MCPKI-based certificate chain extension scheme for vTPM

Abstract

To meet the trust requirements of complex environments such as cloud platforms, physical trust modules are often virtualized into virtual Trusted Platform Module (vTPM) to function as the root of trust for each virtual machine or container. In remote attestation, vTPM utilize hardware-TPM-based certificate chain extension schemes to ensure its trustworthiness. Existing vTPM certificate chain extension schemes must turn to Privacy Certificates Authority (PCA) for new certificate during every attestation, however, result in excessive computational and communication overheads. To address this issue, this paper proposes a vTPM certificate chain extension scheme based on Multi-Certificate Public Key Infrastructure (MCPKI). This scheme allows unsigned sub-certificates to have the same legitimacy and identity as the root certificate through certificates correlation. In this way, vTPM can have multiple certificates with valid identity and only need to apply to PCA once, which reduces the performance loss caused by repetitive validation in traditional certificate chain extension schemes and enhances the efficiency of Privacy CA certificate issuance. Furthermore, certificate generation is handled by the local vTPM, reducing communication overheads. A new trusted third-party Verification Certificate Authority (VCA) is introduced to share the validation workload of Privacy CA and reduce the reliance on Privacy CA in certificate chain extension. The experiment results demonstrate that this scheme outperforms traditional certificate chain extension schemes in scenarios with multiple certificates requirement.