The Linux Foundation Projects
Skip to main content
All Posts By

Confidential Computing Consortium

Apr 10

The CIA Triad for Confidential Computing

By Blog No Comments

At the heart of cybersecurity, the CIA triad is a model designed to guide policies for information security within an organization. It consists of three fundamental principles:

Confidentiality: Ensures that sensitive information is accessed only by authorized parties and is protected against unauthorized access. Techniques such as data encryption, secure authentication, and access controls are employed to maintain confidentiality.

Integrity: Guarantees that information is reliable and accurate, safeguarding it from unauthorized modification. Integrity is upheld through mechanisms like checksums, cryptographic hashes, and digital signatures, ensuring that data remains unaltered from its original state unless modified by authorized entities.

Availability: Ensures that information and resources are available to authorized users when needed. This involves protecting against attacks that disrupt access to resources, such as DDoS attacks, and implementing disaster recovery plans to maintain service continuity.

Confidential Computing (CC) enhances the traditional CIA triad by focusing on protecting data in use—complementing existing measures that protect data at rest and in transit. By leveraging hardware-based security mechanisms such as Trusted Execution Environments (TEEs), CC enables sensitive data to be processed in isolated environments, thus offering a unique opportunity to reexamine and reinforce the principles of the CIA triad in modern computing scenarios.

Aligning with the CIA Triad

Confidentiality in Confidential Computing: The essence of Confidential Computing lies in its ability to ensure that data being processed remains confidential, even in shared or cloud environments. Through technologies like Intel SGX and TDX, AMD SEV-SNP, and ARM CCA provide hardware-based, attested Trusted Execution Environments (TEEs) which protect from unauthorized access, including operators of cloud services.

Integrity in Confidential Computing: CC technologies also play a crucial role in ensuring the integrity of data and code execution. Confidential Computing allows for the verification of software and data integrity before execution, ensuring that only authorized code runs within TEEs. This is instrumental in preventing unauthorized modifications and ensuring that computations are performed accurately.

Availability in Confidential Computing: While confidentiality and integrity are the primary focus of Confidential Computing, it also contributes to availability by enhancing the overall security posture. By mitigating the risk of data breaches and ensuring the integrity of computing processes, CC supports the uninterrupted availability of services, fostering trust and reliability in digital ecosystems.

Confidential Computing: A Journey Through the CIA Triad

Confidential Computing (CC) stands as a pivotal advancement in the realm of cybersecurity, offering robust mechanisms to protect data in use and reinforcing the principles of the CIA triad—Confidentiality, Integrity, and Availability—in novel and powerful ways. There are several key takeaways emerge:

Confidential Computing enhances the traditional CIA triad by introducing protections for data in use, alongside existing measures for data at rest and in transit. The evolution of CC technologies demonstrates a concerted effort to address the complexities of modern computing environments, ensuring that sensitive data can be processed securely and reliably.

Integrity and confidentiality are paramount in CC, with innovations providing mechanisms for verifying the authenticity and safeguarding the privacy of data during processing.

Availability, while indirectly impacted by CC, benefits from the improved security posture that CC technologies bring to digital infrastructures, supporting the reliability and accessibility of services.

As the landscape of digital threats continues to evolve, so too will the technologies and strategies employed to counter them. Confidential Computing represents a forward-thinking approach to cybersecurity, promising to play a crucial role in safeguarding the future of digital information processing.

Further Reading and Resources

To further explore the concepts and technologies discussed, the following resources serve as a starting point for those seeking to deepen their understanding of Confidential Computing and its significance in today’s cybersecurity landscape. By engaging with these materials, you’ll gain a more nuanced appreciation of the challenges and opportunities that Confidential Computing presents:

1. The Confidential Computing Consortium: An initiative by the Linux Foundation, this consortium brings together industry leaders to collaborate on open-source projects and standards for Confidential Computing.

2. NIST on Confidential Computing: The National Institute of Standards and Technology (NIST) provides resources and publications that address the technical aspects and standards related to Confidential Computing.

Mar 19

Collaborative Security: The Role of Open Source in Confidential Computing

By Blog No Comments

Authored by Sal Kimmich

Blog Post

As we continue our exploration of Confidential Computing, this week we focus on a crucial aspect that is often the unsung hero of technological advancement: open source. Specifically, we’ll examine how open-source initiatives are contributing significantly to the development and implementation of Confidential Computing.

Open Source: A Foundation for Innovation

Open-source software is built on the principle of collaboration and transparency. It allows developers from around the world to contribute to and review each other’s code, fostering innovation and rapid problem-solving. This collaborative approach is particularly beneficial in the realm of cybersecurity, where the sharing of knowledge and resources is key to staying ahead of threats.

Open Source in Confidential Computing

In the context of Confidential Computing, open source plays a pivotal role. Open-source projects provide the foundation for many Trusted Execution Environments (TEEs) and other secure computing technologies. By leveraging open-source software, developers can create more robust, secure, and versatile solutions for data protection.

Advantages of Open Source in Security

One of the main advantages of open source in the field of Confidential Computing is transparency. Open-source code can be inspected by anyone, which means vulnerabilities can be identified and addressed more quickly than in proprietary software. This transparency builds trust and reliability, essential components in any security solution.

Linux: A Testament to Open-Source Success

Reflecting on the impact of open source, we can’t overlook Linux, released in 1991 and now a cornerstone of open-source software. Linux’s success demonstrates how collaborative efforts can lead to robust and widely-used technology solutions. It’s a testament to the power of open-source communities in driving innovation.

Challenges and Opportunities

While open source offers many benefits, it also presents unique challenges, particularly in terms of coordination and quality control. However, these challenges are often outweighed by the opportunities for innovation and the rapid development cycle that open source enables.

Looking Ahead

As Confidential Computing continues to evolve, the role of open source will undoubtedly expand. Open-source communities will continue to be vital in developing secure, efficient, and adaptable solutions for data protection in an increasingly complex digital landscape.

Next Week’s Focus

Join us next week as we delve into the intricacies of data encryption in Confidential Computing. We’ll explore how encryption techniques are being enhanced and applied in new ways to protect data not just at rest and in transit, but also during processing.

Explore the four-part series on Confidential Computing—a vital innovation for data privacy and security. Dive in now!

Part I –  Introduction to Confidential Computing:  A Year Long Exploration

Part IIThe Evolution of Cybersecurity:  From Early Threats to Modern Challenges

Part IIIBasics of Trusted Execution Environments (TEEs):  The Heart of Confidential Computing

Mar 14

The Guide to Confidential Computing Sessions at KubeCon + CloudNativeCon Europe (March 20-21)

By Blog, Event No Comments

Confidential Computing is a transformative approach to protecting data in use, enabling computation in memory without exposing it to the rest of the system. As cloud-native technologies continue to evolve, KubeCon + CloudNativeCon Europe 2024 offers sessions at the forefront. This guide is your go-to resource for exploring the Confidential Computing offerings, ensuring you make the most of your conference experience.

Key Demos, Sessions and Posters 

Learn about Attested Containers for securing containerized workloads and other open source Confidential Computing demos at Intel’s booth, H5.

Poster Session: Kubernetes in the Confidential Computing Marvels: Unlocking SMPC Across Multi-Cloud Clusters

When: Wednesday, March 20 • 18:00 20:00

Who: Gilles Seghaier & Nayani Parameshwari, Astran

Find on KubeCon Schedule

Dive into the world of Secure Multiparty Computation (sMPC) with Kubernetes, exploring its application across multi-cloud clusters for enhanced data security.

Fortifying AI Security in Kubernetes with Confidential Containers (CoCo)

When: Thursday, March 21 • 14:30 15:05

Who: Suraj Deshmukh, Microsoft & Pradipta Banerjee, Red Hat

Find on KubeCon Schedule

A deep dive into securing AI models in Kubernetes using Confidential Containers, ensuring data privacy without sacrificing performance.

Memory Armor for SPIRE: Fortifying SPIRE with Confidential Containers (CoCo)

When: Thursday, March 21 • 17:25 18:00

Who: Matthew Bates, Stealth Security Startup & Suraj Deshmukh, Microsoft

Find on KubeCon Schedule 

Learn how Confidential Containers enhance the security of SPIRE servers, safeguarding sensitive signing keys against unauthorized access.

Confidential Containers for GPU Compute: Incorporating LLMs in a Lift-and-Shift Strategy for AI  

When: Thursday, March 21 • 16:30 17:05

Who: Zvonko Kaiser, NVIDIA

Find on KubeCon Schedule

An exploration of integrating confidential containers with GPU computing for AI/ML workloads, maintaining data confidentiality while leveraging computational power.

Additional Highlights

CRI-O Odyssey: Exploring New Frontiers in Container Runtimes

 An insight into the latest in container runtime technology, touching on Confidential Computing integration.

 Thursday, March 21 • 11:00 11:35

Towards a Cloud-Native, Scalable and Fault-Tolerant Platform for Digital Agriculture

A unique application of cloud-native technologies in agriculture, showcasing the potential of Kubernetes and Confidential Computing.

Wednesday, March 20 • 18:00 20:00

Confidential Computing at KubeCon

KubeCon + CloudNativeCon Europe 2024 offers an opportunity to immerse yourself in the world of Cloud and Compute. Whether you’re a developer, IT professional, or business leader, these sessions provide a wealth of knowledge and a unique chance to advance your understanding of the technology at the Confidential Computing Consortium and its critical role in the future of cloud-native technologies.

Bookmark this page and plan your schedule to make the most of the Confidential Computing sessions at KubeCon + CloudNativeCon Europe 2024. See you there!

Mar 06

The Evolution of Cybersecurity: From Early Threats to Modern Challenges

By Blog No Comments

Authored by Sal Kimmich

As we continue our journey through the world of Confidential Computing, it’s essential to understand the backdrop against which this technology has emerged. This week, we delve into the evolution of cybersecurity, tracing its journey from the early days of computing to the sophisticated landscape we navigate today.

The Early Days of Cybersecurity

Cybersecurity, in its infancy, was a game of cat and mouse between emerging technologies and the threats that shadowed them. The earliest computers, massive and isolated, faced minimal security concerns. However, as technology advanced and computers became interconnected, the need for robust cybersecurity measures became apparent.

The Birth of Computer Viruses and Antivirus Software

The 1980s marked a significant turning point with the advent of the first computer viruses. Among these early threats was the Brain virus, which led to the creation of the first antivirus software in 1987. This was a pivotal moment, signaling the start of an ongoing battle against cyber threats.

The Internet Era and Its Challenges

The explosion of the internet in the 1990s and early 2000s brought cybersecurity to the forefront. The connectivity that empowered businesses and individuals also opened up new vulnerabilities. Viruses, worms, and later, sophisticated malware, posed significant risks, leading to the development of more advanced cybersecurity solutions.

The Rise of Cybercrime

As technology continued to evolve, so did the nature of threats. Cybercrime became a lucrative business, with hackers targeting not just computers but entire networks. Data breaches, identity theft, and ransomware attacks became common, causing significant financial and reputational damage to individuals and organizations.

The Current Landscape: A Complex Battlefield

Today, cybersecurity is an intricate field, encompassing everything from endpoint security to network defenses, and now, Confidential Computing. The threats have become more sophisticated, leveraging AI and machine learning, making proactive and advanced defense mechanisms essential.

Confidential Computing: A New Frontier in Cybersecurity

This brings us to Confidential Computing – a response to the modern need for enhanced data protection. As we’ve seen, cybersecurity is no longer just about preventing unauthorized access; it’s about ensuring data integrity and confidentiality at every stage, including during processing.

Looking Ahead

The evolution of cybersecurity is a testament to the ever-changing landscape of technology. As we continue to innovate, so too will the methods to protect our digital assets. Confidential Computing is part of this ongoing evolution, representing the next step in securing our digital future.

A Fun Reminder of Our Journey

Reflecting on this evolution, it’s fascinating to think that the journey from the Brain virus to today’s sophisticated cyber threats led to the birth of an entire industry. The first antivirus software in 1987 was just the beginning of what has become a critical and ever-evolving field.

Stay Tuned

Next week, we’ll dive deeper into the world of Trusted Execution Environments (TEEs), a cornerstone of Confidential Computing. Join us as we explore how TEEs provide a secure space for data processing, marking a significant advancement in our quest for cybersecurity.

Explore the four-part series on Confidential Computing—a vital innovation for data privacy and security. Dive in now!

Part I –  Introduction to Confidential Computing:  A Year Long Exploration

Part IIIBasics of Trusted Execution Environments (TEEs):  The Heart of Confidential Computing

Part IVCollaborative Security:  The Role of Open Source in Confidential Computing

Feb 27

Introduction to Confidential Computing: A Year-Long Exploration

By Blog No Comments

Authored by Sal Kimmich

Welcome to the first blog Confidential Computing Consortium blog series to help new members navigate the transformative landscape of Confidential Computing, a crucial advancement in safeguarding data privacy and security.

What is Confidential Computing?

Confidential Computing is a cutting-edge approach that protects data in use by encrypting it within Trusted Execution Environments (TEEs). These secure areas of a processor ensure data is inaccessible to other applications, the operating system, and even cloud providers, safeguarding sensitive information from unauthorized access or leaks during processing. This technology is foundational in addressing the critical challenge of protecting data throughout its lifecycle, offering a new dimension of security for our digital world.

The Significance

In an era where data privacy concerns are paramount, Confidential Computing emerges as a vital solution. It enables businesses and individuals to compute with confidence, knowing their data remains secure and private, even in shared infrastructure environments. This technology fosters trust and facilitates secure data collaboration, unlocking new possibilities in cloud computing and beyond.

Our Journey Ahead

This blog series will explore these topics (and many more!):

1. The Evolution of Confidential Computing

2. Insights into Trusted Execution Environments (TEEs)

3. The Vital Role of Open Source in Confidential Computing

We’ll examine its transformative impact across industries, its pivotal role in emerging technologies, and how it underpins secure, data-driven innovations. This exploration is designed for tech enthusiasts, industry professionals, and anyone curious about the next frontier in digital security.

Learn more with Special Interest Groups (SIGs)

The Confidential Computing Consortium (CCC) champions this technology through collaborative efforts, including Special Interest Groups (SIGs). These SIGs are integral to: SIG meetings are open to everyone, emphasizing the consortium’s commitment to inclusivity and collaboration. There’s no membership requirement to join these discussions, making it an excellent opportunity for anyone interested in contributing to or learning more about confidential computing.

Be Part of the Movement

By joining our journey, you become a part of a community dedicated to advancing confidential computing. This series promises to deepen your understanding and provide resources that can be easily shared for collaborative efforts driving this technology forward.

Stay tuned as we reveal the fascinating world of Confidential Computing, and it’s critical role in privacy-enhancing technologies. If there is any topic you would love us to cover in this series, we’d love to hear from you! Reach out to skimmich@contractor.linuxfoundation.org

Explore the four-part series on Confidential Computing—a vital innovation for data privacy and security. Dive in now!

Part IIThe Evolution of Cybersecurity:  From Early Threats to Modern Challenges

Part IIIBasics of Trusted Execution Environments (TEEs):  The Heart of Confidential Computing

Part IVCollaborative Security:  The Role of Open Source in Confidential Computing

Feb 13

Highlights from the Confidential Computing DevRoom at FOSDEM

By Blog No Comments

By Sal Kimmich

The Confidential Computing DevRoom at FOSDEM brought together experts and enthusiasts to discuss and demystify the rapidly evolving field of Confidential Computing. The event was a melting pot of ideas, showcasing the latest advancements, practical applications, and the future direction of this technology.

 Kickoff: Unveiling the Essence of Confidential Computing

The DevRoom opened with Fritz Alder, Jo Van Bulk, and Fabiano Fidencio welcoming attendees and setting the stage for the day’s discussions. They emphasized the importance of adhering to the Confidential Computing Consortium (CCC) definition, highlighting key properties such as data confidentiality, integrity, and code integrity. The conversation also touched on contextual properties like code confidentiality, authenticated launch, and attestability, underscoring the diversity in application needs and security requirements.

Intel TDX: A Leap Towards VM Isolation

Dr. Benny Fuhry took the stage to deep dive into Intel Trusted Domain Extensions (TDX), presenting it as a groundbreaking approach to VM isolation. Intel TDX stands out by ensuring that each trust domain is encrypted with a unique key, a move aimed at mitigating Virtual Machine Monitor (VMM) attacks. With general availability announced alongside the 5th Gen Intel Xeon Scalable processors, Intel TDX is set to revolutionize memory confidentiality, integrity, and key management.

Watch this talk. 

 SGX-STEP: Enhancing Side Channel Attack Resolution

The SGX-STEP presentation from Luca Wilke spotlighted innovative techniques to counteract side-channel attacks, still a concern in the realm of Confidential Computing. Through detailed explanations of single stepping, interrupt counting, and amplification, the speakers shed light on improving temporal resolution for side-channel attacks, presenting a clear path toward more secure environments that could be used in Confidential Computing and beyond. 

Watch this talk. 

Database Security: Bridging Confidential Computing and Data Storage

Ilaria Battiston and Lotte Felius delved into the integration of confidential computing with database systems, presenting their research on secure databases. They discussed the performance overhead of utilizing SGX with SQLite and PostgreSQL, emphasizing the trade-offs between security and efficiency with preliminary results. Their work on minimizing performance impacts through vectorized processing inside secure enclaves provided valuable insights for developers aiming to secure database operations.

Watch this talk. 

Ups and Downs of Running Enclaves in Production

Evervault’s presentation from Cian Butler highlighted their innovative solutions for data security and compliance, focusing on encryption proxies and secure serverless functions. They discussed the challenges of monitoring and observability within AWS Nitro enclaves, showcasing their efforts to enhance reliability and performance in secure computing environments.

Watch this talk. 

 fTPM: Securing Embedded Systems

Tymoteusz Burak introduced the concept of fTPM implemented as a Trusted Application in ARM TrustZone, offering a compelling solution for enhancing the security of embedded systems. Despite challenges such as lack of secure storage and entropy sources, fTPM stands as a testament to the potential of leveraging Trusted Execution Environments (TEEs) for robust security measures.

Watch this talk.

Integrity Protected Workloads 

The presentation by Tom Dohrmann on Mushroom offered an insightful look into securing Linux workloads using AMD’s SEV-SNP technology. With a clear goal to run Linux programs securely, Mushroom addresses the critical need for integrity in remote code compilation on untrusted hosts. The architecture of Mushroom, built with a focus on minimalism and security, comprises a kernel and a supervisor, both developed in Rust, emphasizing efficiency and reduced host interaction. 

Watch this talk. 

Reproducible Builds For Confidential Computing

The talk by Malte Poll and Paul Meyer delved into a critical aspect of Confidential Computing: the validation of Trusted Computing Base (TCB) measurements through remote attestation and the importance of reproducible builds in this process. The presentation highlighted the challenges in the current landscape, where reference values for validating TCB measurements are often provided by third parties without transparent mechanisms for auditing their trustworthiness or origin. Advocating for an auditable CC ecosystem, the speakers emphasized the necessity for every component of the TCB to be open source and reproducible, allowing end-users to verify the deployed system comprehensively. Utilizing mkosi and Nix(OS), they showcased how to build fully reproducible OS images from source code to reference values for remote attestation, providing a foundation for projects like Constellation and the Confidential Containers project. This approach aims to enhance the trust and security in Confidential Computing by enabling the community to independently verify reference values, marking a significant step towards more transparent and secure computing environments.

Watch this talk. 

 Advancing Remote Attestation

Ionut Mihalcea and Thomas Fossati showed us the development and importance of remote attestation covered milestones from the formation of TCPA to the latest advancements in RATS EAT. This narrative underscored the critical role of remote attestation in establishing trust and preserving privacy within confidential computing frameworks.

Watch this Talk

FOSDEM: The Broader Impact 

FOSDEM concluded with a roundup of various DevRooms, highlighting the interconnectedness of confidential computing with other domains such as energy, community development, and monitoring. Special attention was given to the EU’s new open-source cloud initiative, IPCEI-CIS, showcasing the commitment to leveraging open-source solutions for enhancing security and privacy.

A Special Thank You

As we reflect on all the experiences and exchanges at FOSDEM, we want to share a special note of gratitude to all participants of the Decrypted Gathering – one that we received directly from the catering team who worked with us that night:

I catered your event and I have to thank you for having been the most respectful and polite clients I’ve ever seen… And I of course thank you for working for such a noble cause that is data protection and open OS.

Thank you for existing and you can congratulate all the persons present. It was unseen and so heartwarming for me/us. 

All the best,

Lauréline

Confidential computing is unique. It’s the kind of work that anyone can understand the value of, as soon as you explain the kind of data we try to keep private. Personalized medicine, space technology, and energy grids are all parts of Confidential Computing’s emerging sectors. 

I’m incredibly grateful to have a growing community of engineers, academics and technology giants all coming together around this work. Thank you to everyone who is helping us to bring Confidential Computing to the center stage of this year. 

Want to Get Involved with CCC? 

If you are still looking to get involved with the Confidential Computing Consortium, you can find more resources about our technical committees and institutional memberships here. All of our technical committee meetings are open to the public, and recorded for all to view. We welcome anyone who wants to join in on the conversations around Confidential Computing.

If there’s a concept or clarification from these talks you believe is important to share with the CCC community, get in touch with me at skimmich@contractor.linuxfoundation.org and we’ll help you do write it up as a blog post or webinar, and get the information out to everyone.

Jan 08

Welcoming Sal Kimmich to the Confidential Computing Consortium

By Announcement, Blog, In The News No Comments

The Linux Foundation’s Confidential Computing Consortium (CCC) is proud to announce Sal Kimmich joining as the Technical Community Architect. Sal’s career started by sharing Python scripts with other computational neuroscientists in the wild world of supercomputing. A decade later, they are still paying attention to the algorithmic side of open source tech.  

Before joining CCC, Sal worked as a scalable SecDevOps Machine Learning engineer and brought those contributions to the Cloud Native Computing Foundation (CNCF) and the Open Source Security Foundation (OpenSSF). They have focused on practical automation around security best practices that make the maintainer’s lives easier, like Security Slams.  

At CCC,  we are building the landscape for Trusted Execution Environments (TEEs) at the Linux Foundation as it becomes as Confidential Computing becomes foundational to cross-industry security practicesConfidentiality of data in use is also a cornerstone of digital progress: having hardware level trust in compute is critical to the wave of critical technologies in both edge and cloud. 

Sal’s vision for CCC is clear – to make maintainers’ work enjoyable and rewarding, to create tech demos that dazzle, and to showcase the world-class Open Source Projects enabling secure computation. 2024 marks the start of an incredible year of compute, collaboration and community expansion ahead, as runtime security takes the spotlight in emerging tech. 

Mar 06

Unifying Remote Attestation Protocol Implementations

By Blog, Featured Article No Comments

Shanwei Cen (@shnwc), Dan Middleton (@dcmiddle)

We’re excited to announce some recent attestation news. One of the hallmarks of confidential computing is the ability to build trusted communication with an application running in a hardware-based trusted execution environment. To make attestation easily accessible it can be incorporated into common protocols. That way developers don’t need to figure out all the details to build a secure protocol themselves. One of these protocols is called Remote Attestation TLS (RA-TLS), which builds on the ubiquitously used Transport Layer Security protocol underlying most secure internet communication. It turns out several projects independently implemented RA-TLS with tiny but incompatible differences. In the CCC Attestation SIG, we’ve agreed on and, in some cases, already implemented changes to make them all be able to interoperate.

The CCC Attestation SIG is chartered to develop attestation-related software aimed at improving interoperability, and to achieve harmonization and de-fragmentation between multiple projects. One approach is to identify and review projects in SIG meetings, propose improvements for interoperability and standardization, and work with these projects for implementation and tests. Interoperable RA-TLS is a great example showcasing how the SIG delivers on its charter.

RA-TLS (Remote Attestation TLS) architecture is defined in the white paper Integrating Remote Attestation with Transport Layer Security, to enable Intel® Software Guard Extensions (Intel® SGX) remote attestation during the establishment of a standard Transport Layer Security (TLS) connection. In a TLS server / client scenario, the TLS server runs inside an SGX enclave. It generates a public-private keypair, creates an SGX report with a hash of the public key in its user-data field, and gets an SGX quote for this report. It then creates an X.509 certificate with a custom extension containing this SGX quote. This customized certificate is sent to a TLS client in the TLS handshake protocol. The client gets the SGX quote from the certificate and performs remote attestation to verify that the connected server runs inside an authentic Intel® SGX enclave.

There are a few aspects of RA-TLS architecture that were not covered in this white paper. Some of the gaps include the specific X.509 extension OID value for the SGX quote, the supported types of SGX quote, and how the public key is hashed. Additionally, since the white paper was published, new TEEs like Intel® Trust Domain Extensions (Intel® TDX) and new quote formats have become available. The level of specificity in the RA-TLS paper left room for incompatibility between different implementations and prevented their interoperability.

RA-TLS has been supported in multiple open-source projects, including Gramine, RATS-TLS, Open Enclave Attested TLS, and SGX SDK Attested TLS. The CCC Attestation SIG invited these projects to its meetings for review, and recommended further investigation to look into harmonization between them for interoperability. Following up on this recommendation, we conducted an in-depth investigation and identified areas of incompatibility. We documented our findings, created a draft proposal for an interoperable RA-TLS architecture, and presented our work back to the SIG.

Based on the interoperable RA-TLS draft proposal, we refined the design, and aligned it with the upcoming DICE Attestation Architecture v1.1 draft standard on X.509 extension OID value and evidence format definition (as a tagged CBOR byte string). We created an CCC Attestation SIG github project interoperable-ra-tls to host the design documents and interoperability tests. This project also facilitates discussion among members of the RA-TLS projects and the CCC Attestation SIG community in general. In addition, we registered the needed CBOR tags with the IANA registration service. In the process, we provided feedback to the DICE Attestation Architecture workgroup for refinement of their draft standard specification.

Great progress has been made to implement this proposed interoperable RA-TLS scheme in the RA-TLS projects. We’ve worked with all the projects to create issues and pull requests for their implementations. Especially, as discussed in some of the interoperable-ra-tls project issues, Gramine and RATS-TLS have completed their implementation, and have been active in interoperability tests.

In summary, the interoperable RA-TLS work demonstrated the value of the CCC Attestation SIG in providing a constructive forum to collaborate on attestation technology. We invite you to try out the new unified implementations in Gramine and RATS-TLS. If you are interested in getting more involved, please join us at the CCC Attestation SIG or any other facet of our Confidential Computing Consortium open source community. All are welcome here.

Feb 28

CCC Newsletter – February 2023

By Newsletter No Comments

Welcome to the February 2023 edition of the Confidential Computing Consortium newsletter! We look forward to sharing every month news about projects underway, new members, industry events and other useful information to keep you updated with what’s happening at the consortium. This newsletter is also available on our website.

Recent Events

FOSDEM

The Confidential Computing Consortium participated at the Confidential Computing devroom at FOSDEM on the 4th and 5th of February. The event was organized by Jo Van Bulck and Fritz Alder, from the University of Leuven, Belgium, and Fabiano Fidencio, from Intel. This was the fourth edition of this devroom at FOSDEM. The event was very successful. The devroom, with a capacity for 80 attendees, was mostly full throughout the day. Half of the people in the devroom have heard of Confidential Computing and many of the speakers were members of the CCC. Jo and Fritz highlighted the importance of bringing developers and academia together around Confidential Computing. There was also a social event organized by Richard Searle, Chair of the EUAC.

State of Open Con

The Confidential Computing Consortium participated at the State of Open Con in London on the 7th and 8th of February. This was the first conference of its kind being organized by OpenUK and it was located at the Queen Elizabeth II Centre, in the heart of London. Amanda Brock, the Executive Director of OpenUK, kicked off the event with a keynote. Other keynote speakers included Jimmy Wales, Founder of Wikipedia, Camille Gloster, Deputy National Cyber Director from the White House, and Eric Brewer, VP Infrastructure & Google Fellow. The CCC had a booth where Nick Vidal, the CCC Outreach Chair, was joined by Liz Moy (Evervault). There was good engagement at the booth, with the presentation of demo use cases that resonated with attendees. Stephen Walli, the CCC Chair, was also present and gave a talk entitled “What do we mean by Open Governance?” Mike Bursell, co-founder of the Enarx project, gave an entertaining talk on ConfidentialComputing.

CCC Webinar: Confidential Computing in Financial Services

The last CCC webinar that happened this month of February is already available online. Featured speakers include Bessie Chu (Cape Privacy), Gavin Uhma (Cape Privacy), Mark F. Novak (JP Morgan Chase), and Richard Searle (Fortanix).

Upcoming Events

OC3

The Confidential Computing Consortium is a sponsor of the Open Confidential Computing Conference (OC3). The online conference will take place on the 15th of March. Registration is free. Stephen Walli, Chair of the CCC, will give one of the keynotes. The main keynote “Industry Perspectives: the impact and future of confidential computing” features Ian Buck, VP of Hyperscale and HPC at NVIDIA, Mark Papermaster, CTO & EVP at AMD, Mark Russinovich, CTO at Microsoft Azure, and Greg Lavender, CTO of Intel.

Confidential Computing Summit

The Confidential Computing Consortium is a co-organizer of the Confidential Computing Summit. The event will take place in San Francisco on the 29th of June. The Confidential Computing Summit brings together experts, innovators, cloud providers, software and hardware providers, and user organizations from all industries to accelerate key initiatives in confidential computing. Call for Speakers are open.

White Papers & Reports

The National Cybersecurity Center of Excellence (NCCoE) has released a draft report, NIST Interagency Report (NISTIR) 8320D, Hardware Enabled Security: Hardware-Based Confidential Computing, for public comment. The public comment period for this draft is open through April 10, 2023. Abstract from the report: In today’s cloud data centers and edge computing, attack surfaces have shifted and, in some cases, significantly increased. At the same time, hacking has become industrialized, and most security control implementations are not coherent or consistent. The foundation of any data center or edge computing security strategy should be securing the platform on which data and workloads will be executed and accessed. The physical platform represents the first layer for any layered security approach and provides the initial protections to help ensure that higher-layer security controls can be trusted. This report explains hardware-enabled security techniques and technologies that can improve platform security and data protection for cloud data centers and edge computing.

Technical Advisory Committee

As part of 2023 goals, the TAC is looking to increase the impact of the CCC in the ecosystem:

  • Cross-project Integration event for discussion.
  • Portfolio growth and maturity, hosting projects that are adopted by the community. Look into new projects from member companies and academic research.
  • Cross-org and Cross-SIG coordination.
  • Outbound education and DCI revisit.

– Dan Middleton, TAC Chair (2023)

Outreach Committee

The CCC Outreach Committee has brought in Jake Orlowitz (WikiBlueprint) as the Wikipedia consultant with the goal of facilitating the creation of a top-quality Wikipedia article on Confidential Computing on English Wikipedia using an efficient participatory approach. As a result of this collaborative participation, Mike Ferron-Jones (Intel) has shared a Wikipedia article draft.

The CCC Outreach Committee has also brought Noah Lehman (Linux Foundation) as a social media consultant with the goal of facilitating the creation of top-quality posts on Twitter and LinkedIn. In collaboration with CCC members, he’ll create up to 8 on-demand social posts per month (this includes social posts promoting ad-hoc announcements, events, news and initiatives) and up to 4 on-demand social posts per month shared on Linux Foundation social media. Noah has shared the Social Media plan with the CCC.

Kate George (Intel) has volunteered to help with the CCC Event Strategy. She highlighted 5 event objectives: 1. Raise awareness of Confidential Computing & Open-source projects under the foundation, and participating companies; 2. Accelerate the adoption of Confidential Computing; 3. Present panels, talks, and demo cases to targeted audiences – security, health care, financial services, and government. (Consider compliance piece too); 4. Recruit new members or projects; and 5. Foster collaboration and open-source. Kate and Nick Vidal have shared the Event Strategy slides and List of Events.

– Nick Vidal, Outreach Chair (2023)

ProjectsEnarxThe Enarx project is looking for a custodian, as Profian had to close its doors. Both Profian and Red Hat have invested heavily on the development of Enarx, which has reached a good stable release with a number of key components to establish the foundations for a comprehensive Confidential Computing solution. The Linux Foundation is providing full support to the project.
GramineGramine version 1.4 has been released, with important new features, including support for EDMM (Enclave Dynamic Memory Management), and performance improvements. Key milestones for 2023 include support communication with hardware accelerators (GPUs), support dynamic thread creation/destruction, support additional runtimes and workloads, integration with confidential container deployments (Kata containers, enclave-CC), interoperate with RA-TLS (standardization), support additional TEE backends (Intel TDX), and explore coarse-grained partitioning for certain I/O bound applications (DPDK).
KeystoneKeystone aims to enable TEE on (almost) all RISC-V processors. It’s very popular in academia, gaining 133 yearly citations (+28% YoY), however in the past year four students from UCB working on Keystone have graduated and left the project. Key milestones for 2023 include better application support (dynamic library), parity with industry standards, increase dev board accessibility, and work closely with the RISC-V AP-TEE working group. 

Thanks,

The Confidential Computing Consortium

Jan 26

CCC Newsletter – January 2023

By Newsletter No Comments

Welcome to the January 2023 edition of the Confidential Computing Consortium newsletter! We look forward to sharing every month news about projects underway, new members, industry events and other useful information to keep you updated with what’s happening at the consortium. This newsletter is also available on our website.

Introduction

The start of the new year is the perfect opportunity to reflect about the year that has passed and what we have accomplished collectively in 2022. It has been a pivotal year for the CCC in many regards. Please check the updates from the Technical Advisory Committee, the Outreach Committee, the CCC projects, and the Special Interest Groups.

New Members

Cape Privacy and Canonical joined the Confidential Computing Consortium.

Cape Privacy is a confidential computing platform to easily run serverless functions on encrypted data. Cape empowers developers to build secure applications which protect the underlying data and code from the cloud.

Canonical is committed to enabling Ubuntu users to leverage the strong run-time confidentiality and integrity guarantees that confidential computing provides. The mission of the Confidential Computing Consortium of driving cross-industry open source software, standards and tools greatly resonates with us and we are really excited to have joined its members.

Upcoming Events

FOSDEM

The Confidential Computing Consortium will be participating at the Confidential Computing devroom at FOSDEM. A social event is being sponsored by the CCC on the 4th of February.

State of Open Con

The Confidential Computing Consortium will have a table at the State of Open Con, a conference being organized by OpenUK in London on the 7-8th of February.

CCC Webinar: Confidential Computing in Financial Services

The next CCC webinar will happen on February 16 at 8:00 am PT. Featured speakers include Bessie Chu (Cape Privacy), Gavin Uhma (Cape Privacy), Mark F. Novak (JP Morgan Chase), and Richard Searle (Fortanix).

White Papers & Reports

The Confidential Computing Consortium has published the Common Terminology for Confidential Computing. As more companies and open source projects begin to use similar terms to describe similar paradigms that build upon hardware-based, attested Trusted Execution Environments (TEEs), it will be increasingly important that vendors use consistent terminology that describes the ways in which these new capabilities are applied within different functional domains.

Technical Advisory Committee

It was a busy year for the Technical Advisory Council (TAC). We had a number of goals for the year across the spectrum of maturing our projects to collaborating with other open organizations to acting on our diversity & inclusion plans. Attestation was a pronounced theme for the year. We revised the definition of Confidential Computing to include attestation as an essential element. The TAC approved the Veraison project which focuses on building blocks for attestation verification. We created the Attestation SIG last year and throughout 2022, it found its legs and created a good deal of content. You can browse our meeting recordings and presentations for a series of talks on Secure Channels and Attestation Formats. An outcome of this sharing led to two additional initiatives. CCC projects Gramine, Occlum, and Open Enclave SDK all rely on separate implementations of “Remote Attestation TLS.” The independent implementations were not interoperable. The Attestation SIG helped uncover and resolve variations arriving at a proposal to harmonize the implementations of those projects. Contributors to the SIG are also creating an Attested TLS proof of concept based on a similar design. We look forward to attestation of TEEs becoming a fundamental part of communications as Confidential Computing becomes pervasive.

Harmonization was not unique to the Attestation SIG. The TAC also engaged with a variety of organizations looking for opportunities for collaboration and coordination. We hosted speakers from RISC-V, MPC Alliance, IETF, TCG, CDCC, TrustedComputing.org, HomomorphicEncryption.org, PCI SIG WG, and the OCP Security SIG. In fact, most of our TAC meetings host a Tech Talk and our meetings have become a place for learning a variety of security related technical topics. As an open collaborative community, everyone is welcome to join our meetings or view the recordings. We hope to see you in one in 2023.

The TAC also had direct collateral outputs. In addition to revising our primary whitepaper, we also generated a new whitepaper which is going through the final layout. That paper focuses on terminology to give greater clarity to the different ways Confidential Computing artifacts can be packaged and what that should imply to a consumer. We were also able to collectively form a response to the OSTP’s request for comments on Privacy Enhancing Technologies (PETs).

This government interaction suggested a broader need for similar discourse. The TAC subsequently approved the creation of a Governance, Risk, and Compliance SIG. This newly chartered SIG already has representation from representatives from Meta, Microsoft, Intel, NVidia, Arm, CSA, JPMorgan Chase, Anjuna and others.

Of course, as an open source organization, our main focus is on open source projects. This year the TAC provided projects with additional resources. Our focus on diversity and inclusion took a few forms. Each of the projects were introduced to D&I training specifically for open source provided by the Linux Foundation. We made Outreachy internships available and Veracruz and Enarx piloted this membership program for the rest of the CCC. As the year progressed we created other resources for projects – increasing funding for CI, creating conference travel funding for projects, and making additional security tooling available.

All in all it has been a very productive year for the Technical Advisory Council, our SIGs, and our projects. We have a number of ambitious goals coming together for 2023 and will communicate those in a future blog.

– Dan Middleton, TAC Chair (2023)

Outreach Committee

2022 was a year of two halves. While the effects of COVID restrictions were still being felt in the first half of the year, things really turned around in the summer, and by the end of the year life was back to pre-COVID levels in most regions of the world. The outreach committee had to be nimble and adapt to the changing circumstances. In some ways, some of the impetus was to lay the foundation to hit the ground running again in 2023.

The committee implemented multiple important initiatives during this time including:

  • For the second year in a row, CCC sponsored the OC3 Summit, a virtual Open Confidential Computing Conference held in early 2022.
  • Building brand awareness and visibility in industry events like RSA. We were able to negotiate a co-marketing arrangement at no cost, whereby RSA promoted the CCC on their website, and in promotions, and CCC did the same for RSA. We’ll have a similar arrangement with RSA in 2023 as well.
  • Expanding our presence to Latin America, participating at Roadsec 2022 in Sao Paulo, the biggest hacker festival in Latin America. 
  • After a hiatus due to COVID, CCC had a presence at Black Hat USA, in Las Vegas. This included a meeting room where we received visitors wanting to learn and/or get engaged with CCC. In addition we also got exposure in some of the member booths at the show, by way of presentations, CCC handouts etc.
  • We were also able to get brand visibility at the Crypto & Privacy Village at DEF CON 2022.
  • Rekindled industry analyst interactions including recent briefing with ABI Research, and communications with Gartner, Forrester, IDC, 451 Research, OMDIA, Nemertes and other Tier 2/3 analyst firms
  • Secured a speaking spot for the consortium in the Keynote segment of the upcoming OC3 event in March 2023
  • Signed up a consultant to greatly increase our social media activities starting Jan 2023
  • Shortlisted a consultant to help guide the committee to get Confidential Computing on Wikipedia
  • Made good progress on content refresh of our website, with the updates scheduled to be rolled out in March 2023

The committee is very excited about the foundation that has been laid, and we are looking forward to a highly successful 2023!

– Ravi Sharma, Outreach Chair (2022)

ProjectsPlease find updates from the CCC projects below:

Special Interest Groups
Please find updates from the SIGs below:

Thanks,

The Confidential Computing Consortium

Close Menu