Guarded fabric and shielded VMs overview

Applies to: Windows Server 2019, Windows Server (Semi-Annual Channel), Windows Server 2016

Overview of the guarded fabric

Virtualization security is a major investment area in Hyper-V. In addition to protecting hosts or other virtual machines from a virtual machine running malicious software, we also need to protect virtual machines from a compromised host. This is a fundamental danger for every virtualization platform today, whether it's Hyper-V, VMware or any other. Quite simply, if a virtual machine gets out of an organization (either maliciously or accidentally), that virtual machine can be run on any other system. Protecting high value assets in your organization, such as domain controllers, sensitive file servers, and HR systems, is a top priority.

To help protect against a compromised virtualization fabric, Windows Server 2016 Hyper-V introduced shielded VMs. A shielded VM is a generation 2 VM (supported on Windows Server 2012 and later) that has a virtual TPM, is encrypted using BitLocker, and can run only on healthy and approved hosts in the fabric. Shielded VMs and guarded fabric enable cloud service providers or enterprise private cloud administrators to provide a more secure environment for tenant VMs.

A guarded fabric consists of:

  • 1 Host Guardian Service (HGS) (typically, a cluster of 3 nodes)
  • 1 or more guarded hosts
  • A set of shielded virtual machines.

The diagram below shows how the Host Guardian Service uses attestation to ensure that only known, valid hosts can start the shielded VMs, and key protection to securely release the keys for shielded VMs.

When a tenant creates shielded VMs that run on a guarded fabric, the Hyper-V hosts and the shielded VMs themselves are protected by the HGS. The HGS provides two distinct services: attestation and key protection. The Attestation service ensures only trusted Hyper-V hosts can run shielded VMs, while the Key Protection Service provides the keys necessary to power them on and to live migrate them to other guarded hosts.

Figure: guarded host fabric.

Video: Introduction to shielded virtual machines

Attestation modes in the Guarded Fabric solution

The HGS supports different attestation modes for a guarded fabric:

  • TPM-trusted attestation (hardware-based)
  • Host key attestation (based on asymmetric key pairs)

TPM-trusted attestation is recommended because it offers stronger assurances, as explained in the following table, but it requires that your Hyper-V hosts have TPM 2.0. If you currently do not have TPM 2.0 or any TPM, you can use host key attestation. If you decide to move to TPM-trusted attestation when you acquire new hardware, you can switch the attestation mode on the Host Guardian Service with little or no interruption to your fabric.

| Attestation mode you choose for hosts | Host assurances |
| --- | --- |
| TPM-trusted attestation | Offers the strongest possible protections but also requires more configuration steps. Host hardware and firmware must include TPM 2.0 and UEFI 2.3.1 with Secure Boot enabled. Guarded hosts are approved based on their TPM identity, Measured Boot sequence, and code integrity policies to ensure they only run approved code. |
| Host key attestation | Intended to support existing host hardware where TPM 2.0 is not available. Requires fewer configuration steps and is compatible with commonplace server hardware. Guarded hosts are approved based on possession of the key. |

Another mode named Admin-trusted attestation is deprecated beginning with Windows Server 2019. This mode was based on guarded host membership in a designated Active Directory Domain Services (AD DS) security group. Host key attestation provides similar host identification and is easier to set up.

Assurances provided by the Host Guardian Service

HGS, together with the methods for creating shielded VMs, helps provide the following assurances.

| Type of assurance for VMs | Shielded VM assurances, from Key Protection Service and from creation methods for shielded VMs |
| --- | --- |
| BitLocker encrypted disks (OS disks and data disks) | Shielded VMs use BitLocker to protect their disks. The BitLocker keys needed to boot the VM and decrypt the disks are protected by the shielded VM's virtual TPM using industry-proven technologies such as secure measured boot. While shielded VMs only automatically encrypt and protect the operating system disk, you can encrypt data drives attached to the shielded VM as well. |
| Deployment of new shielded VMs from "trusted" template disks/images | When deploying new shielded VMs, tenants are able to specify which template disks they trust. Shielded template disks have signatures that are computed at a point in time when their content is deemed trustworthy. The disk signatures are then stored in a signature catalog, which tenants securely provide to the fabric when creating shielded VMs. During provisioning of shielded VMs, the signature of the disk is computed again and compared to the trusted signatures in the catalog. If the signatures match, the shielded VM is deployed. If the signatures do not match, the shielded template disk is deemed untrustworthy and deployment fails. |
| Protection of passwords and other secrets when a shielded VM is created | When creating VMs, it is necessary to ensure that VM secrets, such as the trusted disk signatures, RDP certificates, and the password of the VM's local Administrator account, are not divulged to the fabric. These secrets are stored in an encrypted file called a shielding data file (a .PDK file), which is protected by tenant keys and uploaded to the fabric by the tenant. When a shielded VM is created, the tenant selects the shielding data to use, which securely provides these secrets only to the trusted components within the guarded fabric. |
| Tenant control of where the VM can be started | Shielding data also contains a list of the guarded fabrics on which a particular shielded VM is permitted to run. This is useful, for example, in cases where a shielded VM typically resides in an on-premises private cloud but may need to be migrated to another (public or private) cloud for disaster recovery purposes. The target cloud or fabric must support shielded VMs and the shielded VM must permit that fabric to run it. |

What is shielding data and why is it necessary?

A shielding data file (also called a provisioning data file or PDK file) is an encrypted file that a tenant or VM owner creates to protect important VM configuration information, such as the administrator password, RDP and other identity-related certificates, domain-join credentials, and so on. A fabric administrator uses the shielding data file when creating a shielded VM, but is unable to view or use the information contained in the file.

Among others, a shielding data file contains secrets such as:

  • Administrator credentials
  • An answer file (unattend.xml)
  • A security policy that determines whether VMs created using this shielding data are configured as shielded or encryption supported
    • Remember, VMs configured as shielded are protected from fabric admins, whereas encryption supported VMs are not
  • An RDP certificate to secure remote desktop communication with the VM
  • A volume signature catalog that contains a list of trusted, signed template-disk signatures that a new VM is allowed to be created from
  • A Key Protector (or KP) that defines which guarded fabrics a shielded VM is authorized to run on

The shielding data file (PDK file) provides assurances that the VM will be created in the way the tenant intended. For example, when the tenant places an answer file (unattend.xml) in the shielding data file and delivers it to the hosting provider, the hosting provider cannot view or make changes to that answer file. Similarly, the hosting provider cannot substitute a different VHDX when creating the shielded VM, because the shielding data file contains the signatures of the trusted disks that shielded VMs can be created from.

The following figure shows the shielding data file and related configuration elements.

Figure: the shielding data file and related configuration elements.

What are the types of virtual machines that a guarded fabric can run?

Guarded fabrics are capable of running VMs in one of three possible ways:

  1. A normal VM offering no protections above and beyond previous versions of Hyper-V
  2. An encryption-supported VM whose protections can be configured by a fabric admin
  3. A shielded VM whose protections are all switched on and cannot be disabled by a fabric admin

Encryption-supported VMs are intended for use where the fabric administrators are fully trusted. For example, an enterprise might deploy a guarded fabric in order to ensure VM disks are encrypted at rest for compliance purposes. Fabric administrators can continue to use convenient management features, such as VM console connections, PowerShell Direct, and other day-to-day management and troubleshooting tools.

Shielded VMs are intended for use in fabrics where the data and state of the VM must be protected from both fabric administrators and untrusted software that might be running on the Hyper-V hosts. For example, shielded VMs will never permit a VM console connection, whereas a fabric administrator can turn this protection on or off for encryption-supported VMs.

The following table summarizes the differences between encryption-supported and shielded VMs.

| Capability | Generation 2 Encryption Supported | Generation 2 Shielded |
| --- | --- | --- |
| Secure Boot | Yes, required but configurable | Yes, required and enforced |
| vTPM | Yes, required but configurable | Yes, required and enforced |
| Encrypt VM state and live migration traffic | Yes, required but configurable | Yes, required and enforced |
| Integration components | Configurable by fabric admin | Certain integration components blocked (e.g. data exchange, PowerShell Direct) |
| Virtual Machine Connection (Console), HID devices (e.g. keyboard, mouse) | On, cannot be disabled | Enabled on hosts beginning with Windows Server version 1803; disabled on earlier hosts |
| COM/Serial ports | Supported | Disabled (cannot be enabled) |
| Attach a debugger (to the VM process) [1] | Supported | Disabled (cannot be enabled) |

[1] Traditional debuggers that attach directly to a process, such as WinDbg.exe, are blocked for shielded VMs because the VM's worker process (VMWP.exe) is a protected process light (PPL). Alternative debugging techniques, such as those used by LiveKd.exe, are not blocked. Unlike shielded VMs, the worker process for encryption-supported VMs does not run as a PPL, so traditional debuggers like WinDbg.exe continue to function normally.

Both shielded VMs and encryption-supported VMs continue to support commonplace fabric management capabilities, such as Live Migration, Hyper-V Replica, VM checkpoints, and so on.

The Host Guardian Service in action: How a shielded VM is powered on

Figure: shielding data file.

  1. VM01 is powered on. Before a guarded host can power on a shielded VM, it must first be affirmatively attested that it is healthy. To prove it is healthy, it must present a certificate of health to the Key Protection Service (KPS). The certificate of health is obtained through the attestation process.

  2. Host requests attestation. The guarded host requests attestation. The mode of attestation is dictated by the Host Guardian Service:

    • TPM-trusted attestation: the Hyper-V host sends information that includes:

      • TPM-identifying information (its endorsement key)

      • Information about processes that were started during the most recent boot sequence (the TCG log)

      • Information about the Code Integrity (CI) policy that was applied on the host.

        Attestation happens when the host starts and every 8 hours thereafter. If for some reason a host doesn't have an attestation certificate when a VM tries to start, this also triggers attestation.

    • Host key attestation: the Hyper-V host sends the public half of the key pair. HGS validates that the host key is registered.

    • Admin-trusted attestation: the Hyper-V host sends a Kerberos ticket, which identifies the security groups that the host is in. HGS validates that the host belongs to a security group that was configured earlier by the trusted HGS admin.

  3. Attestation succeeds (or fails). The attestation mode determines which checks are needed to successfully attest that the host is healthy. With TPM-trusted attestation, the host's TPM identity, boot measurements, and code integrity policy are validated. With host key attestation, only registration of the host key is validated.

  4. Attestation certificate sent to host. Assuming attestation was successful, a health certificate is sent to the host and the host is considered "guarded" (authorized to run shielded VMs). The host uses the health certificate to authorize the Key Protection Service to securely release the keys needed to work with shielded VMs.

  5. Host requests VM key. Guarded hosts do not have the keys needed to power on a shielded VM (VM01 in this case). To obtain the necessary keys, the guarded host must provide the following to KPS:

    • The current health certificate
    • An encrypted secret (a Key Protector or KP) that contains the keys necessary to power on VM01. The secret is encrypted using other keys that only KPS knows.

  6. Release of key. KPS examines the health certificate to determine its validity. The certificate must not have expired, and KPS must trust the attestation service that issued it.

  7. Key is returned to host. If the health certificate is valid, KPS attempts to decrypt the secret and securely return the keys needed to power on the VM. Note that the keys are encrypted to the guarded host's VBS.

  8. Host powers on VM01.
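The eight steps above as a runnable model, written for this page (it is not Microsoft's HGS implementation) and limited to host key attestation mode: HMAC-SHA256 stands in for the real certificate signatures, a SHA-256 keystream XOR stands in for the real encryption of the Key Protector and of the keys returned to the host's VBS, and no TPM or measured-boot data is modelled. The names `HostGuardianService`, `power_on` and the constructed host keys are assumptions of this example.

```python
"""Constructed model of a shielded VM power-on in host key attestation mode.
Not Microsoft's HGS code: HMAC-SHA256 replaces certificate signatures, a
SHA-256 keystream XOR replaces real encryption, TPM checks are not modelled."""
import hashlib
import hmac
import os
import time

CERT_LIFETIME = 8 * 3600  # hosts re-attest at boot and every 8 hours thereafter

def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encryption for up to 32 bytes: XOR with a SHA-256 keystream."""
    nonce = os.urandom(16)
    stream = hashlib.sha256(key + nonce).digest()
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))

def _open(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(c ^ s for c, s in zip(body, stream))

class HostGuardianService:
    """Attestation service and Key Protection Service (KPS) of one fabric."""

    def __init__(self):
        self._attest_key = os.urandom(32)   # signs health certificates
        self._kps_key = os.urandom(32)      # only KPS can open a Key Protector
        self._registered = set()            # host keys the HGS admin registered

    def register_host_key(self, host_key: bytes) -> None:
        self._registered.add(host_key)

    def make_key_protector(self, vm_key: bytes) -> bytes:
        """KP: the VM's keys sealed so that only KPS can release them."""
        return _seal(self._kps_key, vm_key)

    def attest(self, host_key: bytes, now: float):
        """Steps 2-4: in host key mode only registration of the key is checked."""
        if host_key not in self._registered:
            return None                     # attestation fails; host not guarded
        body = host_key.hex() + "|" + str(int(now + CERT_LIFETIME))
        tag = hmac.new(self._attest_key, body.encode(), "sha256").hexdigest()
        return body + "|" + tag             # the health certificate

    def release_key(self, host_key: bytes, cert: str, kp: bytes, now: float):
        """Steps 5-7: the cert must be ours, unexpired and issued to this host."""
        body, _, tag = cert.rpartition("|")
        expected = hmac.new(self._attest_key, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("health certificate not issued by trusted HGS")
        cert_host, expires = body.split("|")
        if cert_host != host_key.hex() or now > int(expires):
            raise PermissionError("health certificate expired or for another host")
        vm_key = _open(self._kps_key, kp)       # KPS decrypts the KP
        return _seal(host_key, vm_key)          # re-encrypted to the host's VBS

def power_on(hgs: HostGuardianService, host_key: bytes, kp: bytes, now=None):
    """The host's side of steps 1-8; returns the VM key, or None if not guarded."""
    now = time.time() if now is None else now
    cert = hgs.attest(host_key, now)
    if cert is None:
        return None
    return _open(host_key, hgs.release_key(host_key, cert, kp, now))
```

An unregistered host never obtains a certificate, and a stale or tampered certificate is rejected at the KPS step even though the host holds a valid-looking KP.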

Guarded fabric and shielded VM glossary

| Term | Definition |
| --- | --- |
| Host Guardian Service (HGS) | A Windows Server role that is installed on a secured cluster of bare-metal servers and is able to measure the health of a Hyper-V host and release keys to healthy Hyper-V hosts when powering on or live migrating shielded VMs. These two capabilities are fundamental to a shielded VM solution and are referred to as the Attestation service and Key Protection Service respectively. |
| guarded host | A Hyper-V host on which shielded VMs can run. A host can only be considered guarded when it has been deemed healthy by the HGS Attestation service. Shielded VMs cannot be powered on or live migrated to a Hyper-V host that has not yet attested or that failed attestation. |
| guarded fabric | The collective term used to describe a fabric of Hyper-V hosts and their Host Guardian Service that has the ability to manage and run shielded VMs. |
| shielded virtual machine (VM) | A virtual machine that can only run on guarded hosts and is protected from inspection, tampering and theft by malicious fabric admins and host malware. |
| fabric administrator | A public or private cloud administrator that can manage virtual machines. In the context of a guarded fabric, a fabric administrator does not have access to shielded VMs, or to the policies that determine which hosts shielded VMs can run on. |
| HGS administrator | A trusted administrator in the public or private cloud that has the authority to manage the policies and cryptographic material for guarded hosts, that is, hosts on which a shielded VM can run. |
| provisioning data file or shielding data file (PDK file) | An encrypted file that a tenant or user creates to hold important VM configuration information and to protect that information from access by others. For example, a shielding data file can contain the password that will be assigned to the local Administrator account when the VM is created. |
| Virtualization-based Security (VBS) | A Hyper-V based processing and storage environment that is protected from administrators. Virtual Secure Mode provides the system with the ability to store operating system keys that are not visible to an operating system administrator. |
| virtual TPM | A virtualized version of a Trusted Platform Module (TPM). Beginning with Hyper-V in Windows Server 2016, you can provide a virtual TPM 2.0 device so that virtual machines can be encrypted, just as a physical TPM allows a physical machine to be encrypted. |

Additional References