Project Description

When considering the protection of data in the cloud, it is vital that the data remains protected at all times. Encryption forms a vital part of this protection with encrypted communications between endpoints and service as well as at-rest encryption within databases, filesystems and other storage.

However, services and containers need to make use of data. They need to have access to the raw, unencrypted data when processing it. This leaves the data open to a number of different potential vulnerabilities including hypervisor based attacks and cross-vm attacks. Also, the software installed within a VM or container could be compromised to steal or misappropriate the data.

Confidential Computing can be used to help harden against these types of attacks, using technologies such as AMD SEV-SNP and Intel TDX to provide hardware-based encryption of the memory space used by guest virtual machines (among other things). One of the key features Confidential Computing technologies provide is the ability to remotely verify an attesation of the state of the VM: a remote, reliant party can verify that a workload is running on an uncompromised Confidential Computing server, and that the integrity of the software running in the VM is assured.

A comprehensive stack of software and services is required for full support of Confidential Computing virtual machines running linux guests on linux hosts. Much of this is currently under development or nearing completion. However, it is not entirely clear how all the pieces of the puzzle fit together.

Goal for this Hackweek

The goal is to try to get a complete Confidential Computing stack up and running. This will consist of an AMD SEV-SNP host that runs an encrypted guest virtual machine. The VM disk will be encrypted using a key protected by a virtual TPM. The TPM will use a root key that can only be obtained if the VM can prove it is running in a Confidential Computing environment.

Most of the parts required for this stack already exist either as patchsets, PRs or are already upstream. Some parts do not yet exist and many of the interfaces between the different components are yet to be defined.

The tasks to meet the goal include:

• Setting up a test environment on an AMD SEV-SNP system with a kernel that supports SEV-SNP.
• Creating a guest image with a kernel that supports SEV-SNP guest changes + SVSM.
• Pulling together the current open coconut-SVSM PRs for vTPM and attestation report generation.
• Extending coconut-SVSM/QEMU to exchange an attestation report on VM launch to provide evidence of environment and firmware integrity.
• Exchange of key material between QEMU, SVSM and with an external key service.
• Encryption of guest using TPM protected FDE key.

The major part that is missing is the external key service. This requires verification of the attestation report against a policy, then release of a key based on the result of the verification. Intel's "Trust Authority" (previously "Project Amber") is designed to solve this problem but does not currently support AMD SEV-SNP. A goal for this project is to start development of an open source basic attestation service that can be used in place of this.

Resources

The coconut organisation that holds repositories for host and guest linux kernels that support AMD SEV-SNP as well as for coconut-SVSM: https://github.com/coconut-svsm

vTPM PR for coconut-SVSM: https://github.com/coconut-svsm/svsm/pull/135

Attestation PR for coconut-SVSM: https://github.com/coconut-svsm/svsm/pull/69

Intel Trust Authority: https://www.intel.com/content/www/us/en/security/trust-authority.html