> Shielded VMs use a combination of firmware-based UEFI Secure Boot and vTPM—a virtual Trusted Platform Module, which can generate and store "sealed" encryption keys. Those keys are used for Secure Boot, which ensures that the VM will only run authenticated software, and for Measured Boot, which checks against previous baselines of the virtual machine's configuration ... Both Secure Boot and Measured Boot can help defend against rootkits that might execute during the operating system startup, as well as kernel-level malware ... making it difficult if not impossible to gain access to the contents of a virtual machine's drives unless the operating system boots in a "known-good" state. If the VM's operating system, boot loader, or firmware image is compromised, the system won't reboot—so an attacker won't be able to decrypt the virtual disks.
Here's a talk by the author of the Intel TPM2 Software Stack (TSS) used in the simulator, https://www.platformsecuritysummit.com/2018/speaker/tricca/
> TPM 2.0 became an ISO standard in 2015, a Windows 10 security requirement in 2018 ... This talk will cover Intel’s collaboration ... to create a set of usable APIs. Design and craftsmanship of APIs with intuitive, predictable behavior can increase developer adoption and the likelihood of critical infrastructure functioning as intended
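As an added illustration (not code from the quoted material or from the Intel TSS), a small Python model of measured boot and PCR-bound sealing: each boot stage extends a PCR hash, a disk key is sealed to the resulting baseline, and a tampered boot loader produces a different PCR so the key is never released. The component names, TPM secret and key are constructed, and the wrapping scheme is a simplification of what TPM2_PCR_Extend, TPM2_PolicyPCR and TPM2_Unseal do on real hardware.

```python
import hashlib
from typing import List, Optional

# Constructed model of PCR extension and PCR-bound sealing. It is NOT the
# TPM2 TSS API; a real TPM does this with TPM2_PCR_Extend, TPM2_PolicyPCR
# and TPM2_Create/TPM2_Unseal, with the secret never leaving the chip.

ZERO_PCR = bytes(32)  # PCRs start at all zeros after reset

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """PCR_new = H(PCR_old || H(component)): order-sensitive, not reversible."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measured_boot(chain: List[bytes]) -> bytes:
    """Extend one PCR with each boot stage in order (firmware, loader, kernel)."""
    pcr = ZERO_PCR
    for stage in chain:
        pcr = pcr_extend(pcr, stage)
    return pcr

def seal(key: bytes, expected_pcr: bytes, tpm_secret: bytes) -> dict:
    """Bind a 32-byte key to a PCR value: the wrapping key is derived from the
    TPM secret and the expected PCR, so no other PCR value can derive it."""
    wrap = hashlib.sha256(tpm_secret + expected_pcr).digest()
    return {"policy": expected_pcr, "blob": bytes(a ^ b for a, b in zip(key, wrap))}

def unseal(sealed: dict, current_pcr: bytes, tpm_secret: bytes) -> Optional[bytes]:
    """Release the key only when the current PCR matches the sealed policy."""
    if current_pcr != sealed["policy"]:
        return None  # boot chain changed: refuse to release the disk key
    wrap = hashlib.sha256(tpm_secret + current_pcr).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))

# Constructed sample boot chains: a known-good one and one with a modified loader.
GOOD_CHAIN = [b"uefi-firmware-v1", b"shim-bootloader-v1", b"kernel-5.10"]
TAMPERED_CHAIN = [b"uefi-firmware-v1", b"shim-bootloader-MODIFIED", b"kernel-5.10"]
TPM_SECRET = b"constructed-storage-root-secret"
DISK_KEY = bytes(range(32))  # constructed 32-byte disk encryption key

def demo():
    """Seal to the good baseline, then try to unseal from both boot chains."""
    baseline = measured_boot(GOOD_CHAIN)
    sealed = seal(DISK_KEY, baseline, TPM_SECRET)
    good = unseal(sealed, measured_boot(GOOD_CHAIN), TPM_SECRET)
    bad = unseal(sealed, measured_boot(TAMPERED_CHAIN), TPM_SECRET)
    return good, bad  # (DISK_KEY, None)
```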