An organization's virtualization team wants to replicate the security features of a discrete chip for multiple hosted guests, including key storage and measurement functions. Which method best addresses these requirements while maintaining a high level of hardware abstraction?
Maintain a centralized secrets repository that stores all cryptographic materials for every guest
Place a dedicated physical security device on each system and share it among the hosted guests
Configure a hypervisor-managed module that emulates hardware security features for each instance
Use a library in the guest operating system for key storage and measurement tracking
A hypervisor-managed module emulates hardware-level functionality and can provide cryptographic operations, secure key storage, and attestation to each hosted instance, mirroring the capabilities of a discrete security chip. A hardware-based module shared among guests does not adequately scale, a simple software-based library may lack essential integrity measurements, and a separate vault offers encryption but does not provide the same boot measurement or hardware-like abstraction.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a hypervisor-managed module?
Open an interactive chat with Bash
What is attestation in the context of virtualization?
Open an interactive chat with Bash
How does a hypervisor-managed module differ from a centralized secrets repository?