WAWEL: Architecture for Scalable Attestation of Heterogeneous Virtual Execution Environments

Abstract

Existing attestation mechanisms lack scalability and support for heterogeneous virtual execution environment, such as virtual machines and containers executed inside or outside hardware isolation on different vendors' hardware in clouds managed by various organizations. To overcome these limitations, hardware vendors and cloud providers implement proprietary mechanisms (Intel DCAP, Amazon NitroTPM, Google Titan) to support their offerings. However, due to their plurality, the attestation becomes cumbersome because it increases maintenance and integration costs and reduces portability required in hybrid- and multi-cloud deployments. We introduce Wawel, a framework that enables scalable attestation of heterogeneous virtual execution environments. Wawel can be plugged into existing hardware-specific attestation mechanisms, offering a unified attestation interface. Wawel supports the widely adopted open trusted platform module attestation standard. We implemented a prototype and integrated it with three different virtual execution environments. It supports runtime integrity attestation with Linux integrity measurement architecture and legacy applications requiring zero-code changes. Our evaluation demonstrated that the \sys prototype achieves good performance and scalability despite additional level of indirections between the virtual execution environment and hardware root of trust.