Title of invention |
Attestation protocol for securely booting a guest operating system |
Abstract |
In a cloud computing environment, a production server virtualization stack is minimized to present fewer security vulnerabilities to malicious software running within a guest virtual machine. The minimal virtualization stack includes support for those virtual devices necessary for the operation of a guest operating system, with the code base of those virtual devices further reduced. Further, a dedicated, isolated boot server provides functionality to securely boot a guest operating system. The boot server is isolated through use of an attestation protocol, by which the boot server presents a secret to a network switch to attest that the boot server is operating in a clean mode. The attestation protocol may further employ a secure co-processor to seal the secret, so that it is only accessible when the boot server is operating in the clean mode. |
Publication number |
US9477486(B2) |
Publication date |
2016.10.25 |
Application number |
US201414462113 |
Application date |
2014.08.18 |
Applicant |
Microsoft Technology Licensing, LLC |
Inventors |
Raj Himanshu;Saroiu Stefan;Wolman Alastair;England Paul;Nguyen Anh M.;Rayanchu Shravan |
Classification numbers |
G06F9/44;G06F9/45;G06F21/57;G06F21/50;G06F21/53;G06F9/455 |
Main classification number |
G06F9/44 |
Agency |
|
Agents |
Wight Stephen A.;Yee Judy;Minhas Micky |
Independent claim |
1. A method comprising:
receiving at a boot server device a first image file of a virtual machine (VM) from an external device, the first image file of the VM including a guest operating system (OS) to be booted; disabling a connection between the boot server device and the external device; booting the guest OS on the boot server device as a booted guest OS; saving a second image file of the VM, the second image file of the VM including the booted guest OS; restoring the connection between the boot server device and the external device, including employing an attestation protocol to attest to a particular software configuration of the boot server device by providing a second address for a network interface of the boot server device; and providing the second image file to the external device. |
Address |
Redmond WA US |