CPC G06F 9/45558 (2013.01) [G06F 9/505 (2013.01); G06F 9/5077 (2013.01); G06F 21/53 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45595 (2013.01)] | 15 Claims |
1. A method of secure attestation of a workload deployed in a virtualized computing system, the virtualized computing system including a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts, the method comprising:
generating, by a trust authority running on a processor of the virtualization management server, a hash of at least a portion of an image of a virtual machine (VM) managed by the virtualization layer, and then storing, by the trust authority, a pre-defined attestation report that includes the hash generated by the trust authority;
receiving, at the trust authority from a security module of a host in which the VM executes, an attestation report that the security module generated by hashing at least a portion of the image, wherein a portion of the image is encrypted; and
determining, by the trust authority, a match between the received attestation report and the pre-defined attestation report, and then transmitting, by the trust authority to the security module, a secret that is acquired from a key management service and used by the VM to access information from the encrypted portion of the image.
|