Welcome to the Confidential Computing Consortium’s newsletter!
The start of the new year is the perfect opportunity to reflect on the year that has passed and what we have accomplished collectively in 2022. It has been a pivotal year for the CCC in many regards. Please check the updates from the Technical Advisory Committee, the Outreach Committee, the CCC projects, and the Special Interest Groups.
Cape Privacy and Canonical joined the Confidential Computing Consortium.
Cape Privacy is a confidential computing platform to easily run serverless functions on encrypted data. Cape empowers developers to build secure applications which protect the underlying data and code from the cloud.
Canonical is committed to enabling Ubuntu users to leverage the strong run-time confidentiality and integrity guarantees that confidential computing provides. The mission of the Confidential Computing Consortium of driving cross-industry open source software, standards and tools greatly resonates with us and we are really excited to have joined its members.
The Confidential Computing Consortium will be participating at the Confidential Computing devroom at FOSDEM. A social event is being sponsored by the CCC on the 4th of February.
State of Open Con
The Confidential Computing Consortium will have a table at the State of Open Con, a conference being organized by OpenUK in London on the 7-8th of February.
CCC Webinar: Confidential Computing in Financial Services
The next CCC webinar will happen on February 16 at 8:00 am PT. Featured speakers include Bessie Chu (Cape Privacy), Gavin Uhma (Cape Privacy), Mark F. Novak (JP Morgan Chase), and Richard Searle (Fortanix).
White Papers & Reports
The Confidential Computing Consortium has published the Common Terminology for Confidential Computing. As more companies and open source projects begin to use similar terms to describe similar paradigms that build upon hardware-based, attested Trusted Execution Environments (TEEs), it will be increasingly important that vendors use consistent terminology that describes the ways in which these new capabilities are applied within different functional domains.
Technical Advisory Committee
It was a busy year for the Technical Advisory Council (TAC). We had a number of goals for the year across the spectrum of maturing our projects to collaborating with other open organizations to acting on our diversity & inclusion plans. Attestation was a pronounced theme for the year. We revised the definition of Confidential Computing to include attestation as an essential element. The TAC approved the Veraison project, which focuses on building blocks for attestation verification. We created the Attestation SIG last year and throughout 2022, it found its legs and created a good deal of content. You can browse our meeting recordings and presentations for a series of talks on Secure Channels and Attestation Formats. An outcome of this sharing led to two additional initiatives. CCC projects Gramine, Occlum, and Open Enclave SDK all rely on separate implementations of “Remote Attestation TLS.” The independent implementations were not interoperable. The Attestation SIG helped uncover and resolve variations, arriving at a proposal to harmonize the implementations of those projects. Contributors to the SIG are also creating an Attested TLS proof of concept based on a similar design. We look forward to attestation of TEEs becoming a fundamental part of communications as Confidential Computing becomes pervasive.
Harmonization was not unique to the Attestation SIG. The TAC also engaged with a variety of organizations looking for opportunities for collaboration and coordination. We hosted speakers from RISC-V, MPC Alliance, IETF, TCG, CDCC, TrustedComputing.org, HomomorphicEncryption.org, PCI SIG WG, and the OCP Security SIG. In fact, most of our TAC meetings host a Tech Talk and our meetings have become a place for learning a variety of security related technical topics. As an open collaborative community, everyone is welcome to join our meetings or view the recordings. We hope to see you in one in 2023.
The TAC also had direct collateral outputs. In addition to revising our primary whitepaper, we also generated a new whitepaper which is going through final layout. That paper focuses on terminology to give greater clarity to the different ways Confidential Computing artifacts can be packaged and what that should imply to a consumer. We were also able to collectively form a response to the OSTP’s request for comments on Privacy Enhancing Technologies (PETs).
This government interaction suggested a broader need for similar discourse. The TAC subsequently approved the creation of a Governance, Risk, and Compliance SIG. This newly chartered SIG already has representatives from Meta, Microsoft, Intel, NVIDIA, Arm, CSA, JPMorgan Chase, Anjuna and others.
Of course, as an open source organization, our main focus is on open source projects. This year the TAC provided projects with additional resources. Our focus on diversity and inclusion took a few forms. Each of the projects was introduced to D&I training specifically for open source provided by the Linux Foundation. We made Outreachy internships available and Veracruz and Enarx piloted this membership program for the rest of the CCC. As the year progressed we created other resources for projects – increasing funding for CI, creating conference travel funding for projects, and making additional security tooling available.
All in all it has been a very productive year for the Technical Advisory Council, our SIGs, and our projects. We have a number of ambitious goals coming together for 2023 and will communicate those in a future blog.
2022 was a year of two halves. While the effects of COVID restrictions were still being felt in the first half of the year, things really turned around in the summer, and by the end of the year life was back to pre-COVID levels in most regions of the world. The outreach committee had to be nimble and adapt to the changing circumstances. In some ways, some of the impetus was to lay the foundation to hit the ground running again in 2023.
The committee implemented multiple important initiatives during this time including:
- For the second year in a row, CCC sponsored the OC3 Summit, a virtual Open Confidential Computing Conference held in early 2022.
- Building brand awareness and visibility in industry events like RSA. We were able to negotiate a co-marketing arrangement at no cost, whereby RSA promoted the CCC on their website, and in promotions, and CCC did the same for RSA. We’ll have a similar arrangement with RSA in 2023 as well.
- Expanding our presence to Latin America, participating at Roadsec 2022 in Sao Paulo, the biggest hacker festival in Latin America.
- After a hiatus due to COVID, CCC had a presence at Black Hat USA, in Las Vegas. This included a meeting room where we received visitors wanting to learn and/or get engaged with CCC. In addition we also got exposure in some of the member booths at the show, by way of presentations, CCC handouts etc.
- We were also able to get brand visibility at the Crypto & Privacy Village at DEF CON 2022.
- Rekindled industry analyst interactions including a recent briefing with ABI Research, and communications with Gartner, Forrester, IDC, 451 Research, OMDIA, Nemertes and other Tier 2/3 analyst firms
- Secured a speaking spot for the consortium in the Keynote segment of the upcoming OC3 event in March 2023
- Signed up a consultant to greatly increase our social media activities starting Jan 2023
- Shortlisted a consultant to help guide the committee to get Confidential Computing on Wikipedia
- Made good progress on content refresh of our website, with the updates scheduled to be rolled out in March 2023
The committee is very excited about the foundation that has been laid, and we are looking forward to a highly successful 2023!
- Implemented support for TLS, WASI networking, wasi-crypto, multithreading, lazy memory mapping, VFS, attestation, SGX2, EDMM, and made improvements to SEV-SNP support.
- Implemented nil backend, which allows development/testing of Enarx on multiple platforms, from macOS and Windows to Raspberry Pi.
- Implemented attestation (Steward) and application registry (Drawbridge) integration.
- Implemented Kubernetes integration.
- Tested Enarx in various cloud environments: Alibaba Cloud, AWS, Azure, Equinix, PhoenixNAP. Support for Google Cloud and IBM Cloud coming soon.
- Made upstream contributions to various projects: Rust, Tokio, Wasmtime, Linux Kernel, and others.
- Published several demos as part of the Codex and Drawbridge repository: Cryptle (wordle clone), TCP echo server, chat application, ICU Monitor (healthcare example), and Confidential Trading (fintech example), among others.
- Published over 100 tutorials at Wasm Builders and helped this community to go from zero to over 1500 members during the year.
- Participated in Outreachy, LFX Mentorship, and Semester of Code programs, mentoring over 30 community members.
- Launched the Cryptle Hack Challenge and announced a winner who was able to find an exploit. The exploit and solution were presented at the Crypto & Privacy Village at DEFCON.
- Implemented an initial benchmarking framework using flame graphs to help measure optimizations of Enarx and WebAssembly support of various languages in an automated manner.
- Launched Try Enarx, a playground to run WebAssembly workloads using Enarx in multiple platforms using Intel SGX and AMD SEV.
- Developed a VS Code extension that facilitates setup of Enarx and developer tools, Enarx.toml creation/validation, local and remote application deployment, package publication to Drawbridge, and download of examples from Codex.
- Presented Enarx at the following conferences: FOSDEM, OC3, Open Source 101, FOSSASIA, Wasm Day / KubeCon Europe, RightsCon, Open Source Summit North America, Roadsec LATAM, SGX Community Day, SCaLE, Black Hat, DEFCON, Open Source Summit Europe, Linux Security Summit Europe, and All Things Open.
- Surpassed 1000 GitHub stars (from around 300 at the beginning of the year).
- Renewed website content and documentation.
- Published around 20 blog posts during the year.
- Top 3
- Three major releases in 2022, with the latest one v1.3.1 in Sep ’22.
- Major overhaul of memory management, file system, networking, ELF parsing and loading.
- Production deployment with IBM/Gematik e-prescription use case and PoC deployment with Intel OpenFL in Intel Labs/UPenn FL trial.
- Gramine releases are packaged for popular Linux distributions (Debian/Ubuntu and RHEL/CentOS).
- Started releasing an official Gramine Docker image.
- Simplified SGX signing key generation.
- Introduced integration with Azure Cloud.
- Introduced Redis and PyTorch examples at Azure Marketplace.
- Added support in core Gramine for:
  - musl C v1.2.2 and Glibc v2.35 standard libraries,
  - Intel Advanced Matrix Extensions (AMX),
  - CPU/NUMA topology sanitization,
  - executable scripts (shebangs),
  - VTune profiling,
  - more system calls and /proc and /sys system files.
- Presented Gramine in several venues:
  - Gramine talk at FOSDEM’22,
  - Gramine talk at a Confidential Computing Consortium (CCC) webinar,
  - Gramine talk at Third SGX Community Day,
  - Gramine highlighted in several use cases and projects at the Open Confidential Computing Conference (OC3 2022).
- Wrote several papers/blogs:
  - Whitepaper “Computation offloading to hardware accelerators in Intel SGX and Gramine Library OS”,
  - Blog post “How Open Source Gramine Accelerates Expanding Confidential Computing Market”,
  - Azure Blog post “Developers guide to Gramine Open-Source Lib OS for running unmodified Linux Apps with Intel SGX”,
  - A series of technical blog posts.
- Integrated Gramine in several projects:
  - Integration with Open Federated Learning (OpenFL) framework,
  - Integration with IBM/Gematik e-prescription solution,
  - Reference solutions with Gramine as part of the Confidential Computing Zoo (CCZoo).
- Released the first stable version 1.0, which, among other things, delivers a significant performance boost with various switchless techniques
- Integrated a log-structured secure block device as the foundation for secure file I/O
- Reached the milestone of 1,000 GitHub stars
- Added oeapkman, a Linux tool for installing and using Alpine Linux static libraries within enclaves
- Added policy baseline configuration support to attestation verification APIs
- Added new logging APIs
- Upgraded to mbedTLS 2.28.1 and OpenSSL 1.1.1q
- Mitigated CVEs (see release notes)
- Increased max threads usable by enclaves from 32 to 1000
- Added support for POSIX mmap and munmap
- Enabled MUSL conf functions
- Integration with Veraison for the Proxy Attestation Service
- DarkNet Machine learning in WASM and with a Native Module
- Graviton support
- Fully implemented the Proxy attestation service (no longer need the “root enclaves”)
- Added Cargo.lock files into workspaces for supply chain security and reproducibility
- Support for linear pipelines of functions
- Integrated Icecap as a Realm OS
- Integrated the file system into our permissions system
- Transitioned off of Rustls and ring in favor of MbedTLS
- Integrations with other open source projects
  - Parsec (CNCF) and mbedTLS (TrustedFirmware); see also “attested TLS prototype” under the Attestation SIG
  - Veracruz (CCC) CA/RA backend
  - Project Oak (Google) – conversation in progress
  - veraison/go-cose (among others)
  - Notary v2 (CNCF)
  - sigstore (OpenSSF)
- Partner engagements
  - Huawei (HERS)
  - EnactTrust (TPM-based enterprise device health monitoring)
- attracted new (very active) collaborators, especially:
- added new component repos (e.g., veraison/ear, veraison/ccatoken, veraison/rust-apiclient)
- reorganized old codebase into a leaner structure
- end-to-end demo using veraison services and attester emulators
- more verification plugins: enacttrust, psa, cca, nitro
- design and implementation of standardized formats for endorsements/ref-values and trust anchors (CoRIM, CoMID, CoTS) and attestation result (AR4SI, EAR)
- Public talks
  - FOSDEM (accepted, upcoming)
  - IETF 115 hackathon
  - IETF RATS WG
Special Interest Groups
- Content (available here)
- Secure Channel “Lectures”
- Attestation Formats (evidence, reference, results)
- RA-TLS Harmonization
- Attested TLS POC initiated
Governance, Risk and Compliance SIG
- Developed and agreed on the SIG charter
- Established a working relationship with the Cloud Security Alliance; a joint working group is getting underway
- Connected with NIST; expecting to start ongoing interactions in early January ’23
- Collectively working on a response to ICO request for comments, focused on the use of confidential computing in data privacy applications (due by end of December, and we’re on track to meet this deadline)
- Happy with the current composition of the SIG, with representatives from Meta, Microsoft, Intel, NVIDIA, Arm, CSA, JPMorgan Chase, Anjuna.
The Confidential Computing Consortium is approaching 1000 followers on Twitter and LinkedIn. Please follow us in these channels to keep up-to-date with the latest news about Confidential Computing:
- Twitter: https://twitter.com/ConfidentialC2
- LinkedIn: https://www.linkedin.com/company/68617795