使用基于 TPM 的证明授权受保护的主机Authorize guarded hosts using TPM-based attestation

适用于: Windows Server 2019、Windows Server (半年频道) 、Windows Server 2016Applies to: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016

TPM 模式使用 TPM 标识符 (也称为平台标识符或认可密钥 [ EKpub ]) ,以开始确定特定的主机是否授权为 "受保护"。TPM mode uses a TPM identifier (also called a platform identifier or endorsement key [EKpub]) to begin determining whether a particular host is authorized as "guarded." 此证明模式使用安全启动和代码完整性度量,以确保给定的 Hyper-v 主机处于正常状态,并且仅运行受信任的代码。This mode of attestation uses Secure Boot and code integrity measurements to ensure that a given Hyper-V host is in a healthy state and is running only trusted code. 为了证明证明哪些内容不正常,必须捕获以下项目:In order for attestation to understand what is and is not healthy, you must capture the following artifacts:

  1. TPM 标识符 (EKpub) TPM identifier (EKpub)

    • 此信息对于每个 Hyper-v 主机都是唯一的This information is unique to each Hyper-V host
  2. TPM 基线 (启动度量) TPM baseline (boot measurements)

    • 这适用于在同一硬件类上运行的所有 Hyper-v 主机This is applicable to all Hyper-V hosts that run on the same class of hardware
  3. 代码完整性策略 (允许的二进制文件的允许列表) Code integrity policy (an allowlist of allowed binaries)

    • 这适用于共享公用硬件和软件的所有 Hyper-v 主机This is applicable to all Hyper-V hosts that share common hardware and software

建议从 "引用主机" 捕获基线和 CI 策略,该 "引用主机" 代表数据中心内的每个独特的 Hyper-v 硬件配置类。We recommend that you capture the baseline and CI policy from a "reference host" that is representative of each unique class of Hyper-V hardware configuration within your datacenter. 从 Windows Server 版本1709开始,C:\Windows\schemas\CodeIntegrity\ExamplePolicies. 中包含了示例 CI 策略Beginning with Windows Server version 1709, sample CI policies are included at C:\Windows\schemas\CodeIntegrity\ExamplePolicies.

版本控制证明策略Versioned attestation policies

Windows Server 2019 引入了一种新的证明方法,称为 v2 证明,其中必须存在 TPM 证书才能将 EKPub 添加到 HGS。Windows Server 2019 introduces a new method for attestation, called v2 attestation, where a TPM certificate must be present in order to add the EKPub to HGS. Windows Server 2016 中使用的 v1 证明方法允许您通过在运行 Add-HgsAttestationTpmHost 或其他 TPM 证明 cmdlet 来捕获项目时指定-Force 标志来覆盖此安全检查。The v1 attestation method used in Windows Server 2016 allowed you to override this safety check by specifying the -Force flag when you run Add-HgsAttestationTpmHost or other TPM attestation cmdlets to capture the artifacts. 从 Windows Server 2019 开始,默认情况下使用 v2 证明,如果你需要在不使用证书的情况下注册 TPM,则在运行 Add-HgsAttestationTpmHost 时需要指定-PolicyVersion v1 标志。Beginning with Windows Server 2019, v2 attestation is used by default and you need to specify the -PolicyVersion v1 flag when you run Add-HgsAttestationTpmHost if you need to register a TPM without a certificate. -Force 标志不适用于 v2 证明。The -Force flag does not work with v2 attestation.

仅当所有项目 (EKPub + TPM 基准 + CI 策略) 使用同一版本的证明时,主机才能证明。A host can only attest if all artifacts (EKPub + TPM baseline + CI Policy) use the same version of attestation. 首先尝试 V2 证明,如果失败,则使用 v1 证明。V2 attestation is tried first, and if that fails, v1 attestation is used. 这意味着,如果需要使用 v1 证明注册 TPM 标识符,则在捕获 TPM 基线并创建 CI 策略时,还需要指定-PolicyVersion v1 标志来使用 v1 证明。This means if you need to register a TPM identifier by using v1 attestation, you need to also specify the -PolicyVersion v1 flag to use v1 attestation when you capture the TPM baseline and create the CI policy. 如果 TPM 基线和 CI 策略是使用 v2 证明创建的,稍后需要添加不包含 TPM 证书的受保护主机,则需要使用-PolicyVersion v1 标志重新创建每个项目。If the TPM baseline and CI policy were created by using v2 attestation and then later you need to add a guarded host without a TPM certificate, you need to re-create each artifact with the -PolicyVersion v1 flag.

捕获每个主机 (平台标识符或 EKpub) 的 TPM 标识符Capture the TPM identifier (platform identifier or EKpub) for each host

  1. 在 fabric 域中,确保每个主机上的 TPM 可供使用,即 TPM 已初始化并获得所有权。In the fabric domain, make sure the TPM on each host is ready for use - that is, the TPM is initialized and ownership obtained. 您可以通过在已提升权限的 Windows PowerShell 窗口中打开 TPM 管理控制台 () 或运行 Get tpm 来检查 tpm 的状态。You can check the status of the TPM by opening the TPM Management Console (tpm.msc) or by running Get-Tpm in an elevated Windows PowerShell window. 如果你的 TPM 未处于 " 就绪 " 状态,你将需要对其进行初始化并设置其所有权。If your TPM is not in the Ready state, you will need to initialize it and set its ownership. 此操作可在 TPM 管理控制台中或通过运行 " 初始化-TPM" 完成。This can be done in the TPM Management Console or by running Initialize-Tpm.

  2. 在每个受保护的主机上,在提升的 Windows PowerShell 控制台中运行以下命令以获取其 EKpub。On each guarded host, run the following command in an elevated Windows PowerShell console to obtain its EKpub. 对于 <HostName> ,请将唯一的主机名替换为标识此主机的合适名称-这可以是其主机名,也可以是构造清单服务 (使用的名称(如果可用) )。For <HostName>, substitute the unique host name with something suitable to identify this host - this can be its hostname or the name used by a fabric inventory service (if available). 为方便起见,请使用主机的名称命名输出文件。For convenience, name the output file using the host's name.

    (Get-PlatformIdentifier -Name '<HostName>').InnerXml | Out-file <Path><HostName>.xml -Encoding UTF8
    
  3. 对于将成为受保护主机的每个主机,请重复上述步骤,确保为每个 XML 文件指定一个唯一名称。Repeat the preceding steps for each host that will become a guarded host, being sure to give each XML file a unique name.

  4. 向 HGS 管理员提供生成的 XML 文件。Provide the resulting XML files to the HGS administrator.

  5. 在 HGS 域中,打开已提升权限的 Windows PowerShell 控制台,并运行以下命令。In the HGS domain, open an elevated Windows PowerShell console on an HGS server and run the following command. 为每个 XML 文件重复此命令。Repeat the command for each of the XML files.

    Add-HgsAttestationTpmHost -Path <Path><Filename>.xml -Name <HostName>
    

    备注

    如果在添加有关不受信任的认可密钥证书的 TPM 标识符 (EKCert) 时遇到错误,请确保已将 受信任的 TPM 根证书添加 到了 HGS 节点。If you encounter an error when adding a TPM identifier regarding an untrusted Endorsement Key Certificate (EKCert), ensure that the trusted TPM root certificates have been added to the HGS node. 此外,某些 TPM 供应商不使用 EKCerts。Additionally, some TPM vendors do not use EKCerts. 可以通过在记事本(如记事本)中打开 XML 文件来检查是否缺少 EKCert,并检查错误消息,指出找不到任何 EKCert。You can check if an EKCert is missing by opening the XML file in an editor such as Notepad and checking for an error message indicating no EKCert was found. 如果是这种情况,并且你信任计算机中的 TPM 是可信的,则可以使用参数向 -Force HGS 添加主机标识符。If this is the case, and you trust that the TPM in your machine is authentic, you can use the -Force parameter to add the host identifier to HGS. 在 Windows Server 2019 中,在使用时,还需要使用 -PolicyVersion v1 参数 -ForceIn Windows Server 2019, you need to also use the -PolicyVersion v1 parameter when using -Force. 这会创建与 Windows Server 2016 行为一致的策略,并将要求你在 -PolicyVersion v1 注册 CI 策略和 TPM 基线时使用。This creates a policy consistent with the Windows Server 2016 behavior and will require you to use -PolicyVersion v1 when registering the CI policy and the TPM baseline as well.

创建并应用代码完整性策略Create and apply a code integrity policy

代码完整性策略可帮助确保只允许运行你信任的可在主机上运行的可执行文件。A code integrity policy helps ensure that only the executables you trust to run on a host are allowed to run. 受信任的可执行文件外部的恶意软件和其他可执行文件将被阻止运行。Malware and other executables outside the trusted executables are prevented from running.

每个受保护的主机必须应用代码完整性策略,才能在 TPM 模式下运行受防护的 Vm。Each guarded host must have a code integrity policy applied in order to run shielded VMs in TPM mode. 你可以通过将其添加到 HGS 来指定你信任的确切代码完整性策略。You specify the exact code integrity policies you trust by adding them to HGS. 可以配置代码完整性策略,以强制实施策略、阻止任何不符合策略的软件,或者只是审核 (在策略中未定义的软件执行时记录事件) 。Code integrity policies can be configured to enforce the policy, blocking any software that does not comply with the policy, or simply audit (log an event when software not defined in the policy is executed).

从 Windows Server 版本1709开始,C:\Windows\schemas\CodeIntegrity\ExamplePolicies. 中的 Windows 提供了示例代码完整性策略Starting with Windows Server version 1709, sample code integrity policies are included with Windows at C:\Windows\schemas\CodeIntegrity\ExamplePolicies. 建议为 Windows Server 使用两个策略:Two policies are recommended for Windows Server:

  • AllowMicrosoft:允许由 Microsoft 签署的所有文件。AllowMicrosoft: Allows all files signed by Microsoft. 建议将此策略用于 SQL 或 Exchange 等服务器应用程序,或者如果服务器由 Microsoft 发布的代理进行监视,则建议使用此策略。This policy is recommended for server applications such as SQL or Exchange, or if the server is monitored by agents published by Microsoft.
  • DefaultWindows_Enforced:仅允许 Windows 中随附的文件,而不允许由 Microsoft 发布的其他应用程序,如 Office。DefaultWindows_Enforced: Allows only files that shipped in Windows and doesn't permit other applications released by Microsoft, such as Office. 对于仅运行内置服务器角色和功能(例如 Hyper-v)的服务器,建议使用此策略。This policy is recommended for servers that run only built-in server roles and features such as Hyper-V.

建议你首先在 audit (日志记录) 模式下创建 CI 策略,以查看它是否缺少任何内容,然后为主机生产工作负荷强制实施策略。It is recommended that you first create the CI policy in audit (logging) mode to see if it's missing anything, then enforce the policy for host production workloads.

如果使用 CIPolicy cmdlet 来生成自己的代码完整性策略,则需要确定要使用的规则级别。If you use the New-CIPolicy cmdlet to generate your own code integrity policy, you will need to decide the rule levels to use. 建议使用回退到哈希的主发布服务器级别,这样就可以在不更改 CI 策略的情况下更新已进行数字签名的大多数软件。We recommend a primary level of Publisher with fallback to Hash, which allows most digitally signed software to be updated without changing the CI policy. 同一发行者编写的新软件也可以安装在服务器上,而无需更改 CI 策略。New software written by the same publisher can also be installed on the server without changing the CI policy. 未进行数字签名的可执行文件将进行哈希处理-更新这些文件将需要你创建新的 CI 策略。Executables that are not digitally signed will be hashed -- updates to these files will require you to create a new CI policy. 有关可用 CI 策略规则级别的详细信息,请参阅 部署代码完整性策略:策略规则和文件规则 和 cmdlet 帮助。For more information about the available CI policy rule levels, see Deploy code integrity policies: policy rules and file rules and cmdlet help.

  1. 在引用主机上,生成新的代码完整性策略。On the reference host, generate a new code integrity policy. 以下命令在 发布服务器 级别上创建策略,并回退到 哈希The following commands create a policy at the Publisher level with fallback to Hash. 然后,它会将 XML 文件转换为二进制文件格式,Windows 和 HGS 需要分别应用和度量 CI 策略。It then converts the XML file to the binary file format Windows and HGS need to apply and measure the CI policy, respectively.

    New-CIPolicy -Level Publisher -Fallback Hash -FilePath 'C:\temp\HW1CodeIntegrity.xml' -UserPEs
    
    ConvertFrom-CIPolicy -XmlFilePath 'C:\temp\HW1CodeIntegrity.xml' -BinaryFilePath 'C:\temp\HW1CodeIntegrity.p7b'
    

    备注

    上述命令仅在审核模式下创建 CI 策略。The above command creates a CI policy in audit mode only. 它不会阻止未授权的二进制文件在主机上运行。It will not block unauthorized binaries from running on the host. 只应在生产中使用强制执行的策略。You should only use enforced policies in production.

  2. 使您的代码完整性策略文件 (XML 文件) 可以轻松地找到它。Keep your Code Integrity policy file (XML file) where you can easily find it. 稍后你将需要编辑此文件,以强制执行 CI 策略或合并以后对系统进行的更新。You will need to edit this file later to enforce the CI policy or merge in changes from future updates made to the system.

  3. 将 CI 策略应用到引用主机:Apply the CI policy to your reference host:

    1. 运行以下命令,将计算机配置为使用 CI 策略。Run the following command to configure the machine to use your CI policy. 你还可以将 CI 策略部署 组策略System Center Virtual Machine ManagerYou can also deploy the CI policy with Group Policy or System Center Virtual Machine Manager.

      Invoke-CimMethod -Namespace root/Microsoft/Windows/CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{ FilePath = "C:\temp\HW1CodeIntegrity.p7b" }
      
    2. 重新启动主机以应用该策略。Restart the host to apply the policy.

  4. 通过运行典型的工作负荷来测试代码完整性策略。Test the code integrity policy by running a typical workload. 这可能包括正在运行的 Vm、任何构造管理代理、备份代理或计算机上的故障排除工具。This may include running VMs, any fabric management agents, backup agents, or troubleshooting tools on the machine. 检查是否存在任何代码完整性冲突,并在必要时更新 CI 策略。Check if there are any code integrity violations and update your CI policy if necessary.

  5. 通过对更新的 CI 策略 XML 文件运行以下命令,将 CI 策略更改为强制模式。Change your CI policy to enforced mode by running the following commands against your updated CI policy XML file.

    Set-RuleOption -FilePath 'C:\temp\HW1CodeIntegrity.xml' -Option 3 -Delete
    
    ConvertFrom-CIPolicy -XmlFilePath 'C:\temp\HW1CodeIntegrity.xml' -BinaryFilePath 'C:\temp\HW1CodeIntegrity_enforced.p7b'
    
  6. 使用以下命令将 CI 策略应用到具有相同硬件和软件配置的所有主机 () :Apply the CI policy to all of your hosts (with identical hardware and software configuration) using the following commands:

    Invoke-CimMethod -Namespace root/Microsoft/Windows/CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{ FilePath = "C:\temp\HW1CodeIntegrity.p7b" }
    
    Restart-Computer
    

    备注

    将 CI 策略应用到主机和更新这些计算机上的任何软件时,请小心。Be careful when applying CI policies to hosts and when updating any software on these machines. 任何不符合 CI 策略的内核模式驱动程序都可能会阻止计算机启动。Any kernel mode drivers that are non-compliant with the CI Policy may prevent the machine from starting up.

  7. 在此示例中提供二进制文件 (, _ 并将) HW1CodeIntegrity。Provide the binary file (in this example, HW1CodeIntegrity_enforced.p7b) to the HGS administrator.

  8. 在 HGS 域中,将代码完整性策略复制到 HGS 服务器,并运行以下命令。In the HGS domain, copy the code integrity policy to an HGS server and run the following command.

    对于 <PolicyName> ,请指定 CI 策略的名称,该名称描述应用于的主机类型。For <PolicyName>, specify a name for the CI policy that describes the type of host it applies to. 最佳做法是在您的计算机的品牌/型号以及在其上运行的任何特殊软件配置后将其命名为。A best practice is to name it after the make/model of your machine and any special software configuration running on it.
    对于 <Path> ,指定代码完整性策略的路径和文件名。For <Path>, specify the path and filename of the code integrity policy.

    Add-HgsAttestationCIPolicy -Path <Path> -Name '<PolicyName>'
    

捕获每个独特硬件类的 TPM 基线Capture the TPM baseline for each unique class of hardware

你的数据中心结构中的每个独特硬件类都需要一个 TPM 基线。A TPM baseline is required for each unique class of hardware in your datacenter fabric. 再次使用 "引用主机"。Use a "reference host" again.

  1. 在引用主机上,请确保安装了 Hyper-v 角色和主机保护者 Hyper-v 支持功能。On the reference host, make sure that the Hyper-V role and the Host Guardian Hyper-V Support feature are installed.

    警告

    主机保护者 Hyper-v 支持功能可为可能与某些设备不兼容的代码完整性启用基于虚拟化的保护。The Host Guardian Hyper-V Support feature enables Virtualization-based protection of code integrity that may be incompatible with some devices. 在启用此功能之前,强烈建议在实验室中测试此配置。We strongly recommend testing this configuration in your lab before enabling this feature. 如果不这样做,可能会导致意外故障,其中包括数据丢失或蓝屏错误(也称为停止错误)。Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).

    Install-WindowsFeature Hyper-V, HostGuardian -IncludeManagementTools -Restart
    
  2. 若要捕获基线策略,请在提升的 Windows PowerShell 控制台中运行以下命令。To capture the baseline policy, run the following command in an elevated Windows PowerShell console.

    Get-HgsAttestationBaselinePolicy -Path 'HWConfig1.tcglog'
    

    备注

    如果引用主机未启用安全启动、有一个 IOMMU、启用和运行基于虚拟化的安全或已应用代码完整性策略,你将需要使用 -SkipValidation 标志。You will need to use the -SkipValidation flag if the reference host does not have Secure Boot enabled, an IOMMU present, Virtualization Based Security enabled and running, or a code integrity policy applied. 这些验证旨在让你了解在主机上运行受防护的 VM 的最低要求。These validations are designed to make you aware of the minimum requirements of running a shielded VM on the host. 使用-SkipValidation 标志不会更改 cmdlet 的输出;它仅静默处理错误。Using the -SkipValidation flag does not change the output of the cmdlet; it merely silences the errors.

  3. 向 HGS 管理员提供 TPM 基线 (TCGlog 文件) 。Provide the TPM baseline (TCGlog file) to the HGS administrator.

  4. 在 HGS 域中,将 TCGlog 文件复制到 HGS 服务器,并运行以下命令。In the HGS domain, copy the TCGlog file to an HGS server and run the following command. 通常情况下,会将策略命名为它所表示的硬件的类 (例如,"制造商型号修订" ) 。Typically, you will name the policy after the class of hardware it represents (for example, "Manufacturer Model Revision").

    Add-HgsAttestationTpmPolicy -Path <Filename>.tcglog -Name '<PolicyName>'
    

后续步骤Next step