简体繁体 English

来宾所有者在 Google 机密虚拟机中如何生成磁盘加密密钥？

[英]How is the Disk Encryption Key generated by the guest owner in Google confidential VMs?

原文 2020-07-29 20:30:51 4 3 google-cloud-platform/ confidential-vm-tag

according to the AMD SEV API specification [1], the guest owner authenticates the AMD platform and verifies the integrity measurement of the launched VM guest, and later encrypts the disk encryption key and sends it to the guest (this flow is shown in Appendix A).根据 AMD SEV API 规范 [1]，来宾所有者对 AMD 平台进行身份验证并验证启动的 VM 来宾的完整性测量，然后加密磁盘加密密钥并将其发送给来宾（此流程如附录 A 所示）。 However, when searching through the docs of Google confidential VM [2] I could not find any information about either authenticating the platform or sending the wrapped disk encryption keys to the guest.但是，在搜索 Google 机密 VM [2] 的文档时，我找不到任何有关验证平台或将打包的磁盘加密密钥发送给来宾的信息。

My specific question is: in the Google Confidential VM implementation, which party generates the disk encryption key?我的具体问题是：在 Google Confidential VM 实施中，由哪一方生成磁盘加密密钥？ How can the guest owner verify the launch and generate the disk encryption key?来宾所有者如何验证启动并生成磁盘加密密钥？ If the key is generated by the firmware under the platform provider's control, Google Cloud Platform (GCP) in this case, then the user does not gain any additional security/privacy protection from GCP insiders (as claimed in the docs [2]).如果密钥是由平台提供商控制下的固件生成的，在这种情况下是谷歌云平台（GCP），那么用户不会从 GCP 内部人员那里获得任何额外的安全/隐私保护（如文档 [2] 中所述）。

PS A bug in the docs: to get support one is advised to post on Stack Overflow with the "confidential-vm-tag" [3], however, no such tag exists as of 2020-07-29. PS 文档中的一个错误：为了获得支持，建议使用“confidential-vm-tag”[3] 在 Stack Overflow 上发布，但是，截至 2020 年 7 月 29 日，不存在这样的标签。

[1] AMD Secure Encrypted Virtualisation API v0.24 https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.pdf [1] AMD 安全加密虚拟化 API v0.24 https://www.amd.com/system/files/TechDocs/55766_SEV-KM_API_Specification.Z437009419374E4DEE

[2]https://cloud.google.com/compute/confidential-vm/docs/about-cvm [2]https://cloud.google.com/compute/confidential-vm/docs/about-cvm

[3] https://cloud.google.com/compute/confidential-vm/docs/getting-support [3] https://cloud.google.com/compute/confidential-vm/docs/getting-support

3 个解决方案

Technically , the answer to the questions depends on which of three available approaches is chosen:从技术上讲，问题的答案取决于选择了三种可用方法中的哪一种：

Google-managed keys; Google 管理的密钥；
Customer-managed;客户管理；
Customer-supplied.客户提供。

Practically , data protection issues are rarely purely technical.实际上，数据保护问题很少是纯粹的技术问题。 Crucial points are the data sensitivity level and Data Protection and Privacy agreement between the customer and the cloud provider.关键点是客户与云提供商之间的数据敏感度级别以及数据保护和隐私协议。 In other words, whether the customer can trust Google in terms of data protection, or due to the existing compliance policies the Cloud is considered as a hostile environment.换句话说，客户是否可以在数据保护方面信任谷歌，或者由于现有的合规政策，云被认为是一个敌对的环境。

Google-managed keys (default). Google 管理的密钥（默认）。 Google uses its infrastructure to generate and manage keys for the customer automatically. Google 使用其基础架构自动为客户生成和管理密钥。 The customer has no control over the encryption keys.客户无法控制加密密钥。
Customer-managed keys (CMEK).客户管理的密钥(CMEK)。 Google uses its infrastructure to create, maintain and rotate keys for the customer. Google 使用其基础架构为客户创建、维护和轮换密钥。 But CMEK gives the customer control over the keys via Cloud KMS .但 CMEK 让客户通过Cloud KMS控制密钥。 KMS used for CMEK is a cloud-hosted service that helps customers to ensure the lifecycle of encryption keys: generate, rotate, disable, revoke.用于 CMEK 的 KMS 是一项云托管服务，可帮助客户确保加密密钥的生命周期：生成、轮换、禁用、撤销。 Thus the customer gets more control over protected data, because the customer, for instance, can quickly terminate access to data by disabling or destroying the CMEK key.因此，客户可以更好地控制受保护的数据，因为例如，客户可以通过禁用或销毁 CMEK 密钥来快速终止对数据的访问。
Customer-supplied keys (CSEK).客户提供的密钥(CSEK)。 Data is encrypted using the keys owned by the customer.使用客户拥有的密钥对数据进行加密。 These keys are not sent to Google, but are stored and managed outside of the Google Cloud Platform.这些密钥不会发送给 Google，而是在 Google Cloud Platform 之外存储和管理。 Key maintenance, rotation and deprecation is the responsibility of the customer.密钥维护、轮换和弃用是客户的责任。

The downside of the customer-managed or customer-supplied keys is that access to the encrypted data can be lost due to an unintentional deletion or loss of the key.客户管理或客户提供的密钥的缺点是，由于无意删除或丢失密钥，可能会丢失对加密数据的访问。

Cloud HSM .云 HSM 。 Encryption keys can be securely stored on a fully managed Hardware Security Modules in Google datacenters.加密密钥可以安全地存储在 Google 数据中心内完全托管的硬件安全模块中。 Customers are provided with strong guarantees that their keys cannot leave the boundary of certified HSMs, and that their keys cannot be accessed by malicious persons or insiders.向客户提供强有力的保证，即他们的密钥不会离开经过认证的 HSM 的边界，并且他们的密钥不会被恶意人员或内部人员访问。 Permissions on key resources are managed with IAM.对关键资源的权限由 IAM 管理。

Update更新

The document [1] provided by AMD is a technical preview. AMD 提供的文档[1]是技术预览版。 It shouldn't be considered as an established standard.它不应被视为既定标准。 That is why the cloud providers are not required to strictly follow this specification, and the offering "Confidential VM" based on a technical preview is reasonably in Beta.这就是为什么云提供商不需要严格遵守这个规范，并且基于技术预览提供的“机密虚拟机”在 Beta 中是合理的。

For those who is concerned in verifying the platform by following the example implementation from the AMD's technical preview, Google provides a validation mechanism对于那些关心通过遵循 AMD 技术预览中的示例实现来验证平台的人，谷歌提供了一种验证机制

Google Cloud > Confidential VM > Doc > Validating Confidential VMs using Cloud Monitoring : Google Cloud > Confidential VM > Doc > Validating Confidential VMs using Cloud Monitoring ：

Cloud Monitoring and Cloud Logging let you monitor and validate your Confidential VM instances. Cloud Monitoring 和 Cloud Logging 可让您监控和验证您的机密虚拟机实例。
Integrity monitoring is a feature of both Shielded VM and Confidential VM that helps you understand and make decisions about the state of your VM instances.完整性监控是受防护 VM 和机密 VM 的一项功能，可帮助您了解 VM 实例的 state 并做出决定。
You can view integrity reports in Cloud Monitoring and set alerts on integrity failures .您可以在 Stackdriver Monitoring 中查看完整性报告并设置完整性失败警报。 You can review the details of integrity monitoring results in Cloud Logging.您可以在 Cloud Logging 中查看完整性监控结果的详细信息。
Confidential VM generates a unique type of integrity validation event, called a launch attestation report event .机密 VM 生成一种独特类型的完整性验证事件，称为启动证明报告事件。 Every time an AMD Secure Encrypted Virtualization (SEV) -based Confidential VM boots, a launch attestation report event is generated as part of the integrity validation events for the VM.每次启动基于 AMD 安全加密虚拟化 (SEV) 的机密 VM 时，都会生成启动证明报告事件作为 VM 完整性验证事件的一部分。

AMD SEV does not deal with the generation of disk encryption keys. AMD SEV 不处理磁盘加密密钥的生成。 Within the CSEK approach the keys are generated by the customer.在 CSEK 方法中，密钥由客户生成。 The AMD SEV role is to provide a safe environment with the encrypted memory in order to protect the customer supplied key while in use . AMD SEV 的作用是使用加密的 memory 提供安全环境，以便在使用时保护客户提供的密钥。 To safely encrypt memory, AMD SEV relies on the 2nd Gen AMD EPYC™ processors.为了安全地加密 memory，AMD SEV 依赖于第二代 AMD EPYC™ 处理器。 "These keys are generated by the AMD Secure Processor during VM creation and reside solely within it , making them unavailable to Google or any VMs running on the host ." “这些密钥是由 AMD 安全处理器在创建 VM 期间生成的，并且仅驻留在其中，因此Google 或主机上运行的任何 VM 都无法使用它们。”

Please see links below for more details:请查看以下链接了解更多详情：
Google Cloud Blog > Introducing Google Cloud Confidential Computing with Confidential VMs Google Cloud 博客 > 使用机密虚拟机介绍 Google Cloud 机密计算
Google Cloud > Confidential VM > Doc > Confidential VMs and Compute Engine Google Cloud > 机密虚拟机 > 文档 > 机密虚拟机和计算引擎
Google Cloud > Compute Engine > Doc > Encrypt disks with customer-supplied encryption keys Google Cloud > Compute Engine > Doc > 使用客户提供的加密密钥加密磁盘
SUSE > AMD Secure Encrypted Virtualization (AMD-SEV) Guide SUSE > AMD 安全加密虚拟化 (AMD-SEV) 指南

mebius99's answer is correct. mebius99 的回答是正确的。 I think, based on your reply, that you expect something unique for Confidential VMs.我认为，根据您的回复，您期望机密虚拟机有一些独特的东西。 This is not the case, and ultimately why Confidential VMs are so powerful...you don't need to drastically change your existing tooling/orchestration.事实并非如此，这也是机密虚拟机如此强大的最终原因……您无需彻底改变现有的工具/编排。 Google's implementation is flexible so you can use disk encryption in a variety of ways... But Google does not allow users to give the LAUNCH_SECRET per the AMD doc. Google 的实施很灵活，因此您可以通过多种方式使用磁盘加密……但 Google 不允许用户根据 AMD 文档提供 LAUNCH_SECRET。

I don't think this is "going against the spec", Appendix A of the AMD spec says AMD 规范的附录 A 说，我不认为这“违反规范”

The following flow charts are provided to illustrate how the usage of the SEV API might be implemented.提供以下流程图来说明 SEV API 的使用可能如何实现。 Note that these are only examples and there may be other implementation strategies.请注意，这些只是示例，可能还有其他实施策略。

Unless I am completely missing the boat on what you are asking...除非我完全错过了你所要求的船......

I totally agree with Nico.我完全同意尼科。 One way would be to extract PDH and PEK keys from Confidential VM but so far, I have not found any way to do this.一种方法是从机密 VM 中提取 PDH 和 PEK 密钥，但到目前为止，我还没有找到任何方法来做到这一点。