-
Publication No.: US20220222098A1
Publication Date: 2022-07-14
Application No.: US17148428
Filing Date: 2021-01-13
Applicant: VMware, Inc.
Inventor: Abhishek SRIVASTAVA, David A. DUNN, Jesse POOL, Adrian DRZEWIECKI
Abstract: An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes storing, in a trust authority, a pre-defined attestation report for a workload executing in a virtual machine (VM) managed by the virtualization layer, the pre-defined attestation report including a hash of at least a portion of an image of the VM; receiving, at the trust authority from a security module of a host in which the VM executes, an attestation report generated by measuring memory of the VM; comparing the attestation report with the pre-defined attestation report; and generating an indication of validity for the workload based on a result of the comparison.
-
Publication No.: US20220222099A1
Publication Date: 2022-07-14
Application No.: US17148445
Filing Date: 2021-01-13
Applicant: VMware, Inc.
Inventor: Abhishek SRIVASTAVA, David A. DUNN, Jesse POOL, Adrian DRZEWIECKI
Abstract: An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes: launching, in cooperation with a security module of a host, a guest as a virtual machine (VM) managed by the virtualization layer, the security module generating an attestation report from at least a portion of the VM loaded into memory of the host; sending the attestation report from the security module to a trust authority; receiving, in response to verification of the attestation report by the trust authority, a secret from the trust authority at the security module; and providing the secret from the security module to the guest.
-
Publication No.: US20220222100A1
Publication Date: 2022-07-14
Application No.: US17148461
Filing Date: 2021-01-13
Applicant: VMware, Inc.
Inventor: Abhishek SRIVASTAVA, David A. DUNN, Jesse POOL, Adrian DRZEWIECKI
Abstract: An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes: launching, in cooperation with a security module of a host, a guest as a virtual machine (VM) managed by the virtualization layer, the security module generating an attestation report from at least a portion of the VM loaded into memory of the host; receiving, at the guest from a trust authority, a secret in response to verification of the attestation report; obtaining, at the guest from an entity, at least one key using transport layer security (TLS) data in the secret to verify identity of the guest to the entity; and using, at the guest, the at least one key to access or verify at least one disk attached thereto.
-
Publication No.: US20220066806A1
Publication Date: 2022-03-03
Application No.: US17002233
Filing Date: 2020-08-25
Applicant: VMware, Inc.
Inventor: Arunachalam RAMANATHAN, Yanlei ZHAO, Anurekh SAXENA, Yury BASKAKOV, Jeffrey W. SHELDON, Gabriel TARASUK-LEVIN, David A. DUNN, Sreekanth SETTY
IPC: G06F9/455, G06F9/50, G06F12/1027
Abstract: A virtual machine (VM) is migrated from a source host to a destination host in a virtualized computing system, the VM having a plurality of virtual central processing units (CPUs). The method includes copying, by VM migration software executing in the source host and the destination host, memory of the VM from the source host to the destination host by installing, at the source host, write traces spanning all of the memory and then copying the memory from the source host to the destination host over a plurality of iterations; and performing switch-over, by the VM migration software, to quiesce the VM in the source host and resume the VM in the destination host. The VM migration software installs write traces using less than all of the virtual CPUs, and using trace granularity larger than a smallest page granularity.