KVM Forum 2021 has ended
Virtual Event | September 15-16, 2021

Thursday, September 16 • 13:35 - 14:00
Securing Linux VM boot with AMD SEV measurement - Dov Murik & Hubertus Franke, IBM Research

Booting Linux guests with AMD SEV using a kernel and initrd supplied by the VMM currently breaks the Confidential Computing promise: the binaries are supplied by the VMM, which is outside the trusted domain. However, this mode of guest booting is convenient for both the platform provider and the guest owner, as usually the kernel and initrd binaries are not confidential. We introduce a way to harness SEV memory measurement and secret injection at startup to verify that the kernel and initrd supplied by the VMM are indeed approved by the guest owner, thus making this way of booting SEV guests secure for Confidential Computing workloads. The presentation will explain the boot process in the VMM and guest, the integrity checks added in OVMF, and the layouts of secret injection memory areas. We will present the current upstream status of OVMF and QEMU patches, as well as cover possible attack scenarios and mitigations.

Dov Murik

Research Staff Member, IBM
Dov Murik is a Research Staff Member in IBM Research, working on various aspects of information and system security, and recently focusing on confidential computing. Previously he worked on malware detection, phishing prevention, and AI security. Before that he was part of IBM Trusteer...
Hubertus Franke

Distinguished Research Staff Member, IBM Research
Dr. Hubertus Franke has been a Distinguished Research Staff Member at the IBM T.J. Watson Research Center since 1993. His current work and interests are in the areas of operating systems, virtualization, processor architectures, cloud runtimes and security. Some time back he has also...

Thursday September 16, 2021 13:35 - 14:00 UTC
  KVM Track 1
  • Presentation Slides Attached: Yes