MID-024: Encrypted VM Isolation

Mitigation Tier: Leading

Description

A VM's inherent memory isolation protects the memory allocated to that VM, but attacks can still be launched from the hypervisor or from any other system component with access to physical memory. Because multiple virtual machines (VMs) run on the same hardware, exploits and data leaks remain possible through hardware or device architecture vulnerabilities.

Encrypting VMs and VM-related state helps maintain VM isolation in the presence of an untrustworthy hypervisor by keeping each VM's data confidential while it executes. The added encryption protects the VM's memory space against unauthorized reads by the hypervisor or by any other VM: from any context other than the guest VM that owns the memory, only ciphertext is visible.

Cloud computing use cases are driving the adoption of these confidential computing features in newer processors. They build on the RAM encryption functionality (described further in MID-065) that creates encrypted regions of memory bound to a particular execution context (a thread, a process, or here a whole VM), such that the contents of that memory are encrypted automatically by the CPU before being written to RAM and automatically decrypted when read back into the CPU's caches and registers. The per-VM keys are generated and held by the hardware rather than by the hypervisor, so the hypervisor can still manage a guest's physical pages without being able to read their contents.
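As an added illustration of the isolation property described in the two paragraphs above (an example written for this page, not code from any vendor's implementation), the following toy model shows a per-VM memory encryption engine: each VM is identified by an ASID with its own key held inside the "CPU", guest stores are encrypted before they reach the shared physical memory, and the hypervisor or another VM sees only ciphertext. The ASID numbering, the key table, the HMAC-SHA256 keystream standing in for the hardware AES engine, and the sample secret are all assumptions of the model; real hardware uses AES in the memory controller with a physical-address tweak, which the model imitates by binding the keystream to the address.

```python
"""Toy model of per-VM memory encryption (SEV/TDX style). Not a real cipher."""
import hashlib
import hmac
import secrets

PAGE_SIZE = 4096


def _keystream(key: bytes, paddr: int, length: int) -> bytes:
    """Keystream bound to (VM key, physical address).

    Assumption: HMAC-SHA256 in counter mode stands in for the hardware AES
    engine; the physical address acts as a tweak, so identical plaintext
    stored at two addresses yields different ciphertext.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = paddr.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out.extend(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class MemoryEncryptionEngine:
    """Models the CPU-side engine sitting between the cores and DRAM."""

    def __init__(self) -> None:
        self.dram: dict[int, bytes] = {}   # paddr -> ciphertext (what HV/DMA see)
        self.keys: dict[int, bytes] = {}   # asid -> key, never leaves the "CPU"

    def launch_vm(self, asid: int) -> None:
        """Hardware generates the VM key; the hypervisor never sees it."""
        self.keys[asid] = secrets.token_bytes(32)

    def write(self, asid: int, paddr: int, plaintext: bytes) -> None:
        """Guest store: encrypted with the running VM's key before hitting DRAM."""
        self.dram[paddr] = _xor(plaintext, _keystream(self.keys[asid], paddr, len(plaintext)))

    def read(self, asid: int, paddr: int) -> bytes:
        """Guest load: decrypted with the key of the VM that is executing."""
        ct = self.dram[paddr]
        return _xor(ct, _keystream(self.keys[asid], paddr, len(ct)))

    def hypervisor_read(self, paddr: int) -> bytes:
        """Hypervisor or DMA read of physical memory: no key, raw ciphertext."""
        return self.dram[paddr]

    def hypervisor_flip_bit(self, paddr: int, index: int, mask: int) -> None:
        """Hypervisor tampering with ciphertext in place (no key needed)."""
        buf = bytearray(self.dram[paddr])
        buf[index] ^= mask
        self.dram[paddr] = bytes(buf)


# Constructed sample secret written by the guest (not from any real system).
SECRET = b"db-password=hunter2".ljust(32, b"\0")


def confidentiality_demo() -> dict[str, bool]:
    """Returns which isolation properties hold in the model."""
    mee = MemoryEncryptionEngine()
    mee.launch_vm(asid=1)   # guest A
    mee.launch_vm(asid=2)   # guest B, co-resident on the same host
    mee.write(1, 0x1000, SECRET)
    mee.write(1, 0x2000, SECRET)   # same plaintext, different physical address
    return {
        "guest_sees_plaintext": mee.read(1, 0x1000) == SECRET,
        "hypervisor_sees_ciphertext": mee.hypervisor_read(0x1000) != SECRET,
        # HV mapping A's page into B and B reading it: decrypted with B's key.
        "other_vm_cannot_decrypt": mee.read(2, 0x1000) != SECRET,
        "same_data_differs_by_address": mee.hypervisor_read(0x1000) != mee.hypervisor_read(0x2000),
    }


def tamper_demo() -> bool:
    """Encryption alone gives confidentiality, not integrity: a ciphertext
    bit flip by the hypervisor silently corrupts what the guest reads back."""
    mee = MemoryEncryptionEngine()
    mee.launch_vm(asid=1)
    mee.write(1, 0x1000, SECRET)
    mee.hypervisor_flip_bit(0x1000, 0, 0x01)
    return mee.read(1, 0x1000) != SECRET   # True: corruption undetected here


if __name__ == "__main__":
    print(confidentiality_demo())
    print("tampering undetected:", tamper_demo())
```

The tamper case is the caveat a practitioner should keep in mind: memory encryption by itself prevents reads, not writes, so the hypervisor can still corrupt or replay encrypted pages. Hardware designs that add memory integrity and ownership tracking on top of encryption address this, and a guest should use the platform's attestation report to confirm that it is actually running with encryption (and whichever integrity features it requires) enabled before trusting its own memory with secrets.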

IEC 62443-4-2 Mappings

  • CR 4.1 – Information confidentiality

  • CR 2.1 – Authorization enforcement, RE(1) Authorization enforcement for all users (humans, software processes and devices)
