Login

Linux Plumbers Conference 2021

20–24 Sept 2021
US/Pacific timezone

2021

Session

Confidential Computing MC

21 Sept 2021, 07:00

Description

The Confidential Computing microconference focuses on solutions to the development of using the state of the art encyption technologies for live encryption of data, and how to utilize the technologies from AMD (SEV), Intel (TDX), s390 and ARM Secure Virtualization for secure computation of VMs, containers and more.

Presentation materials

There are no materials yet.
255. Confidential Computing MC Welcome
Joerg Roedel (SUSE)
21/09/2021, 07:00
42. Live Migration of TD Guest
Wei Wang (Intel Corp.)
21/09/2021, 07:05

The Intel Trust Domain Extension (TDX) technology extends VMX and MKTME to enhance guest data security by isolating guests from host software, including VMM/hypervisor. Live migration support for such isolated guests (i.e. TDs) facilitates the deployment of TD guests in the cloud.
This talk presents the QEMU/KVM design of TDX live migration and initial PoC results for the migration...
38. Live Migration of Confidential VMs
Ashish Kalra
21/09/2021, 07:30

Discussion on Live Migration of AMD SEV encrypted VMs.

Link to the latest posted (KVM) patch for SEV live migration :
https://lore.kernel.org/lkml/cover.1623174621.git.ashish.kalra@amd.com/

Discussions on Guest APIs, specifically if the APIs can cover both
AMD SEV and Intel TDX platforms and exploring common interfaces
which can be re-used for both the above platforms, for example,...
53. TDX Linux guest
Andi Kleen, Sathyanarayanan Kuppuswamy, Elena Reshetova
21/09/2021, 08:00

Intel TDX is an upcoming confidential computing platform for running encrypted guests on untrusted hosts on Intel servers. It requires para virtualization to do any required emulation inside the guest. There are some unique challenges, in particular in hardening the Linux guest code against untrusted host input through MMIO, port and other IO, which is a new security challenge for Linux. The...
39. Debug Support for Confidential VMs
Ashish Kalra
21/09/2021, 08:35

Debug Support for AMD SEV Encrypted VMs.

Discussion on QEMU debug support for memory encrypted guests like AMD SEV/Intel TDX.
Debug requires access to the guest pages, which are encrypted when SEV/TDX is enabled.

Discussion on exploring common interfaces which can be re-used for both
AMD SEV and Intel TDX platforms with regard to encrypted guest memory access for
debug in...
25. Running Confidential Containers
Samuel Ortiz
21/09/2021, 08:55

Nowadays, containers are a private and public cloud commodity. Isolating and protecting containerized workloads not only from each other but also from the infrastructure owner is becoming a necessity.

In this presentation we will describe how we’re planning to use confidential computing hardware implementations to build a confidential containers software stack. By combining the hardware...
73. Confidential Computing with Secure Execution (IBM Z)
Jakob Naucke (IBM Corp.)
21/09/2021, 09:20

As confidential computing gains traction, several technologies that are based on a secure hypervisor are emerging.
Besides SEV (AMD), PEF (Power), and TDX (Intel), IBM Z's Secure Execution enables running a guest that even an administrator cannot look into or tamper with.
At the same time, it becomes desirable to run an OCI container workload in a secure context.

The Kata Containers...
110. Deploying CVMs at scale via Linux
Marc Orr (Google)
21/09/2021, 09:50

We’ll enumerate pain points that we’ve encountered in deploying (or trying to deploy) Linux CVMs on Google’s public cloud, called Google Compute Engine (GCE), which is built on top of Linux. Example pain points include RMP violations crashing host machines, kexec and kdump not working on SNP-enabled hosts, guest kernel SWIOTLB bugs, incomplete/lacking test infrastructure, and more! Then, as a...
197. Attestation and Secret Injection for Confidential VMs & Containers/Pods
Jim Cadden (IBM Research), James Bottomley (IBM Research)
21/09/2021, 10:15

Attestation is an important step in the setup of a confidential enclave in a public cloud environment. Through this process a guest owner can externally validate the software being run in their enclave before any confidential information is exposed. In this talk, we discuss the design and challenges of measuring and validating a guest enclave, and safely injecting guest owner secrets into the...
245. Securing trusted boot of confidential VMs
Stefan Deml, Andras Slemmer (decentriq)
21/09/2021, 10:40

Confidential Computing can enable several use-cases which rely on the ability to run computations remotely on sensitive data securely without having to trust the infrastructure provider. One required building block for this is verifiable control flow integrity on the remote machine: ensuring that the running compute is doing what it's supposed to.

With hand-written Intel SGX the code...
9. Confidential Computing Microconference

Encryption technologies which protect data while in transit (SSL, VPNs) and at rest (disk encryption) are available and used for a long time already. Encryption technologies for data while it is processed are a recent addition to CPUs from various vendors. Examples are AMD SEV, Intel TDX and IBM Secure Execution on s390x.

The Linux kernel recently gained support for SEV-ES to protect data...
Building timetable...

Diamond Sponsor

Platinum Sponsor

Gold Sponsors

Silver Sponsors

Speaker Gift Sponsor

T-Shirt Sponsor

Conference Services provided by

Powered by Indico