基於 SEV-SNP 和 pKVM 的機密虛擬機器的網路 I/O 的 測量和最佳化

Abstract

機密虛擬機器是一個興盛的實現機密運算的方式。然而，過去的研究始終缺乏對網路功能的透徹的討論。在這篇論文中，我們討論了數個機密虛擬機器中值得注意的網路相關的問題。首先，我們檢視了現代網路虛擬化技術 ─ 如 vhost-user、DPDK virtio-net 驅動程式、基於 VFIO 的 device passthrough ─ 與 Arm pKVM 和 AMD SEV-SNP 機密虛擬機器的相容性，並且測量了他們的效能表現。在測量的過程中，我們發現了一個機會能夠最佳化使用 device passthrough 的機密虛擬機器的開機速度。透過只將 bounce buffer 映射到 IOMMU 上便足以支援 CVM 使用 device passthrough，並將開機速度加快 66%。最後，我們進行了首個對於機密虛擬機器系統中的數據分享機制使用情形的安全性分析。我們發現一個先前在 Bifrost 中提出的機制 ── Zero-Copy Encryption Deduplication (ZCED)，在使用上會產生一個行為：Prolonged Data Exposure，進而導致作業系統核心的網路協定疊在使用 ZCED 時被納入可信計算基中。由於作業系統核心的網路協定疊相當複雜，這會導致使用 ZCED 時有潛在風險。為了在不損及效能及相容性的前提下減輕此風險，我們提出了一個新的針對機密虛擬機器的網路架構 ── VSOCK-net。VSOCK-net 使用了 VSOCK 取代了作業系統核心中的網路協定疊，並以 sockmap 有效地處理了 TCP 和 VSOCK 間的封包重定向。量測檢果顯示 VSOCK-net 相比基準設定有著高至 97% 的進步。

Confidential Virtual Machines (CVM) is a popular approach to enabling confidential computing. However, one essential functionality – networking – lacks thorough discussion in prior research. In this thesis, we address several topics regarding networking in CVM systems that deserve further study. We first examine the compatibility of the modern networking virtualization technologies – such as vhost-user, the DPDK virtio-net driver, and VFIO-based device passthrough – with the Arm pKVM and AMD SEV-SNP CVMs and evaluate their performance characteristics. During the evaluation, we identify an opportunity to improve the start-up time of device passthrough CVMs by mapping only the bounce buffer to IOMMU, which is sufficient to support device passthrough and yields up to a 66% improvement. Finally, we perform the first comprehensive security analysis on data sharing mechanisms in CVM systems. We discover that Zero-Copy Encryption Deduplication (ZCED), an optimized data sharing mechanism proposed in Bifrost, causes a behavior: prolonged data exposure, which extends the trusted computing base (TCB) to include the kernel TCP/IP network stack. The complexity of the kernel TCP/IP network stack incus potential security risk. To mitigate the risk without sacrificing the performance and the compatibility, we propose a new network architecture for CVM systems: VSOCK-net, which replaces the kernel network stack with VSOCK and leverages sockmap to efficiently handle packet redirection between VSOCK and TCP sockets. The evaluation shows that VSOCK-net delivers improvements of up to 97% compared to the baseline.