Michael Wolf writes:
It still runs in a VM on stock x86 hardware... what stops the NSA/provider from viewing the virtual CPU's state, retrieving the encryption keys, and decrypting the memory? "PRISM-Proof" my tail.
Preventing the provider from viewing the virtual CPU's state is the
main goal of their PrivateCore software. They encrypt the RAM that
contains the VM and they try to ensure that the key used to encrypt
it never leaves the CPU and that the providers don't get to see that
key.
Evidently right now they use a TPM for bootstrapping, so the weak link
is probably the TPM: the provider could try to reboot the host while
attacking the TPM in some way. If they had a completely fake or cracked
TPM that other people accepted as genuine, they could try to make it
boot the PrivateCore instance itself in a (provider-controlled) VM
pretending to be native hardware.
(The other potential weak link is exploiting the OS running inside the
VM. Then even if you don't know the crypto keys that encrypt the memory,
you can tell the OS to let you monitor its processes or disk.)
There should be at least a brief discussion of this in the liberationtech
archives.
--
Seth Schoen