We at VPSBG value your privacy and data security, which is why it is essential for us to provide a hosting platform that reflects this. In order to trust your infrastructure, you must trust how it boots, which is why we now officially support Measured Boot and Unified Kernel Images (UKI)!
These new introductions offer stronger guarantees about the integrity of the disk and the software that is running within your virtual environment, cryptographically measuring the UEFI firmware and the Unified Kernel Image (which contains the kernel, initial filesystem and boot parameters) before the virtual machine starts.
Not only that, but we are also adding support for custom and secure server images, allowing you to easily migrate to a trusted environment with a single click. Together, all of these new capabilities make it easier to deploy secure, reproducible and verifiable infrastructure.
Importance of Measured Boot
With the introduction of AI and the constant increase in utilization, companies and cloud power users need to ensure data security for their businesses and projects. With Measured Boot, they can run sensitive workloads on a cloud virtual machine that is secure and reliable, because it lets them confirm and verify:
- The exact UEFI firmware and UKI the system started with
- The exact disk image the system booted (with additional tools, such as dm-verity)
- That no unauthorized modifications were made to the operating system
- That sensitive workloads are running on infrastructure whose integrity can be independently checked
- That secure infrastructure pipelines can be built on top of it
- That the hosting provider hasn't tampered with their infrastructure
- That nothing has been altered within the system or the boot chain
What is Measured Boot?
When a virtual machine boots, it needs to load the UEFI firmware, a kernel, an initial filesystem and boot parameters before the operating system itself can start. Normally, you trust that these components haven't been modified between boots, but you have no proof.
Measured Boot changes this. Before the virtual machine starts, the AMD Secure Processor (PSP) computes a cryptographic hash, called the launch measurement, of the firmware and boot payload loaded into RAM. This measurement is included in a hardware-signed attestation report that the VM owner can retrieve and verify. Since the report is signed by a key embedded in the AMD processor itself, it cannot be forged by the hosting provider or by anyone with access to the physical server.
If anything changes, such as a different kernel or a modified command line, the measurement changes with it. By pre-calculating the expected measurement before uploading their image and comparing it against the live attestation report after each boot, the owner can independently detect any unauthorized modification.
Unified Kernel Images (UKI)
In order to simplify the boot process and to offer even greater integrity, we are also introducing Unified Kernel Images (UKI). In essence, a UKI bundles several boot components into a single binary: the Linux kernel, the initramfs and the kernel command line (the boot configuration parameters).
This simplifies both deployment and verification. Instead of managing three separate files and worrying about whether each was loaded correctly, the owner builds one UKI, uploads it and the attestation measurement covers everything inside it. The command line, which can include critical security parameters like the "dm-verity" root hash of the OS partition, is sealed inside the UKI and cannot be modified without changing the measurement.
UKIs can be built using standard Linux tooling such as "ukify", which is part of systemd.
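As an added example (not VPSBG's or systemd's code), the following Python reads the PE section table of a UKI with the standard library only, extracts the sealed .cmdline section and checks that it pins exactly the expected dm-verity root hash. It builds a constructed, non-bootable PE skeleton in place of real ukify output so it runs offline; the root hash value is a constructed placeholder.

```python
import hmac
import re
import struct

COFF_HDR = "<HHIIIHH"      # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptHdr, Characteristics
SEC_HDR = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/lines, Characteristics
ROOTHASH_RE = re.compile(r"\broothash=([0-9a-f]{64})\b")  # dm-verity sha256 root hash on the kernel command line

def parse_pe_sections(data: bytes) -> dict:
    """Return {section name: raw bytes}; a UKI is a PE image whose sections carry the payloads."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = struct.unpack_from(COFF_HDR, data, pe_off + 4)
    table = pe_off + 4 + struct.calcsize(COFF_HDR) + coff[5]   # section table follows the optional header
    out = {}
    for i in range(coff[1]):
        name, vsize, _va, rsize, ptr, *_ = struct.unpack_from(SEC_HDR, data, table + 40 * i)
        length = min(vsize, rsize) if vsize else rsize   # SizeOfRawData may be padded to file alignment
        out[name.rstrip(b"\0").decode()] = data[ptr:ptr + length]
    return out

def sealed_cmdline(uki: bytes) -> str:
    """The kernel command line in the .cmdline section, which the launch measurement covers."""
    secs = parse_pe_sections(uki)
    if ".cmdline" not in secs:
        raise ValueError("UKI has no .cmdline section")
    return secs[".cmdline"].rstrip(b"\0").decode()

def check_roothash(uki: bytes, expected: str) -> bool:
    """True only if exactly one roothash= is sealed in and it equals the expected dm-verity root hash."""
    found = ROOTHASH_RE.findall(sealed_cmdline(uki))
    return len(found) == 1 and hmac.compare_digest(found[0], expected)

def build_constructed_uki(sections: dict) -> bytes:
    """Constructed stand-in for ukify output: a PE skeleton (no optional header, not bootable) with the given sections."""
    body_off = 0x40 + 4 + struct.calcsize(COFF_HDR) + 40 * len(sections)
    mz = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew -> PE header at 0x40
    coff = struct.pack(COFF_HDR, 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    table, body = b"", b""
    for name, payload in sections.items():
        table += struct.pack(SEC_HDR, name.encode(), len(payload), 0, len(payload),
                             body_off + len(body), 0, 0, 0, 0, 0x40000040)
        body += payload
    return mz + b"PE\0\0" + coff + table + body

EXPECTED_ROOTHASH = "ab" * 32   # constructed placeholder, not a real dm-verity digest
SAMPLE_UKI = build_constructed_uki({
    ".cmdline": f"root=/dev/mapper/root roothash={EXPECTED_ROOTHASH} ro\0".encode(),
    ".linux": b"\x7fELF constructed kernel bytes",
    ".initrd": b"constructed initrd bytes",
})
```

On a real UKI, read the file bytes and call `check_roothash` with the root hash recorded when the dm-verity image was built.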
How does Measured Boot work?
Measured Boot establishes a chain of trust that begins at system startup and ends once the virtual machine is online.
1. Deployment: VM launch is requested via our client area
2. Initialization: Hypervisor loads the UEFI firmware and UKI file into guest memory (RAM)
3. Computation: The AMD Secure Processor computes the launch measurement before the VM starts
4. Boot: VM starts and the UEFI firmware hands off to the kernel inside the UKI
5. Disk Verification (optional): Kernel verifies OS disk integrity using the embedded dm-verity root hash
6. Disk Verification Success (optional): Operating system starts only if disk verification passes
7. Attestation Report: Owner retrieves the hardware-signed attestation report and compares it to their expected measurement
Secure Boot vs Measured Boot
While often mentioned together, Secure Boot and Measured Boot solve different problems.
| Technology | What it does | Why it matters |
| --- | --- | --- |
| Secure Boot | Ensures only signed and trusted boot components are executed | Prevents unauthorized boot code from running |
| Measured Boot | Records a cryptographic measurement of the boot payload | Enables verification of exactly what software started |
In general, Secure Boot prevents unsigned components from executing at all during startup, while Measured Boot records a cryptographic measurement that lets you verify exactly which components were loaded. Secure Boot relies on key management - whoever controls the signing keys controls what can boot. Measured Boot relies on AMD's hardware root of trust, which neither the VM owner nor the hosting provider can influence.
Custom Server Images
In addition to Measured Boot and UKI support, we are also introducing support for custom server images (not to be confused with Custom ISO support), giving you full control over kernel versions, system configuration, security and much more, while also making it easy to migrate to our infrastructure.
Here are the requirements:
IMPORTANT: Networking must be configured statically within the image, or have cloud-init installed and enabled to pick up our network configuration drive automatically.
Use Cases
Where does Measured Boot have the biggest impact? In general, it is most beneficial for confidential workloads such as financial services, machine learning and data processing, where verifying the integrity of the running environment is critical.
But that's not all: secrets such as encryption keys, API credentials and database access tokens can also be released only after the server's boot process has been verified. If the boot image was tampered with, the measurement changes, the secrets are never delivered, and an attacker ends up with a running VM that has no access to anything valuable.
It can also find use in secure software supply chains: by building reproducible operating system images, recording their expected measurements and verifying on every deployment that exactly that image booted, teams can guarantee that the deployed server is identical to what was tested and approved.
Finally, it is also incredibly useful for organizations that must operate under strict regulatory and compliance requirements, such as government institutions. Measured Boot enables "zero-trust" hosting: organizations that cannot or do not want to trust their hosting provider can independently verify the attestation report. The proof is rooted in AMD hardware, and the provider cannot forge it, even with full physical access to the server.
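Step 7 of the chain of trust above and the conditional secret release described here, as an added example that is not VPSBG's code: it assumes the report follows the AMD SEV-SNP ATTESTATION_REPORT layout (the page does not name SEV-SNP; the offsets are from the SEV-SNP ABI specification as recalled and should be checked against it), that the caller has already verified the PSP signature over the report with AMD's VCEK certificate chain, and that the owner supplied the nonce echoed in report_data. The sample report, measurement and nonce are constructed.

```python
import hmac
import struct

# Assumed AMD SEV-SNP ATTESTATION_REPORT layout (offsets as recalled from the SEV-SNP ABI spec; verify against it).
REPORT_LEN = 0x4A0
OFF_VERSION, OFF_POLICY, OFF_REPORT_DATA, OFF_MEASUREMENT, OFF_SIGNATURE = 0x000, 0x008, 0x050, 0x090, 0x2A0
POLICY_DEBUG = 1 << 19   # guest policy bit: host may debug the guest; an attested VM must have it clear

def parse_report(raw: bytes) -> dict:
    """Split the fixed-layout report into the fields the owner's policy needs."""
    if len(raw) != REPORT_LEN:
        raise ValueError(f"attestation report must be {REPORT_LEN} bytes")
    return {
        "version": struct.unpack_from("<I", raw, OFF_VERSION)[0],
        "policy": struct.unpack_from("<Q", raw, OFF_POLICY)[0],
        "report_data": raw[OFF_REPORT_DATA:OFF_REPORT_DATA + 64],   # 64 bytes the guest chose (our nonce)
        "measurement": raw[OFF_MEASUREMENT:OFF_MEASUREMENT + 48],   # SHA-384 launch measurement
        "signed_body": raw[:OFF_SIGNATURE],                         # bytes the VCEK signature covers
        "signature": raw[OFF_SIGNATURE:],
    }

def evaluate(raw: bytes, approved: dict, nonce: bytes) -> tuple:
    """(release_ok, reason). Assumes the signature over signed_body was already verified with
    AMD's VCEK certificate chain; nothing below is trustworthy without that step."""
    r = parse_report(raw)
    if r["policy"] & POLICY_DEBUG:
        return False, "guest policy permits host debugging"
    if not hmac.compare_digest(r["report_data"], nonce.ljust(64, b"\0")):
        return False, "report_data does not echo our nonce: stale or replayed report"
    for name, expected in approved.items():
        if hmac.compare_digest(r["measurement"], expected):
            return True, f"launch measurement matches approved image {name}"
    return False, "unknown launch measurement: firmware, UKI or command line differ from what was approved"

def release_secret(raw: bytes, approved: dict, nonce: bytes, secret: bytes):
    """Hand out the secret only on a passing evaluation; a tampered image gets nothing."""
    ok, _reason = evaluate(raw, approved, nonce)
    return secret if ok else None

def constructed_report(measurement: bytes, nonce: bytes, policy: int = 0x30000) -> bytes:
    """Constructed, unsigned sample so the example runs offline; a real report is requested from
    inside the guest and carries the PSP's signature. Default policy: SMT bit 16, reserved bit 17."""
    buf = bytearray(REPORT_LEN)
    struct.pack_into("<I", buf, OFF_VERSION, 2)
    struct.pack_into("<Q", buf, OFF_POLICY, policy)
    buf[OFF_REPORT_DATA:OFF_REPORT_DATA + 64] = nonce.ljust(64, b"\0")
    buf[OFF_MEASUREMENT:OFF_MEASUREMENT + 48] = measurement
    return bytes(buf)

APPROVED = {"uki-2024.1": b"\x11" * 48}   # constructed: replace with your pre-calculated launch measurements
```

Keep one entry in `APPROVED` per image you have tested and approved, so that a rollout of a new UKI is an explicit allowlist change rather than a silent acceptance.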