Help Center/ Elastic Cloud Server/ Technical White Paper/ QingTian System Security Technical White Paper/ QingTian Confidential Computing/ Isolation Dimension 2
Updated on 2025-10-17 GMT+08:00
View PDF
Share

Isolation Dimension 2

On the cloud infrastructure platform, providing integrity protection for the guest OS of VM instances has become a new security baseline. Currently, ECS provides UEFI secure boot and QingTian TPM features to support trusted boot and remote attestation that meet TCG standards. QingTian TPM, provided by the QingTian system, is a virtual device that complies with the TPM 2.0 specifications. The OS generally uses TPM to provide security features like disk encryption (such as Windows BitLocker) and data anti-tampering (such as Linux DM-Verity).

However, general-purpose guest VM OSs (such as Rich OS) usually have a large TCB, which often leads to a large attack surface. In addition, there are still many challenges in protecting the integrity of the guest OS at runtime. In this isolation dimension, we refer to the design method of isolating tenant VMs from the cloud system in isolation dimension 1 to use QingTian Enclave to run sensitive applications of tenants. It isolates the guest OS from the trust boundary of QingTian Enclave and completely isolates the runtime environment of sensitive applications from that of the guest OS. This design ensures that security threats in the guest OS do not affect the security of applications and data in the Enclave environment.

Figure 1 Isolation dimension 2

QingTian Enclave is an isolated VM runtime environment created from an ECS. It connects to the parent instance through a dedicated vsock secure channel. Based on the assumption that the guest OS of the parent instance is untrusted, QingTian Enclave uses the following methods to enhance security in this isolation dimension:

  • Strong isolation: QingTian Enclave and the customer's parent instance are isolated based on hardware-assisted virtualization and in-house VRAM memory management. The Enclave and parent instance do not share physical memory or CPU cores. They are connected only through a hypervisor-protected dedicated local channel vsock. Even if the guest OS of the primary instance has security vulnerabilities or the super administrator is attacked, the attacker who controls the guest OS of the primary instance cannot access the code and data in the QingTian Enclave environment.
  • Minimum attack surface: QingTian Enclave does not support network interface attachments and SSH interactive access, and does not provide network interfaces and persistent storage. A QingTian Enclave OS is a Huawei Cloud-developed security OS that has been streamlined to the minimum requirements. Customers can also customize their own Enclave OSs.
  • Anti-tampering: When QingTian Enclave is started, QingTian Hypervisor verifies the digital signature of the Enclave image and measures the Enclave image file and the public key certificate of the digital signature. The measurement results are saved to QingTian Security Module (QTSM). QTSM provides TPM-like trusted measurement and remote attestation. The difference is that QTSM redefines the trusted measurement attributes and attestation security protocols based on ECS scenarios.
  • Key protection: QTSM runs in the isolated compute environment provided by QingTian Cards, generates a random attestation key pair based on the TRNG hardware engine, and applies for an attestation public key certificate from QingTian Attestation PKI. After the hardware-enhanced identity authentication is successful, QingTian Attestation PKI issues an attestation public key certificate to QTSM. QTSM also supports hourly rotation of attestation certificates, further reducing the risk of key leakage.

QingTian Enclave supports remote attestation protocols. When establishing trust with external parties, Enclave applications can provide cryptographic attestation of Enclave identity and runtime environment measurements to the parties through the attestation protocol. Huawei Cloud Key Management Service (KMS) and Identity and Access Management (IAM) inherently support QingTian Enclave attestation. QingTian Enclave application developers can use the open-source Enclave SDK to access KMS APIs. These APIs allow them to obtain data encryption/decryption keys or secure random numbers and ensures E2E security. IAM administrators can use preset IAM authorization policies or guardrail policies to enforce attestation-based conditional access control on KMS APIs.

In addition, QingTian Enclave is a developer-friendly platform in terms of usability and application compatibility. Developers can easily develop QingTian Enclave applications without CPU microarchitecture expertise and advanced cryptography knowledge. QingTian Enclave supports both x86 and Arm architectures. Developers can use their familiar language frameworks to build QingTian Enclave images using container images.

QingTian Enclave enables customers to create a highly isolated and enhanced compute environment within the ECS VM environment, so that customers can isolate their system components based on different trust levels. QingTian Enclave has been favored by many cloud customers since its launch. Production applications built based on QingTian Enclave include vHSM, vault credential management, and MPC wallets. For the cloud native confidential container solution, we also support configuring the QingTian Enclave device plugin in Kubernetes so that customer pods and containers can access the QingTian Enclave device driver. The device plugin applies to Cloud Container Engine (CCE) or customer-managed Kubernetes nodes. In addition, we provide a variety of QingTian Enclave open-source tools (such as qproxy) and security solutions to help more customers smoothly migrate to the QingTian Enclave environment without reconstructing application code and building systems.

Application scenarios of QingTian Enclave: QingTian Enclave provides an extremely isolated runtime environment for applications with the minimum attack surface. This environment does not allow elastic network interface (ENI) attachments and storage volume mounting, neither support network protocol stacks and persistent storage. It can access external networks only through the vsock channel connected to the primary instance and the network proxy of the primary instance. Even if the guest OS of the primary instance is completely attacked, the application code and data security in the Enclave environment are not affected. If users want to attach ENIs or mount storage volumes in the isolation environment, or intend to access GPU devices, QingTian Enclave is not a good choice. In this case, ECSs that support QingTian TPM are recommended.