Description
The Confidential Computing microconference focuses on solutions for developing and using state-of-the-art encryption technologies for live encryption of data, and on how to utilize the technologies from AMD (SEV), Intel (TDX), s390 and ARM Secure Virtualization for secure computation of VMs, containers and more.
Joerg Roedel (SUSE), 21/09/2021, 07:00

Wei Wang (Intel Corp.), 21/09/2021, 07:05
The Intel Trust Domain Extension (TDX) technology extends VMX and MKTME to enhance guest data security by isolating guests from host software, including VMM/hypervisor. Live migration support for such isolated guests (i.e. TDs) facilitates the deployment of TD guests in the cloud.
This talk presents the QEMU/KVM design of TDX live migration and initial PoC results for the migration...

Ashish Kalra, 21/09/2021, 07:30
Discussion on Live Migration of AMD SEV encrypted VMs.
Link to the latest posted (KVM) patch for SEV live migration: https://lore.kernel.org/lkml/cover.1623174621.git.ashish.kalra@amd.com/
Discussions on Guest APIs, specifically if the APIs can cover both AMD SEV and Intel TDX platforms and exploring common interfaces which can be re-used for both the above platforms, for example,...

Andi Kleen, Sathyanarayanan Kuppuswamy, Elena Reshetova, 21/09/2021, 08:00
Intel TDX is an upcoming confidential computing platform for running encrypted guests on untrusted hosts on Intel servers. It requires paravirtualization to do any required emulation inside the guest. There are some unique challenges, in particular in hardening the Linux guest code against untrusted host input through MMIO, port and other IO, which is a new security challenge for Linux. The...
Ashish Kalra, 21/09/2021, 08:35
Debug Support for AMD SEV Encrypted VMs.
Discussion on QEMU debug support for memory encrypted guests like AMD SEV/Intel TDX.
Debug requires access to the guest pages, which are encrypted when SEV/TDX is enabled. Discussion on exploring common interfaces which can be re-used for both AMD SEV and Intel TDX platforms with regard to encrypted guest memory access for debug in...

Samuel Ortiz, 21/09/2021, 08:55
Nowadays, containers are a private and public cloud commodity. Isolating and protecting containerized workloads not only from each other but also from the infrastructure owner is becoming a necessity.
In this presentation we will describe how we’re planning to use confidential computing hardware implementations to build a confidential containers software stack. By combining the hardware...
Jakob Naucke (IBM Corp.), 21/09/2021, 09:20
As confidential computing gains traction, several technologies that are based on a secure hypervisor are emerging.
Besides SEV (AMD), PEF (Power), and TDX (Intel), IBM Z's Secure Execution enables running a guest that even an administrator cannot look into or tamper with.
At the same time, it becomes desirable to run an OCI container workload in a secure context. The Kata Containers...

Marc Orr (Google), 21/09/2021, 09:50
We’ll enumerate pain points that we’ve encountered in deploying (or trying to deploy) Linux CVMs on Google’s public cloud, called Google Compute Engine (GCE), which is built on top of Linux. Example pain points include RMP violations crashing host machines, kexec and kdump not working on SNP-enabled hosts, guest kernel SWIOTLB bugs, incomplete/lacking test infrastructure, and more! Then, as a...
Jim Cadden (IBM Research), James Bottomley (IBM Research), 21/09/2021, 10:15
Attestation is an important step in the setup of a confidential enclave in a public cloud environment. Through this process a guest owner can externally validate the software being run in their enclave before any confidential information is exposed. In this talk, we discuss the design and challenges of measuring and validating a guest enclave, and safely injecting guest owner secrets into the...
Stefan Deml, Andras Slemmer (decentriq), 21/09/2021, 10:40
Confidential Computing can enable several use-cases which rely on the ability to run computations remotely on sensitive data securely without having to trust the infrastructure provider. One required building block for this is verifiable control flow integrity on the remote machine: ensuring that the running compute is doing what it's supposed to.
With hand-written Intel SGX the code...
Encryption technologies which protect data while in transit (SSL, VPNs) and at rest (disk encryption) are available and used for a long time already. Encryption technologies for data while it is processed are a recent addition to CPUs from various vendors. Examples are AMD SEV, Intel TDX and IBM Secure Execution on s390x.
The Linux kernel recently gained support for SEV-ES to protect data...