Firmware And Hypervisors Support To Secure IBM Cloud VPC


Do you know your hypervisor and firmware?

IBM Cloud VPC is built for secure cloud computing, and numerous platform planning, development, and operational characteristics assure that. However, since cloud security is usually a shared responsibility between the cloud service provider and the client, you should thoroughly understand the layers of security your workloads run on here with us. We’ve included a few IBM Cloud VPC security components that help virtual server clients safeguard their computing.

Start with the hypervisor

Any virtual server architecture needs a hypervisor to safeguard client workloads and cloud native applications. Everything from hardware and firmware to system software and configuration must be safeguarded from outside manipulation.

Firmware and hypervisor software are the lowest changeable code layers and attractive targets for supply chain and other privileged attacks. Endpoint security tools like antivirus and EDR software struggle to identify privileged threats such as kernel-mode rootkits (bootkits). These run before any defense mechanism starts and can conceal themselves from it. Thus, supply chain security is essential.

Qualification and testing before deployment are among the procedures IBM Cloud VPC uses to ensure the quality, integrity, and supply chain security of its hardware, firmware, and software.

IBM Cloud VPC’s 3rd-generation solutions ensure platform integrity with ubiquitous code signing. Firmware is digitally signed at its origin and authenticated before installation. During system startup, a platform security module validates the firmware image’s integrity before the processor is initialized. The firmware in turn authenticates the hypervisor and device software, which makes the platform security module hardware the system’s root of trust.

Configuring and testing devices

IBM Cloud Virtual Servers for VPC provide several profile choices (vCPU + RAM + bandwidth provisioning bundles) to satisfy clients’ workload needs. Profile types are governed by product specifications. These product specs describe the server’s hardware, firmware, and configuration. Software encompasses host firmware and component devices. The server fleet uses these versioned product profiles, which are produced and managed by a hardware leadership team.

New hardware and software in the IBM Cloud VPC environment are mapped to a product specification, which describes their configuration. The intake verification procedure confirms that the server’s physical composition fulfills the specification before the server enters the fleet. If its physical composition doesn’t match the specification, the server is quarantined for examination and repair.

Device configuration and verification

This verification has two dimensions:

Firmware for IBM Cloud Virtual Servers for VPC must be signed by an authorized source before installation. This keeps servers running on certified firmware. IBM Cloud works with numerous vendors to sign firmware and to configure components to reject fraudulent firmware.

  • Only IBM Cloud-approved firmware may be installed: The regulated specification is updated periodically to include newly qualified firmware and remove old versions. This firmware check is done after server intake and before firmware updates.
  • The product specs also control server settings: Some solutions need special UEFI setups, features, or constraints. Configurations are applied to servers automatically based on the product specification. IBM Cloud’s monitoring and compliance infrastructure scans servers live.
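
The intake check described in this section can be sketched as a comparison of a server’s actual state with the planned state in a versioned specification. This is an added example, not IBM Cloud code; the specification layout, component names, versions, and the `verify_intake` function are all hypothetical.

```python
from dataclasses import dataclass, field

# Constructed product specification (hypothetical names and versions).
SPEC = {
    "profile": "example-gen3",
    "spec_version": 7,
    "firmware": {                      # component -> set of approved versions
        "host-uefi": {"2.4.1", "2.4.2"},
        "bmc": {"1.9.0"},
        "nic": {"22.31.6"},
    },
    "uefi_settings": {"secure_boot": "enabled", "boot_mode": "uefi"},
}

@dataclass
class Verdict:
    spec_version: int                  # recorded with every deployment
    findings: list = field(default_factory=list)

    @property
    def action(self):
        return "quarantine" if self.findings else "admit"

def verify_intake(spec, inventory):
    """Compare a server's actual state with the planned state in the spec."""
    v = Verdict(spec["spec_version"])
    planned_fw, actual_fw = spec["firmware"], inventory.get("firmware", {})
    for comp, approved in sorted(planned_fw.items()):
        actual = actual_fw.get(comp)
        if actual is None:
            v.findings.append(f"missing component: {comp}")
        elif actual not in approved:
            v.findings.append(f"unapproved firmware: {comp} {actual}")
    for comp in sorted(set(actual_fw) - set(planned_fw)):
        v.findings.append(f"unexpected component: {comp}")
    for key, want in sorted(spec["uefi_settings"].items()):
        got = inventory.get("uefi_settings", {}).get(key)
        if got != want:
            v.findings.append(f"setting drift: {key}={got!r}, planned {want!r}")
    return v

# Constructed inventories: one compliant, one with an old BMC image and drift.
GOOD = {"firmware": {"host-uefi": "2.4.2", "bmc": "1.9.0", "nic": "22.31.6"},
        "uefi_settings": {"secure_boot": "enabled", "boot_mode": "uefi"}}
BAD = {"firmware": {"host-uefi": "2.4.2", "bmc": "1.8.3", "gpu": "5.0"},
       "uefi_settings": {"secure_boot": "disabled", "boot_mode": "uefi"}}

if __name__ == "__main__":
    for name, inv in (("good", GOOD), ("bad", BAD)):
        v = verify_intake(SPEC, inv)
        print(name, v.action, "spec", v.spec_version, v.findings)
```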

Versioning and promoting specifications

As noted, product specifications are key to the administration of IBM Cloud Virtual Servers for VPC. Product specifications comprise server profile settings and are approved by the IBM Cloud product leader and a governance-focused leadership team. Together they oversee the server’s authorized components, configuration, and firmware. Product leaders concentrate on value and market uniqueness, while the governance-focused leadership team seeks commonality.

  • Keep in mind that specs change: As firmware versions change or server hardware expands to handle more vendor devices, these definition files change. Because of this, the IBM Cloud VPC specification is versioned to track changes over the server lifecycle. Each server deployment records its specification version and the planned versus actual state.
  • Specifications must be promoted: A specification update may not be immediately effective in production. Instead, it passes through development, integration, and staging before production. The rollout speed may vary depending on the devices or fixes.
  • IBM Cloud VPC firmware updates in waves: Although some changes need downtime, firmware may be updated live. Clients seldom experience this owing to live migration. As firmware upgrades are produced, migrating customers may take time. A specification update promoted via the pipeline initiates the update through runtime systems. Change severity determines update speed.

IBM Cloud VPC virtual servers provide a hardware root of trust

IBM Cloud Virtual Servers for VPC have platform security module root of trust hardware. Before the main processor boots, the platform security module hardware verifies the platform firmware image’s validity and integrity. It verifies the image’s authenticity and signature against an authorized certificate. The platform security module also stores copies of the platform firmware image. If the host firmware image is not signed with the permitted certificate, the platform security module replaces it with one of its own images before initializing the main processor.

After the main processor is initialized and the system firmware is loaded, the firmware authenticates the hypervisor’s bootloader using secure boot to create the next link in the chain of trust. The firmware checks that the bootloader was signed with a valid key before loading it. Public keys are authorized by enrolling them in the server’s key database. Once verified and loaded, the bootloader checks the kernel before running it. Finally, the kernel checks all modules before loading them. System boot stops if any component fails validation.

Secure boot and the platform security module combine to prevent supply chain attacks and privileged operations on the server from injecting malicious software. IBM Cloud Virtual Servers for VPC can only boot firmware, bootloaders, kernels, and kernel modules signed with IBM Cloud certificates or those of previously authorized operating system providers.

  • The aforementioned firmware configuration procedure checks the firmware secure boot keys against the permitted list. This covers the boot keys in the permitted keys database, the banned keys database, the key exchange key, and the platform key.
  • Secure boot allows adding kernel and kernel module signing keys to the first stage bootloader (shim), also known as the machine owner key (MOK). Thus, IBM Cloud’s operating system setup ensures that only permitted keys are registered in the MOK facility.
  • After a server passes all tests and is permitted to start, an audit chain is built from the platform security module hardware to kernel modules.
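
The boot sequence above can be modelled as a chain in which each stage validates the next, a banned entry overrides a permitted one, and the security module restores its stored firmware copy instead of running an unverified image. This is an added example, not IBM Cloud code; it substitutes SHA-256 digest allow-listing for certificate signature checks so it runs on the standard library alone, uses a single key database for all stages as a simplification, and all image contents and names are constructed.

```python
import hashlib

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

# Constructed byte strings standing in for real binaries.
FIRMWARE, LOADER = b"host firmware build 2", b"bootloader build 2"
KERNEL, MODULE = b"hypervisor kernel", b"kernel module"
REVOKED_LOADER = b"bootloader build 1 (revoked)"

GOLDEN_FIRMWARE = FIRMWARE           # copy stored by the platform security module
DB = {digest(i) for i in (FIRMWARE, LOADER, KERNEL, MODULE, REVOKED_LOADER)}
DBX = {digest(REVOKED_LOADER)}       # banned entries take precedence over DB

def allowed(image: bytes) -> bool:
    d = digest(image)
    return d in DB and d not in DBX

def boot(firmware, stages):
    """Return (booted, audit_log); stages is an ordered list of (name, image)."""
    log = []
    # Security module step, before the main processor starts: never run an
    # unverified firmware image, fall back to the stored copy instead.
    if not allowed(firmware):
        log.append(("firmware", "rejected, restored from stored copy"))
        firmware = GOLDEN_FIRMWARE
    log.append(("firmware", digest(firmware)[:12]))
    # Each verified stage checks the next; the first failure halts the boot.
    for name, image in stages:
        if not allowed(image):
            log.append((name, "validation failed, boot halted"))
            return False, log
        log.append((name, digest(image)[:12]))
    return True, log

CHAIN = [("bootloader", LOADER), ("kernel", KERNEL), ("module", MODULE)]

if __name__ == "__main__":
    cases = {
        "clean": (FIRMWARE, CHAIN),
        "tampered firmware": (b"modified firmware", CHAIN),
        "revoked bootloader": (FIRMWARE, [("bootloader", REVOKED_LOADER)] + CHAIN[1:]),
        "unknown module": (FIRMWARE, CHAIN[:2] + [("module", b"unsigned module")]),
    }
    for label, (fw, stages) in cases.items():
        ok, log = boot(fw, stages)
        print(f"{label}: booted={ok}")
        for entry in log:
            print("   ", entry)
```

The returned log plays the role of the audit chain from the security module down to the kernel modules: a successful boot records one digest per stage, and a failed boot ends at the component that did not validate.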

How to use Verified hypervisors on IBM Cloud VPC virtual servers?

Hypervisor verification is enabled by default for supported IBM Cloud VPC Virtual Servers. To guarantee your virtual server instances operate on hypervisor-verified supported servers, choose a generation 3 virtual server profile (bx3d, cx3d, mx3d, or gx3). Customers may use generation 3 virtual servers to take advantage of these features, which are now available.