Trusted Compute Pools and Parallels - Intel Cloud Builders Guide

Post on 26-Sep-2020


Figure: Trusted compute pool architecture. Two virtual machines (Virtual Machine 1 running a guest OS with sensitive applications, Virtual Machine 2 running a guest OS with office applications) sit on a hypervisor running in a Measured Launch Environment, above the platform hardware (memory, processor, chipset, TPM).

Figure: Platform components for Intel® TXT. Intel® Xeon® 5600 processors with Intel® TXT and Intel® VT-x support; Intel® 5520 chipset with Intel® TXT and Intel® VT-d support; BIOS AC module and pre-boot TXT init code; flash; TPM (TPM support); Intel® software SINIT AC module; 3rd-party software (MLE, hosted OS, apps, etc.).

Figure: Boot sequence from untrusted to trusted. Platform init, TPM init and BIOS; MBR boot sector, boot block and boot manager; OS loader, hypervisor loader and OS kernel code (recorded in the TPM); boot, system start; running system (untrusted); SENTER; trusted hypervisor and OS kernel code, hypervisor loader, TPM; trusted.

Figure: Parallels Secure Hypervisor launch sequence. The swimlanes are "System is not trusted", "Intel® TXT launch" and "Hypervisor"; the system is untrusted until the Intel® TXT launch completes.

1. Platform initializes. The system loader (grub) starts, loads the SINIT module, the Parallels* hypervisor and the host OS kernel, and passes control to the Parallels Secure Hypervisor.
2. Parallels Secure Hypervisor prepares the environment for SMX and stops all CPUs and I/O.
3. The BSP jumps to SMX mode using the GETSEC[SENTER] instruction.
4. The BSP hardware authenticates SINIT and measures it into TPM PCR17.
5. SINIT is launched and establishes the secure execution environment.
6. SINIT measures the Parallels Secure Hypervisor into TPM PCR18. The Parallels Secure Hypervisor Loader is launched in the secure environment.
7. Parallels Secure Hypervisor verifies policy (verifies the loaded modules).
8. Parallels Secure Hypervisor wakes up all CPUs using the GETSEC[WAKEUP] instruction.
9. Parallels Secure Hypervisor finishes booting, initializes power-state support, and initializes VM0 (parent partition).
10. Parallels Secure Hypervisor launches VM0 (parent partition) in Intel® VT-x non-root mode.
11. VM0 (parent partition) now runs the host OS in Intel® VT-x non-root mode.
12. The host OS kernel is a specially modified Parallels Linux kernel with a built-in Parallels VM Service module.
13. The Parallels VM Service module uses the vmcall interface for hypervisor communications.

Figure: Parallels architecture stack. VM0 (Service VM): Host OS (Linux*) with the Parallels Linux OS Kernel (VzKernel), the virtualization stack (Parallels* Dispatcher, Parallels VM, applications) and VMM drivers. Child partition: guest OS with guest OS applications (Ring 3) and Parallels Tools. Both partitions run in Intel® VT-x non-root mode; the Secure Hypervisor runs in Intel® VT-x root mode inside the Measured Launch Environment (Intel® TXT), on the platform hardware.
