Jianxiong Gao, 13/09/2022, 10:00
Confidential compute is developing fast. However, at Google we are facing challenges regarding the maintenance and support of guest distros. In particular, we’re finding it difficult to maintain an efficient way of communicating with different distros and hard to test, validate, and merge fixes into guest distros.
Backporting fixes
Customers do not always run the guest with the latest...

Michael Roth (AMD), 13/09/2022, 10:20
Unmapped Private Memory (UPM) has been proposed as a new way to manage private guest memory for KVM guests. This session is intended to address any outstanding items related to the development/planning of Unmapped Private Memory support (UPM) for confidential guests. Some potential topics are listed below (though the actual agenda will be centered around topics that are still outstanding at...
Dov Murik (IBM), Tobin Feldman-Fitzthum (IBM), 13/09/2022, 10:40
Confidential Computing technologies offer guest memory encryption, but there’s no standard way to securely start a confidential VM with encrypted disk. Such VMs must unlock the disk inside the guest, so the passphrase is not accessible to the host. However, in TDX and SEV-SNP guest attestation and secure secret injection depend on guest kernel features, so grub cannot be used for unlocking....
Peter Gonda (Google), 13/09/2022, 11:00
Device Identifier Composition Engine (DICE) is a measured boot solution for systems without a TPM or similar hardware based capabilities. DICE is a layered approach meaning that each layer or software component of a boot takes inputs from the previous layer, its measurement and certificate, and then generates the same for the next phase of the boot. The output of this layering provides a...
Elena Reshetova (Intel), 13/09/2022, 11:20
A lot of effort in the past couple of years has been spent on enabling various CC HW technologies (AMD SEV, Intel TDX) to be able to support Linux guests. However, in order to be able to provide an adequate level of security for CC Linux guests (regardless of the underlying chosen HW technology), we need to collaborate together to harden the core Linux kernel codebase, as well as drivers that are...
Mr Samuel Ortiz (Rivos), 13/09/2022, 12:10
While a lot of efforts are being put towards platform enabling for confidential computing, there's one fundamental part of the technology that we ignore more often than not: Attestation.
Without having a way to verify that the data we're trying to protect with confidential computing platforms is generated by a TCB that we know and validate, the whole confidential computing trust model falls...
Jacky Li (Google), Marc Orr (Google), 13/09/2022, 12:30
We will present an evaluation of concurrent boot time of CVMs running under AMD’s SEV-SNP technology. Specifically, we will discuss how booting SNP VMs concurrently can significantly slow each other down due to software bottlenecks in managing the RMP page state.
Then, we will discuss different mitigations that we’ve identified ranging from reducing lock contention to rate limiting Page...
Sagi Shahar (Google), 13/09/2022, 12:50
The new TDX architecture makes changes to the hardware and the host and guest software stacks.
All of these components are being developed simultaneously and are constantly changing. As the host kernel changes, we need a system to test its functionality which is independent from the guest enlightenment changes and doesn’t rely on a fully functional system which doesn’t exist yet. We...

Ashish Kalra, 13/09/2022, 13:10
Discussion about SEV-SNP support for Restricted Interrupt Injection and Alternate Interrupt Injection. These features enforce additional interrupt and event injection security protections designed to help protect against malicious injection attacks. Safe isolation between an SNP-protected guest and its host environment requires restrictions on the type of exception and interrupt dispatch that...