Virtual machine validation

摘要

A system, method, and computer program product for providing validation of the compliance of a trusted host environment with a requirement of a virtual machine (VM). The system includes: a store component for cryptographically storing configuration data associated with the trusted host environment in at least one cryptographic data structure; a send component, responsive to the store component storing the configuration data, for sending the at least one cryptographic data structure to a control component; an analyze component, responsive to the control component receiving the at least one cryptographic data structure, for analyzing the at least one cryptographic data structure; a compare component, responsive to the analyze component determining the configuration data, for comparing the configuration data with the requirement; and a verify component, responsive to the compare component determining that the configuration data matches the requirement, for allowing verification of the VM.

主权项

1. A method of validating compliance of a trusted host environment with a requirement of a virtual machine (VM), the method comprising:
cryptographically storing configuration data generated by the VM during bring-up of the VM in the trusted host environment in at least one cryptographic data structure of a computer memory of a computer system; following bring-up of the VM running in the trusted host environment and in response to receiving the at least one cryptographic data structure, processing hardware of the computer system analyzing the at least one cryptographic data structure to determine the configuration data, wherein the configuration data determined by the analyzing includes event details of bring-up of the VM and actual configuration register values; the processing hardware simulating events utilizing the event details determined by the analyzing to establish simulation configuration register values; in response to determining the configuration data, the processing hardware comparing the configuration data with the requirement, wherein the comparing includes comparing the actual configuration register values with the simulated configuration register values; the processing hardware signaling that the host environment is not trusted responsive to determining that the actual configuration register values do not match the simulated configuration register values; and in response to determining that the configuration data matches the requirement, the processing hardware allowing verification of the VM fully brought up and running in the trusted host environment.