The Service VM is a lightweight, bare-metal virtual machine specifically designed to run various services for other virtual machines. It fulfills the following requirements:
The secret is an encrypted random array that can only be decrypted by pVM Firmware. It is incorporated into the CDI values calculation of each VM loaded by pVM Firmware to ensure consistent CDI values for the VM across all reboots.
The RKP VM is a key dependency of the Service VM. It is a virtual machine that undergoes validation by the RKP Server and acts as a remotely provisioned component for verifying the integrity of other virtual machines.
The RKP VM is recognized and attested by the RKP server, which acts as a trusted entity responsible for verifying the DICE chain of the RKP VM. This verification ensures that the RKP VM is operating on a genuine device. Additionally, the RKP VM is validated by the pVM Firmware, as part of the verified boot process.
Once the RKP VM is successfully attested, it assumes the role of a trusted platform to attest client VMs. It leverages its trusted status to validate the integrity of the DICE chain associated with each client VM. This validation process verifies that the client VMs are running in the expected Microdroid VM environment, and certifies the payload executed within the VM. Currently, only Microdroid VMs are supported.