如何使用 GCP Shielded VM 的加密和签名密钥

Question

I am wondering how signing key and encryption key of a gcp shielded VM instance can be used? I am thinking of using the encryption key (ekPub) to encrypt an arbitrary blob of data and be sure only the the associated gcp instance can decrypt it. But I am not sure how to ask vTPM to decrypt the encrypted data?

Answer 1

Shielded VM and Confidential computing are 2 different features on Google Cloud.

Shielded VM check at startup is any component has been tampered and can lead to a dataleak (through malware/backdoor)

Confidential Computing automatically create a cryptographic key at startup. This key is used to cipher all the data in memory. The data are only decipher inside the CPU, while processing.

When the data are written on disk, the data are get from encrypted memory, decipher in the CPU and written in plain text on the disk, which is automatically encrypted (but by another process, not by the CPU)

You have nothing to do, it's automatic!

Answer 2

Background and Definitions

The endorsement key (EK) is a key on TPM2.0 that is used for attestation. The EK typically comes with a certificate signed by the manufacturer (note, not available on GCE instances) stating that the TPM is a genuine TPM[1]. However, the TCG had privacy concerns around attestation with one signing key. So, they decided to make the endorsement key an encryption key. The ActivateCredential flow[2] is typically used to trust a new signing key. This sidesteps the privacy concerns by allowing the use of a privacy CA to create an AK cert endorsing that the EK and AK are on the same TPM. GCE creates an AK by default that allows users to avoid this process by using the get-shielded-identity API.

Decryption

There are a few ways to encrypt data using the endorsement key.

Since the EK is restricted [3], you have to jump through some hoops to easily use it. Restricted here means the key cannot be used for general decryption. Rather, they are used for storage/wrapping TPM objects. A storage key is typically a restricted decryption key.

Here are some ways you can get around this problem:

1. Use TPM2_Import and TPM2_Unseal (Part 3 of the TPM spec [3])

TPM2_Import has the TPM decrypt an external blob (public and private) with a storage key. Then, the user can load that object under the storage key and use. TPM2_Unseal returns the secret within the sealed blob. The flow is roughly the following:

1. A remote entity creates a blob containing a private part and a corresponding public part. The private part contains the original secret to decrypt.
2. Remote entity uses an EK to wrap a seed for a known KDF that derives a symmetric and HMAC key.
3. Use seed and KDF derived key to encrypt the private part. This is the "duplicate" blob.
4. Send duplicate, public, and encrypted seed to the VM.
5. TPM2_Import on duplicate, public, and encrypted seed with handle for the EK.
6. TPM2_Load on public and outPrivate (decrypted private) from TPM2_Import.
7. TPM2_Unseal on the object handle, secret will be in outData.

This is all done for you in https://github.com/google/go-tpm-tools . All you need is to pass in the PEM, decode it, and parse it into a public key. Then you can use server.CreateImportBlob . Send the output blob to the VM. On the client side, use EndorsementKeyRSA (or EndorsementKeyECC ) to create a go-tpm-tools key. Use key.Import with the blob.

Specifically, see https://pkg.go.dev/github.com/google/go-tpm-tools/server#CreateImportBlob and https://pkg.go.dev/github.com/google/go-tpm-tools/tpm2tools#Key.Import

Note package tpm2tools was recently renamed client, but this is not yet a public release.

2. Use TPM2_ActivateCredential (TPM spec, Part 3)

ActivateCredential allows you to verify a key is co-resident with another. Again, while this is typically used for attestation, you can use this to create an asymmetric key pair for general decryption.

1. In this scenario, the VM would generate an unrestricted decryption key on the TPM.
2. The server then generates the ActivateCredential challenge with the known templates of the EK and the decryption key.
3. If the decryption key's properties match, the TPM can fetch the challenge secret and return it to the server.
4. The server, upon receiving the successful response, can rely on the corresponding public key generated in the challenge and encrypt data to the VM.

One thing you may notice is, if you only want to decrypt a few times, you can just use the challenge secret as the plaintext.

You would need to stitch this together usinghttps://pkg.go.dev/github.com/google/go-tpm/tpm2/credactivation and https://pkg.go.dev/github.com/google/go-tpm/tpm2#ActivateCredential , as I don't currently know of tooling that supports this out of the box.

References

[1] EK specification: https://trustedcomputinggroup.org/resource/tcg-ek-credential-profile-for-tpm-family-2-0/

[2] Credential activation: https://github.com/google/go-attestation/blob/master/docs/credential-activation.md

[3] TPM spec: https://trustedcomputinggroup.org/resource/tpm-library-specification