In 2023 we focused on growing three things: our projects, ecosystem recognition, and our community.
Our technical community made great strides on each of these. Our open source project portfolio is wider and more mature. Outside of the CCC we contributed security expertise to public documents and standards organizations. As we grew to deliver these projects and papers, we maintained our emphasis on growing a positive community where everyone is welcome, and anyone can learn and contribute.
Projects
We grew projects in two vectors. First, for our existing projects we wanted to make sure they were useful and adopted. The prime example of that is Gramine moving to Graduated status as a reflection of its maturity and broad adoption.
Second, as a still young consortium we have plenty of room to add projects to address new areas or bring new approaches to existing areas. We are delighted to have made a home for new projects originating from Red Hat, Intel, VMWare/Broadcom, Samsung, and Suse. They join a portfolio originally provided by Red Hat, Microsoft, UNC, Intel, UC Berkeley, and Arm. These projects are now in an open governance setting where individuals unaffiliated with these organizations can bring their talents and contributions.
VirTEE provides tools and libraries to make development, management, and attestation of Virtualization-based Confidential Computing easier.
Spdm-rs implements key protocols to bring devices into the Confidential Computing boundary like accelerators for AI/ML workloads.
The Certifier Framework aims to bridge across different Confidential Computing environments for one coherent application experience.
Islet broadens our portfolio from a cloud and server focus out to phones and other mobile devices.
Finally, coconut-svsm creates a secure layer under the OS to provide trusted capabilities like virtual TPMs.
Some of these projects are still on-boarding and will be listed on the CCC website soon.
Ecosystem
One of the exciting things about Confidential Computing is that it is both developing and yet already in production. As an open source organization, we tend to focus on the development, but we also serve a role in explaining how to use it in production to solve real problems.
In 2023 we generated a number of articles in plain language about topics from attestation to homomorphic encryption. We also broadened out from our own channels to respond to government RFCs and engage other standards organizations. Our Governance, Risk, and Compliance SIG takes point on these matters and coordinates inputs from our community’s wide pool of subject matter experts. You are welcome to join us on Wednesdays.
The Attestation SIG is one of our most educational forums. This past year we made sense of a wide array of formats and attestation patterns. Our Cloud Service Providers (CSPs) discussed their attestation services and took inputs on how to evolve them to meet emerging standards while contributors from IETF, TCG, and other standards organizations shared their directions and took input on how to address requirements from hardware, software, and service vendors. The SIG also harmonized attestation approaches for TLS. A subteam produced a spec, implemented some open-source code and got the spec adopted in the IETF. All that in ~1 year, which by standardization time standards is quite a remarkable feat. To contribute or learn more please join us Tuesdays or make some popcorn and enjoy our youtube feed.
In our last TAC meeting of the year we ratified a new SIG. We all rely so much on the Linux kernel and yet that’s not an area where the consortium has focused. We’ll be writing up more about our plans in a separate post, but for now we’ll just note that in 2023 we recognized that engaging more with the Linux Kernel community is one of the most important things we can do to make Confidential Computing easy to adopt.
Community
It’s said that culture is more important than any individual policy or initiative of an organization. In the CCC we have a culture of Inclusivity and of Minimum Viable Governance. One way to think about that is we prioritize our resources in ways to include everyone. In the past that has included funded internships to welcome people to our community. 2023’s incremental step was identifying conferences where we can reach communities that are underrepresented in the CCC. In some cases we became aware of a conference after a deadline and so headed into 2024 we look to build on what we learned in 2023 to reach the widest possible audience. Given the rate of growth we saw in 2023, 2024 is going to be a big year for Confidential Computing and our Consortium. We are glad to have a sound culture to grow from and the opportunity to expand to make computing more secure.
Finally, as just a teaser for one more announcement hitting the news in 2024… we closed out 2023 by hiring a Technical Community Architect. We found an excellent energetic person to help activate things for CCC maintainers, grow contributors, and help champion our projects in the open source ecosystem.
2024 is going to be great!
