introducing shielded vms - · pdf filecontoso.com virtual machine manager domain ... raw code...
TRANSCRIPT
EXPERTS LIVE
SUMMER NIGHT
Introducing Shielded VMs
Raymond P.L. Comvalius
@nextxpert
Sander Berkouwer
@sanderberkouwer
EXPERTS LIVE
SUMMER NIGHT
Raymond Comvalius
IT Infrastructure Architect
Microsoft MVP
Microsoft Certified Trainer
Independent since 1998
EXPERTS LIVE
SUMMER NIGHT
Sander Berkouwer
Senior Consultant
Microsoft MVP
Veeam Vanguard
Microsoft Certified Trainer
EXPERTS LIVE
SUMMER NIGHT What is the issue?
Who owns your Virtual Machines (VMs)?
Ten immutable laws of security:“Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.”
Is this still true?
EXPERTS LIVE
SUMMER NIGHT Destination Shielded VM
Separate the tenant from the fabric
▪FabricVM
Host
▪TenantVM
EXPERTS LIVE
SUMMER NIGHT Wasn’t BitLocker the solution?
Encrypted Virtual Machine
Questions
■vTPM to the rescue?
■Can we trust the VM host?
■What about Live Migration?
■Hyper-V Integration Tools as backdoors
EXPERTS LIVE
SUMMER NIGHT TPM and vTPM
The Trusted Platform Module (TPM) is our
digital safe, used for:
■BitLocker Drive Encryption
■Secure Boot / Measured Boot
■TPM v1.2 vs. TPM v2.0
EXPERTS LIVE
SUMMER NIGHT vTPM
Part of the VM Resource State
Available since Windows 10 Anniversary
Update (1607)
Runs in Isolated User Mode
(Virtualization-based Security)
Does NOT require a physical TPM
EXPERTS LIVE
SUMMER NIGHT Virtualization Based Security
Kernel
Windows Platform Services
Apps
Kernel
SystemContainer
Iso
late
dU
ser
Mo
de
Tru
stle
t#
2
Tru
stle
t#
3
Hypervisor
Device Hardware
Windows Operating System
Hyper-VHyper-V
EXPERTS LIVE
SUMMER NIGHT The Host Guardian Service (HGS)
An external authority in a guarded fabric that verifies the health of guarded hosts, and controls the release of keys required to start or live migrate a Shielded VM.
A way to verify a host is in a healthy state.
A process to securely release keys to healthy hosts.
EXPERTS LIVE
SUMMER NIGHT Guarded Hosts
Windows Server 2016 Datacenter Hyper-V hosts capable of running Shielded VMs if and only if they can prove they are running in a known, trusted state to an external authority.
A place to run Shielded VMs, that is free from malicious software.
secure.contoso.com
Host Guardian Service Cluster
contoso.com
Virtual Machine Manager
Domain Controller(s)
Hyper-V Hosts
Microsoft SQL Server
secure.contoso.com
Host Guardian Service Cluster
contoso.com
Virtual Machine Manager
Domain Controller(s)
Hyper-V Hosts
Microsoft SQL Server
Windows Azure Pack
Service Provider Foundation
secure.contoso.com
Host Guardian Service Cluster
contoso.com
Virtual Machine Manager
Domain Controller(s)
Hyper-V and Guarded Hosts
Microsoft SQL Server
Windows Azure Pack
Service Provider Foundation
secure.contoso.com
Host Guardian Service Cluster
contoso.com
Virtual Machine Manager
Domain Controller(s)
Hyper-V and Guarded Hosts
Microsoft SQL Server
Windows Azure Pack
Service Provider Foundation
EXPERTS LIVE
SUMMER NIGHT
Let’s build a Guarded FabricStep-by-step deployment from the ground up
using TPM-based attestation
EXPERTS LIVE
SUMMER NIGHT #1: Capture the Platform Identifier
TPM ReadinessBefore the platform identity can be captured, the TPM must be ready. This describes a TPM which is enabled in the system firmware and fully configured. Windows will automatically configure a TPM if it is enabled but not yet configured.
Capture the TPM Endorsement KeyThe platform identifier is technically called the Endorsement Key or EKPUB for short.
(Get-PlatformIdentifier -Name '<HostName>').InnerXml | Out-file <Path><HostName>.xml -Encoding UTF8
HGS DropboxWe will drop files in an SMB share that the HGS administrator will read from when configuring the attestation service. It is recommended a standard and secure procedure be built around the hand-off from Fabric to HGS Administrator.
EXPERTS LIVE
SUMMER NIGHT #2: Create a CI Policy (Device Guard)
Code Integrity Policy FormatsRaw code integrity policies are XML files that are human readable and can be modified using standard cmdlets. Before these policies can be used by HGS or enforced by Windows, they must be converted to a binary P7B file format. We recommend keeping a copy of the XML around for auditing and ease of updating later on.
Updating Code Integrity PoliciesDepending on the strictness of the policy, you may need to update the active policy every time Windows Updates are installed or new software is added to the machine. Code Integrity features an audit mode which logs non-compliance instead of forcing system and application failure.
EXPERTS LIVE
SUMMER NIGHT #3: Capture a Hardware Baseline
Capturing Updated BaselinesA new hardware baseline may be required if new hardware is installed, firmware is updated, secure boot settings are changed, or the system is downgraded to an old version of Windows.
Get-HgsAttestationBaselinePolicy -Path ‘<filepath>.tcglog’
Baseline ContentsSubject to change in each release.
Currently contains various UEFI keys, DBX and Launch Authorities—these settings control UEFI Secure Boot and ensure the system boots a trusted operating system.
EXPERTS LIVE
SUMMER NIGHT #4: Generate a Signed Template Disk
Template Disk WizardWizard used to create the encrypted template disk. A certificate is provided as a proof of the source.
When you click Generate, the wizard will enable BitLocker on the template disk, compute the hash of the disk, and create the Volume Signature Catalog, which is stored in the VHDX metadata.
Why a disk signature?The disk signature is computed over the entire contents of the disk. If anything changes on the disk, the signature will also change. This allows users to strongly identify which disks they trust by specifying the appropriate signature.
Alternate Management ModelsThe fabric administrator does not have to be the
sole author of template disks. A trusted 3rd party
or even the tenants can create disks so long as the
fabric administrator uploads and enables them in
System Center Virtual Machine Manager.
EXPERTS LIVE
SUMMER NIGHT #5: Download Guardian from HGS
A Guardian is the cryptographic representation of a specific guarded fabricShielded VMs can be configured with one or more guardians.
Each Guardian effectively permits that Shielded VM to run on healthy hosts on that guarded fabric.
EXPERTS LIVE
SUMMER NIGHT SEGUE: What’s this Shielding Data then (.PDK file)
A bundle of resources, scripts,
and authorizations used to
provision a Shielded VM away
from prying eyes. Created by
the tenant, signed and
encrypted with his/her keys.
EXPERTS LIVE
SUMMER NIGHT #6: Generate Shielding DataGuardian SecurityGuardians are very important entities that contain the certificates necessary to run Shielded VMs. We recommend creating these from certificates born and stored in a Hardware Security Module (HSM).
unattend.XML CreationThere are special requirements for an unattend.xml that will be used for Shielded VM deployment. These support special placeholder values and must enable RDP as well as trigger a reboot at the end of the specialization process.
EXPERTS LIVE
SUMMER NIGHT #7 (optional): Configure
VMM for Shielded VMsHow does a Hyper-V host become guarded?
A regular Hyper-V host is converted to a guarded host by enabling the Shielded VM Hyper-V Support feature. The host will still not be able to run Shielded VMs until the entire Guarded Fabric is configured.
Deploy code integrity policies directly in VMM.
Notice in the same screen where you can change a cluster node to function as a guarded host, you may also deploy a code integrity policy.
EXPERTS LIVE
SUMMER NIGHT Concluding
Shielded VMs
Not just an encrypted disk
Template Disk + Shielding Data
Attestation Modes
Admin-trusted Attestation Mode
Hardware-trusted Attestation Mode