Abstract: The integration of trusted computing into virtual computing systems can enable hardware-based protection of trustworthiness in application areas such as cloud computing and network function virtualization (NFV). In a virtual trusted platform module (vTPM) based on a physical trusted platform module (pTPM), each virtual machine (VM) can be viewed as having its own private TPM. However, the trustworthiness of the pTPM must be extended to the vTPM so that a challenger can believe the vTPM is the root of trust of the VM. Existing techniques mainly use a certificate chain to build a trust link from the pTPM to the vTPM. If these techniques were deployed in a scenario with frequent vTPM migrations, the cost of reacquiring new certificates for each migrated vTPM would be very high; moreover, the pTPM could not revoke its trust extension in real time, and they could not provide forward security. This paper presents an approach, vTPM dynamic trust extension (DTE), that satisfies the requirements of frequent migration. With DTE, a vTPM is a delegation of the capability to sign attestation data from the underlying pTPM, bound to one valid time token issued by an authentication server (AS). DTE maintains a strong association between a vTPM and its underlying pTPM, and keeps the two clearly distinguishable because of the different security strengths of the two types of TPM. In DTE, a vTPM need not re-acquire identity key (IK) certificate(s) after migration, and the pTPM can revoke trust in real time. Furthermore, DTE can provide forward security. Performance measurements and analysis of a prototype demonstrate that DTE is feasible.
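To make the delegation structure described above concrete, the following Go program models how a challenger could verify a DTE-style chain: a pTPM-signed delegation over the vTPM's signing key, an AS-issued time token that bounds the delegation's lifetime, and a quote signed by the delegated vTPM key. This is an added illustration, not the paper's protocol or prototype code: the use of Ed25519 for all three parties, the byte layouts of the signed messages, the token-ID field that links delegation and token, and the revocation list the pTPM pushes to the challenger are all assumptions made here. Because the delegation carries no host identity, migrating the vTPM to another host leaves the chain valid, which is the property the abstract attributes to DTE.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Delegation is the pTPM's statement that VTPMPub may sign attestation data on its
// behalf while the AS token TokenID is valid. It carries no host identity, so a
// migrated vTPM keeps using it unchanged. (Illustrative layout, not the paper's.)
type Delegation struct {
	PTPMPub ed25519.PublicKey
	VTPMPub ed25519.PublicKey
	TokenID uint64
	Sig     []byte // pTPM signature over delegationBytes(VTPMPub, TokenID)
}

// TimeToken is issued by the AS and bounds the delegation's lifetime.
type TimeToken struct {
	ID       uint64
	NotAfter time.Time
	Sig      []byte // AS signature over tokenBytes(ID, NotAfter)
}

// Attestation is a quote signed by the vTPM's delegated key.
type Attestation struct {
	Quote []byte
	Sig   []byte
}

func appendU64(b []byte, v uint64) []byte {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], v)
	return append(b, buf[:]...)
}

// Domain-separated message layouts (assumed here) so a delegation can never be
// mistaken for a token or a quote.
func delegationBytes(vtpmPub ed25519.PublicKey, tokenID uint64) []byte {
	return appendU64(append([]byte("DTE-delegation:"), vtpmPub...), tokenID)
}

func tokenBytes(id uint64, notAfter time.Time) []byte {
	return appendU64(appendU64([]byte("DTE-token:"), id), uint64(notAfter.Unix()))
}

// Verifier holds the challenger's trust anchors plus the revocation list the pTPM
// updates in real time (modeled as a set of revoked token IDs).
type Verifier struct {
	ASPub        ed25519.PublicKey
	TrustedPTPMs map[string]bool // keyed by string(public key)
	Revoked      map[uint64]bool
}

// Verify checks the full chain pTPM -> delegation -> AS token -> vTPM quote.
func (v *Verifier) Verify(d Delegation, tok TimeToken, att Attestation, now time.Time) error {
	if len(d.PTPMPub) != ed25519.PublicKeySize || !v.TrustedPTPMs[string(d.PTPMPub)] {
		return errors.New("pTPM not trusted")
	}
	if !ed25519.Verify(d.PTPMPub, delegationBytes(d.VTPMPub, d.TokenID), d.Sig) {
		return errors.New("bad delegation signature")
	}
	if tok.ID != d.TokenID || !ed25519.Verify(v.ASPub, tokenBytes(tok.ID, tok.NotAfter), tok.Sig) {
		return errors.New("time token does not match delegation or has a bad signature")
	}
	if !now.Before(tok.NotAfter) {
		return errors.New("time token expired")
	}
	if v.Revoked[tok.ID] {
		return errors.New("delegation revoked by pTPM")
	}
	if len(d.VTPMPub) != ed25519.PublicKeySize || !ed25519.Verify(d.VTPMPub, att.Quote, att.Sig) {
		return errors.New("bad attestation signature")
	}
	return nil
}

// Scenario builds a chain with constructed keys and reports whether the challenger
// accepts the valid chain, rejects it after expiry, and rejects it after revocation.
func Scenario() (validOK, expiredRejected, revokedRejected bool) {
	asPub, asPriv, _ := ed25519.GenerateKey(rand.Reader)
	pPub, pPriv, _ := ed25519.GenerateKey(rand.Reader)
	vPub, vPriv, _ := ed25519.GenerateKey(rand.Reader)

	now := time.Unix(1700000000, 0) // constructed clock value
	tok := TimeToken{ID: 42, NotAfter: now.Add(time.Hour)}
	tok.Sig = ed25519.Sign(asPriv, tokenBytes(tok.ID, tok.NotAfter))

	d := Delegation{PTPMPub: pPub, VTPMPub: vPub, TokenID: tok.ID}
	d.Sig = ed25519.Sign(pPriv, delegationBytes(vPub, tok.ID))

	quote := []byte("constructed sample PCR digest of the VM")
	att := Attestation{Quote: quote, Sig: ed25519.Sign(vPriv, quote)}

	v := &Verifier{ASPub: asPub, TrustedPTPMs: map[string]bool{string(pPub): true}, Revoked: map[uint64]bool{}}
	validOK = v.Verify(d, tok, att, now) == nil
	expiredRejected = v.Verify(d, tok, att, now.Add(2*time.Hour)) != nil
	v.Revoked[tok.ID] = true // pTPM withdraws its trust extension
	revokedRejected = v.Verify(d, tok, att, now) != nil
	return
}

func main() {
	ok, exp, rev := Scenario()
	fmt.Println("valid chain accepted:", ok, "| expired rejected:", exp, "| revoked rejected:", rev)
}
```

The two rejection paths are what distinguish this design from a plain certificate chain: the token's `NotAfter` bounds how long a delegated key remains usable, and the pTPM-driven revocation set is consulted on every verification rather than at certificate issuance time.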