CCxTrust: Confidential Computing Platform Based on TEE and TPM Collaborative Trust
Saved in:
Main authors: | Shang, Ketong; Lin, Jiangnan; Qin, Yu; Shen, Muyan; Ma, Hongzhan; Feng, Wei; Feng, Dengguo |
---|---|
Format: | Article |
Language: | eng |
Subjects: | Computer Science - Cryptography and Security |
Online access: | Order full text |
Field | Value |
---|---|
creator | Shang, Ketong; Lin, Jiangnan; Qin, Yu; Shen, Muyan; Ma, Hongzhan; Feng, Wei; Feng, Dengguo |
description | Confidential Computing has emerged to address data security challenges in cloud-centric deployments by protecting data in use through hardware-level isolation. However, reliance on a single hardware root of trust (RoT) limits user confidence in cloud platforms, especially for high-performance AI services, where end-to-end protection of sensitive models and data is critical. Furthermore, the lack of interoperability and a unified trust model in multi-cloud environments prevents the establishment of a cross-platform, cross-cloud chain of trust, creating a significant trust gap for users with high privacy requirements. To address the challenges mentioned above, this paper proposes CCxTrust (Confidential Computing with Trust), a confidential computing platform leveraging collaborative roots of trust from TEE and TPM. CCxTrust combines the black-box RoT embedded in the CPU-TEE with the flexible white-box RoT of TPM to establish a collaborative trust framework. The platform implements independent Roots of Trust for Measurement (RTM) for TEE and TPM, and a collaborative Root of Trust for Report (RTR) for composite attestation. The Root of Trust for Storage (RTS) is solely supported by TPM. We also present the design and implementation of a confidential TPM supporting multiple modes for secure use within confidential virtual machines. Additionally, we propose a composite attestation protocol integrating TEE and TPM to enhance security and attestation efficiency, which is proven secure under the PCL protocol security model. We implemented a prototype of CCxTrust on a confidential computing server with AMD SEV-SNP and TPM chips, requiring minimal modifications to the TPM and guest Linux kernel. The composite attestation efficiency improved by 24% without significant overhead, while Confidential TPM performance showed a 16.47% reduction compared to standard TPM. |
doi_str_mv | 10.48550/arxiv.2412.03842 |
format | Article |
fulltext | fulltext_linktorsrc |
identifier | DOI: 10.48550/arxiv.2412.03842 |
language | eng |
recordid | cdi_arxiv_primary_2412_03842 |
source | arXiv.org |
subjects | Computer Science - Cryptography and Security |
title | CCxTrust: Confidential Computing Platform Based on TEE and TPM Collaborative Trust |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-24T06%3A07%3A32IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-arxiv_GOX&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=CCxTrust:%20Confidential%20Computing%20Platform%20Based%20on%20TEE%20and%20TPM%20Collaborative%20Trust&rft.au=Shang,%20Ketong&rft.date=2024-12-04&rft_id=info:doi/10.48550/arxiv.2412.03842&rft_dat=%3Carxiv_GOX%3E2412_03842%3C/arxiv_GOX%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true |