• DocumentCode
    2533093
  • Title

    Design and Implementation of Dual AIK Signing Scheme in Virtual TPM

  • Author

    Sun, Yuqiong ; Song, Cheng ; Li, Mengqian

  • Author_Institution
    Sch. of Comput., Beijing Univ. of Posts & Telecommun., Beijing, China
  • fYear
    2010
  • fDate
    18-20 Dec. 2010
  • Firstpage
    183
  • Lastpage
    187
  • Abstract
    In the current Xen environment, a platform attests its integrity to a remote customer by signing its own measurements with an Attestation Identity Key (AIK) from a virtual TPM instance. Customers believe that this evidence of the platform is credible since the signature of the AIK cannot be faked. However, this approach ignores the privileged domain and its administrator. Since they could access arbitrary memory addresses of the platform, they could steal the AIK and forge the measurements, thereby cheating the customer. In this paper, we design and implement a dual AIK signing scheme which makes use of the AIK from the hardware TPM. By signing the measurements of the platform and the upper-level virtual machine separately, a rogue platform could not tamper with the integrity evidence of the platform. We also present a virtual AIK certificate mechanism and a new remote integrity attestation protocol for this dual AIK signing scheme. Finally, we perform a security analysis of our approach to show that it has built a correct trust model in the trusted virtualization platform and it is truly secure.
  • Keywords
    authorisation; cryptography; data integrity; parallel architectures; storage management; virtual machines; Xen environment; attestation identity key; dual AIK signing scheme; memory address; remote customer; remote integrity attestation protocol; rogue platform; security analysis; virtual AIK certificate mechanism; virtual TPM; virtual machine; Current measurement; Hardware; Kernel; Privacy; Protocols; Security; Virtual machining; Attestation Identity Key (AIK); Trusted Computing Base (TCB); trusted virtualization platform; vTPM;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Parallel Architectures, Algorithms and Programming (PAAP), 2010 Third International Symposium on
  • Conference_Location
    Dalian
  • Print_ISBN
    978-1-4244-9482-8
  • Type

    conf

  • DOI
    10.1109/PAAP.2010.41
  • Filename
    5715082