GCP 中机密虚拟机的“sevLaunchAttestationReportEvent”日志条目中的“finalDigest”是如何计算的?
[英]How is the 'finalDigest' calculated in the 'sevLaunchAttestationReportEvent' log entry for confidential VMs in GCP?
问题描述
I've experimented with launching some confidential VM instances.
我已经尝试启动一些机密的 VM 实例。 The simple scenario includes:简单的场景包括:
- Launch an instance named 'Alice'.启动一个名为“Alice”的实例。
- Stop and relaunch instance 'Alice'.停止并重新启动实例“Alice”。
- Delete instance 'Alice', create a new VM instance named 'Alice'删除实例“Alice”,创建一个名为“Alice”的新虚拟机实例
I checked the 'sevLaunchAttestationReportEvent' log entry.我检查了“sevLaunchAttestationReportEvent”日志条目。 As expected, in all three cases the 'guestMemoryRegion' digest was identical in all cases.正如预期的那样,在所有三种情况下,“guestMemoryRegion”摘要在所有情况下都是相同的。
However, the 'finalDigest' was different in all three cases.但是,“finalDigest”在所有三种情况下都不同。 My questions are: A. How is the 'finalDigest' calculated?我的问题是: A. 'finalDigest' 是如何计算的? B. What is the purpose of a 'finalDigest' that is different at each launch of an identical VM image? B. 每次启动相同 VM 映像时都不同的“finalDigest”的目的是什么? C. Can the 'finalDigest' be pre-calculate before instantiation? C. 可以在实例化之前预先计算“finalDigest”吗?
Thanks.谢谢。
1 个解决方案
解决方案1
1 2020-09-03 17:20:13
First of all, a Confidential Virtual Machine runs on hosts based on the second generation of AMD Epyc processors, it is optimized for security workloads and includes inline memory encryption that ensures that data is encrypted while it's in RAM.首先,机密虚拟机在基于第二代 AMD Epyc 处理器的主机上运行,它针对安全工作负载进行了优化,并包括内联内存加密,可确保数据在 RAM 中时得到加密。 You can consult the following documentation to get further information.您可以查阅以下文档以获取更多信息。
Regarding your questions:关于您的问题:
A. How is the 'finalDigest' calculated? A. 'finalDigest' 是如何计算的? To calculate the digest value, a Digest Algorithm you can be use, those algorithms could be:要计算摘要值,您可以使用摘要算法,这些算法可以是:
- SHA-1 SHA-1
- SHA-256 SHA-256
- SHA-384 SHA-384
- SHA-512 SHA-512
- MD5 MD5
They are functions to take a large document and compute a "digest" (also called "hash"), this is typically used in a digital signing process.它们是获取大型文档并计算“摘要”(也称为“哈希”)的函数,这通常用于数字签名过程。
B. What is the purpose of a 'finalDigest' that is different at each launch of an identical VM image? B. 每次启动相同 VM 映像时都不同的“finalDigest”的目的是什么?
A message digest or hash function is used to turn input of arbitrary length into an output of fixed length and this output can then be used in place of the original input, and the digest can be changed every time that the VM instance is turned on because some changes were executed internally in the instance.消息摘要或哈希函数用于将任意长度的输入转换为固定长度的输出,然后可以使用此输出代替原始输入,并且每次打开 VM 实例时都可以更改摘要,因为一些更改是在实例内部执行的。 I mean, the hash algorithm takes into consideration those changes, even though a single byte is changed the digest or hash will change completely.我的意思是,散列算法考虑了这些变化,即使单个字节发生变化,摘要或散列也会完全改变。
C. Can the 'finalDigest' be pre-calculate before instantiation? C. 可以在实例化之前预先计算“finalDigest”吗? In my opinion this is not feasible because the digest algorithm is a one-way function, that is, a function which is practically infeasible to invert.在我看来,这是不可行的,因为摘要算法是一种单向函数,即实际上不可能求逆的函数。
You can get more information about the hash functions on this link .您可以在此链接上获得有关散列函数的更多信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.