Confidential computing directly addresses the question of trust between cloud providers and their customers, with guarantees of data security for guest machines enforced by the underlying hardware of the cloud. According to the Confidential Computing Consortium, confidential computing is the protection of data in use by performing computation in a hardware-based, attested Trusted Execution Environment.
The close technical collaboration between Canonical and Google Cloud ensures that Ubuntu is optimised for Google Cloud operations at scale. Confidential Computing requires multiple pieces to align and we are delighted to offer full Ubuntu support for this crucial capability with Google Cloud. Organizations gain peace of mind that large classes of attacks on cloud guests are mitigated by Confidential Computing.
From our partners:
Intel® Trust Domain Extensions (Intel® TDX)
As an active contributor in confidential computing domain, Intel introduced Intel® Trust Domain Extensions (TDX) to its confidential computing portfolio with the launch of its new 4th Gen Xeon enterprise processors in January, 2023. Intel® Trust Domain Extensions is a combination of hardware and software features that provide isolation and security for virtual machines (VMs) running on Intel processors. Intel® TDX introduces architectural innovations to enable the deployment of hardware-isolated virtual machines (VMs), known as trust domains (TDs). The primary objective of Intel® TDX is to create a robust isolation layer between TDs and the virtual-machine manager (VMM)/hypervisor, as well as other non-TD software, offering comprehensive protection against a wide spectrum of potential threats. These hardware-isolated TDs encompass several critical components, including the Secure-Arbitration Mode (SEAM), which hosts the Intel® TDX module, an Intel-provided, digitally-signed security-services module. Additional features of TDX include:
- the shared bit in the GPA,
- Secure EPT for address-translation integrity,
- the Physical-address-metadata table (PAMT) for page management,
- the Intel Total Memory Encryption-Multi Key (Intel TME-MK) engine for memory encryption and integrity,
- remote attestation
All of the features are integral to ensuring the security and trustworthiness of TD execution within the Intel® TDX system.
In essence, Intel® TDX, a feature accompanying the latest 4th Generation Intel® Xeon CPUs, empowers you to execute your workloads within a logically isolated hardware-based execution environment in Google Compute Engine C3 machines. This remarkable capability is achieved through TDX’s allocation of a dedicated segment of system memory, which undergoes real-time encryption via an advanced AES-128 encryption engine. Additionally, TDX introduces stringent access control measures that meticulously govern memory access, effectively thwarting external access, including from the cloud’s privileged system software.
How Ubuntu supports Intel® TDX
Intel® TDX requires multiple pieces in the operating system to align with Intel CPUs. Ubuntu supports Intel® TDX through the Linux Stack for Intel® TDX. The Linux stack, denoting the strata of software constituting the Linux operating system, encompasses critical layers:
- The kernel: At its nucleus, the kernel serves as the foundational pillar of the operating system, furnishing essential services upon which all other software builds.
- Device drivers: These specialised software components act as intermediaries, facilitating seamless communication between the operating system and the hardware devices within the system.
- System libraries: An arsenal of system libraries offers a repertoire of shared functions that find widespread utility across applications.
- Userspace applications: At the outermost realm, userspace applications emerge as the tangible interface through which users engage directly with the system’s functionalities.
How to start your Ubuntu Confidential VM with Intel® TDX on Google Cloud
To get started with confidential computing on Google Cloud Intel® TDX, in the Google Cloud CLI, use instance create subcommand and specify — confidential-compute-type=TDX to select new C3 machines series that uses 4th Gen Intel® Xeon Scalable CPUs and enable Intel® TDX technology. Such as:
gcloud alpha compute instances create INSTANCE_NAME \ --machine-type MACHINE_TYPE --zone us-central1-a \ --confidential-compute-type=TDX \ --on-host-maintenance=TERMINATE \ --image-family=IMAGE_FAMILY_NAME \ --image-project=IMAGE_PROJECT \ --project PROJECT_NAME
- MACHINE_TYPE is the C3 machine type to use.
- IMAGE_FAMILY_NAME is the name of the Confidential VM-supported image family to use, such as Ubuntu 22.04 LTS and Ubuntu 22.04 LTS Pro Server.
In a few seconds, you will enjoy the latest advancements in security technology.
Additional resources for confidential computing:
- Read our blog post: What is confidential computing? A high-level explanation for CISOs (https://canonical.com/blog/what-is-confidential-computing-a-high-level-explanation-for-cisos)
- Read our blog post: Confidential computing in public clouds: isolation and remote attestation explained (https://canonical.com/blog/confidential-computing-in-public-clouds-isolation-and-remote-attestation-explained)
By: Hugo Huang
Originally published at: Canonical Blog
For enquiries, product placements, sponsorships, and collaborations, connect with us at [email protected]. We'd love to hear from you!
Our humans need coffee too! Your support is highly appreciated, thank you!