The Confidential Computing Consortium (CCC) welcomes a new project: The COCONUT
Secure VM Service Module (COCONUT-SVSM), which aims to be a game-changer for secure
service provision within confidential virtual machines (CVMs). This is a significant step forward
for the project.
Published by SUSE in March 2023 the project built an active developer community with major
industry players contributing, including AMD, Microsoft, IBM, Intel, Redhat and Google. By
joining the CCC the project gains enhanced visibility and even more collaboration opportunities
within the confidential computing community and is set for further community growth.
Building a Secure Foundation for Confidential VMs
COCONUT-SVSM was started by SUSE and is now hosted by the Linux Foundation (LF),
known for fostering open-source collaboration. This choice reflects the project’s commitment to
open development and community involvement. COCONUT-SVSM aims to become a platform
that delivers essential services to CVMs. These services, which can not be provided by the host
VMM in a secure way, include:
- Virtual TPM emulation: This functionality provides a secure Trusted Platform Modulewithin the CVM, enabling functionalities like secure key generation and storage, but alsoenable full remote attestation of workloads.
- UEFI variable store: This secure storage area safeguards critical configuration data forthe CVM and enables secure boot on some platforms.
- Live migration for CVMs: This feature allows for seamless movement of running CVMsacross different physical hosts without compromising security.
The key advantage of COCONUT-SVSM lies in its secure execution environment. It operates
within the trust boundary of the CVM, but is still isolated from the actual operating system. This
isolation ensures that even if the underlying system gets compromised, the security of services
offered by COCONUT-SVSM remains intact
Benefits for Confidential Computing
This integration will enable users to enhance their confidential VM setups with features like:
- Secure Remote Attestation: This allows for verifying the integrity and trustworthiness of the execution environment, a crucial requirement for running sensitive workloads and protecting data.
- End-To-End Data Security: Users can guarantee that their data is always encrypted and never visible to any unauthorized party during storage, transmission, and processing.
Ultimately, these features empower users to fully protect their data even in untrusted
environments like the public cloud. This paves the way for secure cloud deployments and
confidential computing adoption across various industries.
Industry Leaders Support COCONUT-SVSM
COCONUT-SVSM is gaining traction within the tech industry, with key partners recognizing its
potential to advance confidential computing. Here’s what some industry leaders have to say
about COCONUT-SVSM:
AMD
“SUSE and AMD have a long history of collaborating on the development of the Linux
ecosystem and confidential computing technologies for AMD EPYC Processors” said
Frank Gorishek, corporate vice president, Software Development, AMD. “We are thrilled
to see COCONUT-SVSM join the CCC as an open source implementation of the AMD
SVSM specification for SEV-SNP. AMD is committed to open source technologies such
as COCONUT-SVSM as a catalyst for collaborative innovation on transformative
technologies such as confidential compute.”
Microsoft
“A secure environment like COCONUT-SVSM can play a valuable role in confidential
computing.” a spokesperson from Microsoft Hyper-V said. ”It can hold secrets and
provide virtualization services seamlessly to improve the usability of CVMs.”
Open Governance and Continued Growth
The COCONUT-SVSM project fosters open collaboration. SUSE’s Jörg Rödel, as the founding
developer, is the current lead maintainer. In the future, a broader project leadership will be
established by a Technical Steering Committee (TSC) consisting of at least 3 lead people to
ensure diverse perspectives guide the project’s direction.
The project community collaborates via its GitHub organization, a mailing list and in weekly
community meetings. There the project’s future, current challenges, and contributions from a
broad developer base are discussed.
Every developer passionate about confidential computing and secure service provisioning is
invited to start contributing to COCONUT-SVSM and support the continued growth of the
project.
The Meaning Behind the Name
The name COCONUT is a play on the term “CoCo,” a common abbreviation for confidential
computing. The “coconut” metaphor reflects the project’s focus on robust security, symbolizing a
hard-to-crack shell protecting the integrity of sensitive data.
By joining the Confidential Computing Consortium, COCONUT-SVSM is set to make significant
contributions to the field of confidential computing. The community excited to see the project
flourish within the CCC and invite all those interested in secure virtualization technology to join
the thriving COCONUT-SVSM project. Together, we can bring confidential computing and
end-to-end data protection forward for a wide range of industries and applications.
