability and
performance can vary significantly.

This thesis researches, designs and implements a new solution — SE-Vault — for
protecting cryptographic secrets by storing the secrets in a Trusted Execution Environ-
ment (TEE) and by performing the cryptographic transformations within it. The TEE is
built as a Virtual Machine (VM) whose memory is encrypted with the AMD Secure
Encrypted Virtualization (SEV) hardware feature. By using SEV, SE-Vault transparently
addresses memory disclosure attacks through hardware-assisted memory encryption,
and additionally hardens the cryptographic component against other attack vectors.

In this work, two implementations of the TEE are presented: one using a Linux VM with
built-in SEV support, and one using the seL4 microkernel to which I added SEV support.
Both implementations use the Vhost and VirtIO interfaces for efficient communication
of encryption keys and encryption requests. An empirical security and performance
evaluation shows that SE-Vault can protect various Host cryptographic secrets against
memory disclosure attacks, and can outperform significantly other similar solutions in
request throughput. The solution can protect disk encryption keys, keys registered to
the KCAPI and OpenSSL keys, while performance is degraded by around 50%.