Shielded virtual machines are specialized VM instances designed with enhanced security features to protect against advanced threats like rootkits and bootkits.
Understanding Shielded VMs
At their core, shielded virtual machines prioritize the integrity and verifiability of their boot process and underlying system state. Unlike standard virtual machines, shielded VMs incorporate specific security measures that ensure the instance boots correctly and that its foundational firmware has not been maliciously modified.
This heightened security makes them particularly suitable for running sensitive workloads or applications where system integrity is paramount.
Key Security Features
Shielded VMs leverage several security features to achieve their enhanced protection. A fundamental aspect is the integrity and verification of the instance's firmware.
Verified Firmware
A critical feature of shielded virtual machines is their use of verified firmware. As stated in the reference:
"Shielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishing the root of trust for Secure Boot."
This means:
- The firmware (the initial software that runs when a VM starts) has a digital signature.
- This signature is created and verified by a trusted entity (in this case, Google's Certificate Authority).
- This verification process confirms that the firmware code has not been altered or tampered with since it was originally signed.
- Ensuring the firmware is unmodified is vital because it creates a reliable root of trust. This trust is the foundation upon which other security features, like Secure Boot, rely.
- The reference also mentions the use of the Unified Extensible Firmware Interface (UEFI) 2.3, a modern standard often used for this type of secure boot process.
Secure Boot
Building upon the trusted firmware, shielded VMs utilize Secure Boot. Secure Boot is a process that ensures the virtual machine only launches software that is trusted by the firmware. It typically works by checking the digital signatures of the operating system loader and other critical boot components. If a signature is invalid (meaning the software has been tampered with) or missing (meaning it's untrusted software), the VM will not boot, preventing malicious code from running during the boot process.
By combining verified firmware with Secure Boot, shielded VMs significantly reduce the attack surface presented by the boot chain itself.
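A defender's check that follows from the section above, added here as an example and not taken from the original page or from Google: it audits an instance inventory for VMs where Secure Boot is off or where no shielded configuration is present. It assumes the inventory is the JSON produced by `gcloud compute instances list --format=json`, in which each instance carries a `shieldedInstanceConfig.enableSecureBoot` field; the instance names, project and status labels are constructed for the example.

```python
import json

# Constructed sample in the shape of `gcloud compute instances list --format=json`.
# Instance names and the project ID are made up for this example.
SAMPLE_INVENTORY = """
[
  {"name": "web-1",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
   "shieldedInstanceConfig": {"enableSecureBoot": true}},
  {"name": "batch-7",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b",
   "shieldedInstanceConfig": {"enableSecureBoot": false}},
  {"name": "legacy-db",
   "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/europe-west1-c"}
]
"""


def secure_boot_state(instance):
    """Classify one instance: 'enabled', 'disabled' or 'no-shielded-config'."""
    cfg = instance.get("shieldedInstanceConfig")
    if not isinstance(cfg, dict):
        # No shielded configuration on the resource at all.
        return "no-shielded-config"
    # Treat anything other than an explicit true as disabled (fail closed).
    return "enabled" if cfg.get("enableSecureBoot") is True else "disabled"


def audit(inventory_json):
    """Return sorted (name, zone, state) tuples for instances needing attention."""
    findings = []
    for inst in json.loads(inventory_json):
        state = secure_boot_state(inst)
        if state != "enabled":
            # The zone field is a full resource URL; keep only its last segment.
            zone = inst.get("zone", "").rsplit("/", 1)[-1] or "unknown"
            findings.append((inst.get("name", "<unnamed>"), zone, state))
    return sorted(findings)


if __name__ == "__main__":
    for name, zone, state in audit(SAMPLE_INVENTORY):
        print(f"{zone}/{name}: Secure Boot {state}")
```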
Why Use Shielded VMs?
The primary benefit of using shielded virtual machines is significantly increased protection against attacks targeting the firmware and boot process, such as:
- Bootkits: Malware that infects the boot sector or boot loader to gain control before the operating system loads.
- Rootkits: Malware designed to gain unauthorized access to a computer or network while concealing its presence. Some rootkits can target the boot process.
By ensuring the integrity of the firmware and boot components, shielded VMs provide a stronger foundation for the security of the entire instance and the applications running on it.