Cosmian VM

Cosmian VM are Linux-based system images preconfigured to verify Confidential VM trustworthiness and integrity at anytime. The images are based either on Ubuntu 22.04 or RHEL 9, and can then be used as regular Linux distribution on most cloud providers such as Google Cloud Platform (GCP), Microsoft Azure and Amazon Web Services (AWS).

Cosmian VM image provides the following features:

• Confidentiality: the whole environment runs in a Trusted Execution Environment (TEE) with encrypted memory
• Verifiability: user can verify the integrity of executables at any time and compare against a reference snapshot
• Genericity: compatible with AMD SEV-SNP and Intel TDX in addition to TPM and vTPM
• No code modification: no need for third party library or any specific adaptation of applications
• Simplicity: manual configuration reduced at its bare minimum

Threat Model

Cosmian VM is designed to secure your application against passive (honest-but-curious) and active (malicious) cloud provider staff member

The foundation of Cosmian VM relies on the following components:

• Trusted Execution Environment (TEE) such as AMD SEV-SNP or Intel TDX for memory encryption
• Trusted Platform Module (TPM) or vTPM (virtual TPM) to store secrets and attest the content of some memory region
• Integrity Measurement Architecture (IMA), a Linux kernel module used to maintain a measurement log of all executables

In addition, Cosmian VM image contains the following software:

• cosmian_vm_agent: an agent running in the confidential VM to forward attestations, collaterals (e.g. root certificates) and measurement log
• cosmian_certtool to ease the generation of Let’s Encrypt certificates if needed
• cosmian_fstool to ease the generation of LUKS container with secret key stored in the TPM/vTPM

Our client CLI cosmian_vm can be used to interact with cosmian_vm_agent and verify the trustworthiness of a specific instance launched with Cosmian VM as base image.

Audit

Cosmian VM image construction process can be found in this repository: https://github.com/Cosmian/cosmian_vm/packer

Table of contents

• Setup flow
• Snapshot of the system
• Verification of the remote instance
• Cloud providers support
• AWS images
• Azure images
• GCP images
• Marketplace Image content

Setup flow

A confidential VM is instantiated from a cloud provider platform, including Cosmian VM solution. After installing all dependencies, a snapshot of the VM is done and integrity checks can be performed on the running application, in order to verify the running code and infrastructure.

Snapshot of the system

The snapshot of the system is a crucial step performed by cosmian_vm_agent to produce a JSON file with:

• TEE policy
• TPM policy
• List of measured files and their hash digests

It’s a one-time process done before you decide to freeze the system, the content will be compared with TEE attestation, TPM/vTPM attestation and IMA measurement log to verify the trustworthiness of the remote instance.

Verification of the remote instance

Verification process of the Cosmian VM is performed using client CLI cosmian_vm which will check:

• IMA (Integrity Measurement Architecture) measurement log with the list of executable and configuration file’s hash digest, to be compared against the snapshot
• TPM (Trusted Platform Module) attestation of the IMA measurement log
• TEE (Trusted Execution Environment) trustworthiness to ensure the instance is running on secure hardware using encrypted memory

Simple flowMore detailed flow

Cloud providers support

Cosmian VM already supports AMD SEV-SNP and Intel TDX but it might depend on the cloud provider. Cosmian base images are build from the following cloud provider images:

Replace X.Y.Z in the 3 following tables by the last Cosmian base image version.

AWS images

	Official image	OS image	OS version	Cosmian base image
AWS - AMD SEV	ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-amd64-server-20240523.1	Ubuntu	24.04	base-image-X-Y-Z-ubuntu-sev
AWS - AMD SEV	RHEL-9.3.0_HVM-20240117-x86_64-49-Hourly2-GP3	Redhat	9.3	base-image-X-Y-Z-ubuntu-sev

Azure images

	Official image	OS image	OS version	Cosmian base image	Version
Azure - Intel TDX	Canonical-0001-com-ubuntu-confidential-vm-jammy-22_04-lts-cvm	Ubuntu	22.04.202404090	base-image-ubuntu-tdx	X.Y.Z
Azure - AMD SEV	Canonical-0001-com-ubuntu-confidential-vm-jammy-22_04-lts-cvm	Ubuntu	22.04.202404090	base-image-ubuntu-sev	X.Y.Z
Azure - AMD SEV	Redhat-rhel-cvm-9_3_cvm_sev_snp	Redhat	9.3.2023111017	base-image-rhel-sev	X.Y.Z

GCP images

	Official image	OS image	OS version	Cosmian base image
GCP - Intel TDX	ubuntu-2204-tdx-v20240220	Ubuntu	22.04	base-image-X-Y-Z-ubuntu-tdx
GCP - AMD SEV	ubuntu-2404-noble-amd64-v20240523a	Ubuntu	24.04	base-image-X-Y-Z-ubuntu-sev
GCP - AMD SEV	rhel-9-v20240515	Redhat	9.3	base-image-X-Y-Z-rhel-sev

Marketplace Image content

The Cosmian VM image build on the marketplaces of GCP, Azure or AWS contains four major executables:

• cosmian_vm_agent is designed to be deployed on the Cosmian VM. It serves on demand the collaterals used to verify the trustworthiness of the Cosmian VM such as the IMA file, the TEE quote or the TPM quote
• cosmian_certtool is designed to generate a certificate signed by Let’s Encrypt or an RATLS certificate
• cosmian_fstool is designed to generate a LUKS container and enroll the TPM to be automatically started on reboot
• cosmian_vm is a CLI designed to be used on your own host. It queries the cosmian_vm_agent in order to get the collaterals used to verify the trustworthiness of the Cosmian VM

This image:

• contains the fully configured IMA
• contains the fully configured SELinux
• disables the auto-update (to avoid any modification of the Cosmian VM after having snapshoted it)
• contains the fully configured cosmian_vm_agent

This is a abstract of the updated file tree:

.
├── etc
│   ├── apt
│   │    └── apt.conf.d
│   │       └── 10periodic
│   ├── cosmian_vm
│   │   └── agent.toml
│   ├── default
│   │   └── grub
│   ├── ima
│   │   └── ima-policy
│   └── systemd
│       └── system
│           ├── cosmian_vm_agent.service
│           └── mount_luks.service
├── root
│   ├── mount_luks.sh
├── usr
│   └── sbin
│       ├── cosmian_certtool
│       ├── cosmian_fstool
│       └── cosmian_vm_agent
└── var
    └── lib
        └── cosmian_vm
            ├── container   <--- LUKS container
            ├── tmp
            └── data        <--- LUKS container mounted
                ├── cert.pem
                └── cert.key