US 11,709,700 B2
Provisioning identity certificates using hardware-based secure attestation in a virtualized and clustered computer system
Abhishek Srivastava, Sunnyvale, CA (US); David A. Dunn, Sammamish, WA (US); Jesse Pool, Ottawa (CA); and Adrian Drzewiecki, Mountain View, CA (US)
Assigned to VMware, Inc., Palo Alto, CA (US)
Filed by VMware, Inc., Palo Alto, CA (US)
Filed on Jan. 13, 2021, as Appl. No. 17/148,445.
Prior Publication US 2022/0222099 A1, Jul. 14, 2022
Int. Cl. G06F 9/455 (2018.01)
CPC G06F 9/45558 (2013.01) [G06F 9/45545 (2013.01); G06F 2009/4557 (2013.01); G06F 2009/45575 (2013.01); G06F 2009/45587 (2013.01)]
20 Claims
1. A method of secure attestation of a workload deployed on a host of a virtualized computing system, wherein the host includes virtualization software on which the workload is deployed, and the host further includes a hardware security module and memory, the method comprising:
loading code specified by the workload into the memory, wherein the code includes instructions for establishing an encrypted communication channel between the workload and the hardware security module;
after loading the code into the memory, executing the code to establish the encrypted communication channel;
accessing, by the hardware security module via the encrypted communication channel, contents of the memory that include the code;
generating an attestation report by the hardware security module, based at least on the accessed contents of the memory;
transmitting the attestation report from the hardware security module to a trust authority;
in response to verification of the attestation report by the trust authority, receiving a secret from the trust authority at the hardware security module; and
transmitting the received secret from the hardware security module to the workload, wherein the workload uses the secret to gain access to sensitive information.
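
The attestation and secret-release steps of claim 1, modeled as an added Python example (not code from the patent or from VMware). Assumptions not stated in the claim: the measurement is a SHA-256 digest of the loaded code, an HMAC key shared by the hardware security module and the trust authority stands in for the report-signing mechanism, a nonce is added for freshness, and the encrypted channel is abstracted as direct method calls.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-identity-secret"  # constructed sample value

class HardwareSecurityModule:
    def __init__(self, report_key):
        self._report_key = report_key  # assumption: stand-in for a signing key
        self._secret = None

    def attest(self, memory, nonce):
        # Measure the memory contents that include the loaded code, then
        # authenticate nonce + measurement so the report cannot be forged.
        measurement = hashlib.sha256(memory).digest()
        mac = hmac.new(self._report_key, nonce + measurement, hashlib.sha256).digest()
        return {"nonce": nonce, "measurement": measurement, "mac": mac}

    def receive_secret(self, secret):
        self._secret = secret

    def deliver_to_workload(self):
        return self._secret

class TrustAuthority:
    def __init__(self, report_key, expected_code, secret):
        self._report_key = report_key
        self._expected = hashlib.sha256(expected_code).digest()
        self._secret = secret
        self._nonce = None

    def new_nonce(self):
        self._nonce = os.urandom(16)
        return self._nonce

    def verify_and_release(self, report):
        # Release the secret only for a fresh, authentic report whose
        # measurement matches the expected workload code.
        if self._nonce is None or report["nonce"] != self._nonce:
            return None
        good = hmac.new(self._report_key, report["nonce"] + report["measurement"],
                        hashlib.sha256).digest()
        if not hmac.compare_digest(good, report["mac"]):
            return None
        if not hmac.compare_digest(self._expected, report["measurement"]):
            return None
        self._nonce = None  # single use: a replayed report is rejected
        return self._secret

def provision(loaded_code, expected_code):
    key = os.urandom(32)
    hsm = HardwareSecurityModule(key)
    authority = TrustAuthority(key, expected_code, SECRET)
    secret = authority.verify_and_release(hsm.attest(loaded_code, authority.new_nonce()))
    if secret is None:
        return None  # verification failed: the workload never sees the secret
    hsm.receive_secret(secret)
    return hsm.deliver_to_workload()
```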