End-User Devices for Confidential Computing: Exploring Islet


Author: Sal Kimmich

As technology evolves, the need for secure and confidential computing extends beyond servers and data centers to end-user devices such as smartphones, tablets, and personal computers. These devices are increasingly used to collect and process sensitive data, necessitating robust security measures to protect user privacy. One notable project within the Confidential Computing Consortium that addresses this need is Islet.

What is Confidential Computing?

Confidential computing is a security paradigm that protects data in use by performing computation inside a hardware-based Trusted Execution Environment (TEE). The TEE isolates the workload's memory and execution state from the rest of the system, including the host operating system and hypervisor (on most platforms that memory is also encrypted), and lets a remote party verify through attestation which code is running inside it. This mitigates the risk of unauthorized access and tampering while the data is being processed, not only while it is stored or in transit.

The Importance of Trusted Firmware

Trusted Firmware is the cornerstone of Confidential Computing, providing the essential security features and isolation needed to establish a trusted execution environment. Unlike regular firmware, Trusted Firmware includes mechanisms for secure boot, cryptographic verification, and hardware-based isolation of secure and non-secure execution environments. To understand more on this topic, view our blog on Trusted Firmware. 

Islet: A Platform for On-Device Confidential Computing

Islet is an open-source project designed to enable Confidential Computing on ARM architecture devices using the ARMv9 Confidential Compute Architecture (CCA). Its primary objective is to provide a secure platform for on-device Confidential Computing, thereby protecting user privacy and enabling secure processing of sensitive data directly on end-user devices. Islet is implemented in the Rust programming language, and utilizes Rust’s inherent memory safety features to create a robust and secure environment.

Key Features of Islet

  1. Realm Management Monitor (RMM):
    • Operates at EL2 in the Realm world (R-EL2) on the application processor cores, beneath the EL3 monitor firmware.
    • Manages confidential virtual machines, known as realms: it creates them, tracks the memory delegated to them, and enters their virtual CPUs on the host's behalf, so that neither the host OS nor the hypervisor can read or modify realm state.
    • Islet RMM complies with Arm's specifications for the platform ABIs (the Realm Management Interface towards the host and the Realm Services Interface towards realms), which lets Islet integrate with the ARM ecosystem, including the Linux and KVM patches for ARM CCA.
  2. Hardware Enforced Security (HES):
    • Performs device boot measurement and generates platform attestation reports.
    • Manages the sealing key functionality within a secure hardware IP block that is separate from the main application processor.
  3. Automated Verification:
    • Incorporates formal verification techniques to harden Islet against various attack vectors.

Use Case: Confidential Machine Learning

Islet showcases its capabilities through a confidential machine learning demo. In this scenario, a user on a mobile device interacts with a chat-bot application that runs inside an Islet realm. The chat-bot processes the request and communicates with an ML server over a secure channel, so that the device-side processing and the transport are both protected end to end. This use case highlights Islet's potential for secure and private machine-to-machine computing without relying on server-side intervention to protect the user's data.

Why End-User Devices Need Confidential Computing

While traditional confidential computing solutions focus on server-side protection, securing end-user devices is equally important for several reasons:

  1. Initial Data Collection:
    • Sensitive data collection often begins at the user device level, making it crucial to protect this data from the outset.
  2. Privacy Apps:
    • As users increasingly rely on privacy-focused applications such as secure messengers, password managers, and private browsers, ensuring the confidentiality of data on these devices becomes essential.
  3. End-to-End Security:
    • By enabling confidential computing on user devices, Islet helps establish end-to-end security throughout the entire data processing path, from collection to computation.
  4. Machine-to-Machine Computing:
    • On-device confidential computing facilitates secure machine-to-machine communication, reducing the need for server intervention and enhancing overall security.

Conclusion

Confidential computing is not just for servers and data centers; it is equally critical for end-user devices. Projects like Islet within the Confidential Computing Consortium exemplify the application of Trusted Firmware principles to secure user devices. By providing a robust platform for on-device confidential computing, Islet ensures the privacy and security of sensitive data, paving the way for more secure and private user experiences.

For more information on Islet and its capabilities, visit the Islet GitHub repository.

Understanding Trusted Firmware in Confidential Computing: Coconut SVSM and VirTEE 


Author: Sal Kimmich

Trusted Firmware serves as the foundational layer in confidential computing, ensuring that the hardware and software environment’s security and integrity are maintained. Unlike regular firmware, Trusted Firmware is designed with additional security features and responsibilities to establish a Trusted Execution Environment (TEE). Here’s a deeper dive into what makes Trusted Firmware different and its role in confidential computing.


Differences Between Trusted Firmware and Regular Firmware

  1. Enhanced Security Features:
    • Regular Firmware: Primarily focuses on initializing hardware components and providing basic services to the operating system.
    • Trusted Firmware: Includes enhanced security features such as cryptographic verification of firmware components, secure boot, and mechanisms to enforce hardware-based isolation of secure and non-secure execution environments.
  2. Isolation and Trust:
    • Regular Firmware: Does not inherently provide mechanisms to isolate critical operations or sensitive data from the rest of the system.
    • Trusted Firmware: Establishes a TEE, isolating sensitive operations from the general-purpose operating system and protecting them from potential threats and unauthorized access.
  3. Responsibility and Scope:
    • Regular Firmware: Manages standard hardware initialization and operational tasks.
    • Trusted Firmware: Manages secure initialization of hardware features, authenticates and validates software components, and provides a secure execution environment for critical tasks.

Why Trusted Firmware is Necessary

Trusted Firmware is crucial for confidential computing because it provides a secure foundation that prevents unauthorized access and tampering. Here’s why Trusted Firmware is needed and how it differs from the regular OS and firmware:

Need for Trusted OS:

  • Purpose: To prevent resources from being accessed directly by the general-purpose OS running concurrently with it, such as preventing a user with root privileges from accessing sensitive resources.
  • Security: The Trusted OS runs in a separate, hardware-isolated security state with tighter security controls, ensuring that critical operations and data are protected even if the general OS is compromised.

Differences from Normal OS:

  • Size and Scope: The Trusted OS is designed to be small and secure, and it runs in an execution state the general OS cannot reach. For instance, in an ARMv8-A system the Secure Monitor provided by Trusted Firmware runs at EL3 (the highest privilege level) and the Trusted OS runs at Secure EL1 behind it, while in the Normal world a hypervisor runs at EL2 and Linux at EL1.
  • Purpose: The Trusted OS is not meant to replace the general OS like Linux, which is extensive and feature-rich. Instead, it secures specific resources and operations from the general OS.

Security Provided by Trusted OS:

  • Threat Protection: It protects the resources it manages from users of the general OS, whether an access attempt is legitimate or not: every request has to go through the Trusted OS's interface rather than reaching the resource directly.
  • Mechanism: The general OS requests a service by executing the SMC (Secure Monitor Call) instruction, which traps to the Secure Monitor at EL3; the monitor saves the Normal-world context and transfers control to the Trusted OS, then returns the result the same way.

Switching Between Trusted OS and Normal World:

  • Context Switching: Occurs when code running in the general OS needs to access a resource managed by the Trusted OS, such as decrypting content using a key only accessible by the Trusted OS.
  • Interrupt Handling: Hardware interrupts assigned to the Secure world may also trigger a switch to the Trusted OS, allowing them to be handled safely within the TEE context.
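The Normal-to-Secure switch described above, and the platform ABIs that the Islet RMM implements in the earlier post, both ride on the Arm SMC Calling Convention (SMCCC): the caller loads a 32-bit function ID into the first argument register and executes SMC, and the EL3 monitor dispatches the call by the owning-entity field of that ID. The Python below is an added example, not code from this page, from Islet or from Trusted Firmware-A. The bit layout and the PSCI, RMI and RSI function-ID values are taken from the published Arm specifications; the helper names and the reserved-bit check are our own.

```python
"""Encode and decode Arm SMCCC function IDs.

Added example (not from the page, Islet or TF-A). Layout per the Arm SMC
Calling Convention: bit 31 call type, bit 30 SMC32/SMC64, bits 29:24 owning
entity number, bit 16 SVE hint (SMCCC v1.3+), bits 23:17 reserved,
bits 15:0 function number.
"""
from dataclasses import dataclass

FAST_CALL = 1 << 31   # 1 = fast call (runs to completion), 0 = yielding call
SMC64 = 1 << 30       # 1 = 64-bit register convention, 0 = 32-bit
OEN_SHIFT, OEN_MASK = 24, 0x3F
RSVD_SHIFT, RSVD_MASK = 17, 0x7F
FUNC_MASK = 0xFFFF


def owner_name(oen: int) -> str:
    """Which entity behind the monitor handles a call with this owning entity number."""
    names = {0: "Arm Architecture", 1: "CPU Service", 2: "SiP Service",
             3: "OEM Service", 4: "Standard Secure Service",
             5: "Standard Hypervisor Service", 6: "Vendor Hypervisor Service"}
    if oen in names:
        return names[oen]
    if 48 <= oen <= 49:
        return "Trusted Application"
    if 50 <= oen <= 63:
        return "Trusted OS"
    return "Reserved"


@dataclass(frozen=True)
class FunctionId:
    fast: bool
    smc64: bool
    owner: int
    func: int

    def describe(self) -> str:
        kind = "fast" if self.fast else "yielding"
        width = "SMC64" if self.smc64 else "SMC32"
        return f"{kind} {width} {owner_name(self.owner)} call, function 0x{self.func:04x}"


def encode(fast: bool, smc64: bool, owner: int, func: int) -> int:
    """Build the 32-bit function ID a Normal-world caller places in W0/X0."""
    if not 0 <= owner <= OEN_MASK:
        raise ValueError("owning entity number must fit in 6 bits")
    if not 0 <= func <= FUNC_MASK:
        raise ValueError("function number must fit in 16 bits")
    fid = (owner << OEN_SHIFT) | func
    if fast:
        fid |= FAST_CALL
    if smc64:
        fid |= SMC64
    return fid


def decode(fid: int) -> FunctionId:
    """Split an ID the way a monitor's dispatcher does, rejecting malformed ones.

    A dispatcher that ignores the reserved bits lets two different IDs alias
    to the same handler, which is exactly what a fuzzer aimed at EL3 will probe.
    """
    if not 0 <= fid <= 0xFFFFFFFF:
        raise ValueError("function ID is a 32-bit value")
    if (fid >> RSVD_SHIFT) & RSVD_MASK:
        raise ValueError("bits 23:17 are reserved and must be zero")
    return FunctionId(
        fast=bool(fid & FAST_CALL),
        smc64=bool(fid & SMC64),
        owner=(fid >> OEN_SHIFT) & OEN_MASK,
        func=fid & FUNC_MASK,
    )


# Published IDs: PSCI (Standard Secure Service, SMC32 and SMC64 variants),
# RMI (Normal-world host at EL2 -> RMM, relayed through EL3) and RSI
# (realm -> RMM). The RMI/RSI values come from the Arm RMM specification.
PSCI_VERSION = 0x84000000
PSCI_CPU_ON_64 = 0xC4000003
RMI_VERSION = 0xC4000150
RSI_VERSION = 0xC4000190

if __name__ == "__main__":
    for fid in (PSCI_VERSION, PSCI_CPU_ON_64, RMI_VERSION, RSI_VERSION):
        print(f"0x{fid:08x}: {decode(fid).describe()}")
```

Running the block prints that all four IDs are fast calls owned by the Standard Secure Service (owning entity 4), which is why, on a CCA platform, a single EL3 dispatcher can route PSCI calls to the monitor itself and RMI/RSI calls on to the RMM purely by function number. A Trusted OS call, by contrast, carries an owning entity in the 50 to 63 range and is usually yielding, so the monitor may preempt it.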

Example Projects

COCONUT Secure VM Service Module (SVSM)

The COCONUT Secure VM Service Module (SVSM) exemplifies Trusted Firmware in confidential computing by providing secure services and device emulations for Confidential Virtual Machines (CVMs). Key features include:

  • Integration with AMD SEV-SNP: Utilizes AMD's Secure Encrypted Virtualization with Secure Nested Paging, including the VM Privilege Level (VMPL) feature: the SVSM runs at VMPL0, the most privileged level inside the CVM, so the guest operating system at a lower VMPL cannot read or modify the SVSM's memory.
  • Secure Boot and Authentication: Ensures a secure boot process and component authentication, maintaining a trusted execution path from the firmware to the CVM.

VirTEE

VirTEE is another project that demonstrates the application of Trusted Firmware principles. It focuses on:

  • Open Community Development: Collaborative development of tools for TEE bring-up, attestation, and management, supporting a wide range of virtualization platforms.
  • Support for Multiple Technologies: Includes tools and libraries for AMD SEV, SEV-SNP, and Intel TDX, providing comprehensive support for secure virtualization across different hardware platforms.

Discover more about VirTEE via their project repository. 

Conclusion

Trusted Firmware is essential for establishing and maintaining secure and reliable confidential computing environments. It provides enhanced security features, isolation, and trust mechanisms that are not present in regular firmware. Projects like COCONUT-SVSM and VirTEE illustrate the practical application of Trusted Firmware principles, showcasing robust frameworks for secure virtualized environments and cross-platform confidential computing. These projects ensure the integrity and confidentiality of sensitive data and operations, advancing the field of secure computing.


OPPO Joins the Confidential Computing Consortium: Advancing Privacy and Security for a Smarter Future



We are thrilled to announce that OPPO has become a General member of the Confidential Computing Consortium, a global community dedicated to advancing privacy and security through cutting-edge technology. This exciting development reflects our commitment to safeguarding user privacy and delivering secure, reliable smart life experiences.

Commitment to Privacy and Security

OPPO fully understands the significance of user privacy and consistently prioritizes security above all else. Our products and services are designed with robust security features, including high-strength data encryption, secure transmission and storage, and rigorous access control mechanisms. These measures ensure that our offerings meet high-level information security assessments and certifications, establishing a comprehensive privacy protection system.

As a member of the Confidential Computing Consortium, OPPO will collaborate with industry leaders, innovators, and researchers to push the boundaries of privacy protection. Our goal is to contribute to technological innovation and explore new frontiers in confidential computing, enhancing the security and reliability of smart devices and services.

By joining the Confidential Computing Consortium, OPPO aligns itself with a community committed to developing open-source technologies and standards that enhance data privacy. This partnership enables OPPO to: work alongside leading companies and organizations to share knowledge and best practices, drive innovation in privacy protection, enhance user trust and participate in groundbreaking research and development efforts that set new standards for data security in the technology industry.

What Is Confidential Computing?

Confidential computing is an emerging technology that focuses on protecting data while it is being processed. Unlike traditional security measures that protect data at rest or in transit, confidential computing ensures that data remains secure during computation by using hardware-based trusted execution environments (TEEs). This approach provides a higher level of assurance and privacy, particularly in cloud and edge computing environments.

OPPO’s membership in the Confidential Computing Consortium is a significant milestone in our journey toward creating a more secure and trustworthy digital world. We are excited to work hand in hand with colleagues from various sectors to explore the limitless possibilities of confidential computing and to continue delivering unparalleled security and privacy to our users.

We invite our partners, customers, and stakeholders to join us in this exciting new chapter as we pave the way for a smarter, safer future. Together, we can make a difference in the world of technology and privacy.



Catch the Exclusive Interview with Mike Bursell at the Confidential Computing Summit 2024


The Confidential Computing Summit 2024, the premier event for confidential data and AI, triumphantly returned to San Francisco this summer on June 5-6. With a larger and more comprehensive two-day conference, this year’s event brought together the brightest minds in confidential computing and privacy-preserving AI to explore emerging technologies and innovative solutions.

Did you miss the Summit? We’ve Got You Covered!

If you missed this year’s conference, don’t worry, you can still catch the sessions, including an exclusive interview with Mike Bursell, Executive Director at the Confidential Computing Consortium. Mike’s insights offer an in-depth look at the latest developments and future directions in confidential computing and privacy-preserving AI.

Learn from the Best

Hear from industry leaders, innovators, and researchers as they delve into the cutting-edge technologies shaping the future of confidential data and analytics. Gain valuable knowledge from experts on how confidential computing is revolutionizing data security and AI applications, offering new privacy and data protection solutions.

  • Mike Bursell’s Interview: Discover his perspective on the critical role of confidential computing in safeguarding sensitive data and the future of privacy-preserving AI.
  • Conference Sessions: Explore other engaging sessions and panel discussions from the Summit to stay ahead of the curve in confidential computing technologies.

Why You Should Tune In

  • Exclusive Insights: Gain access to thought leadership from key figures in the industry.
  • Emerging Technologies: Get a front-row seat to the latest advancements and trends in confidential data and AI.
  • Networking Opportunities: Connect with fellow professionals and experts in the field.


Automata Joins the Confidential Computing Consortium as a Startup Member


We are thrilled to announce that Automata has joined the Confidential Computing Consortium as the most recent Startup member, bringing their expertise in machine attestation and secure computation to our community. Automata is a machine attestation layer built by humans and designed for machines. It performs verifiable computation over stateless data using secure hardware, extending machine trust to Ethereum with Trusted Execution Environments (TEEs) in a design it calls TEE Coprocessors.

Why TEE Coprocessors?

TEEs are a cornerstone of confidential computing. They create a secure enclave by isolating and encrypting the memory it uses, which lets us guarantee the integrity and confidentiality of computations performed inside a TEE.

  • Integrity: TEEs verify that the data and code being run are authentic. Through remote attestation, a relying party can confirm that a computation was executed by a genuine TEE running the expected code.
  • Confidentiality: TEEs provide technical assurance that computations are protected from access by untrusted parties, including the operator of the host machine.

Coprocessors extend blockchain functionality by performing off-chain computations over on-chain data within a parallel environment—in this case, a TEE. Our experience with TEEs on the blockchain, from moving TEE stack components on-chain to designing and deploying TEE-backed applications, has shown that secure hardware is a practical and promising way to handle workloads in a decentralized setting.

Automata and Confidential Computing

Recently, Automata has made significant advancements in on-chain computation. We have implemented what we believe to be the first complete DCAP attestation workflow on the blockchain, allowing for the caching of attestation collaterals in a decentralized repository that the community can contribute to and maintain.

Additionally, we introduced Multi-Prover AVS on EigenLayer, a restaking protocol that enhances the security of rollups with a secondary TEE Prover. Our work with TEEs demonstrates the feasibility of using secure hardware as the building blocks for interacting with blockchains, upholding core values of openness and verifiability.

This aligns with the spirit of the Confidential Computing Consortium. We are excited about the renewed energy around confidential computing. We are committed to contributing to the long-term success of TEEs as the de-facto medium of computational integrity on the web. We also aim to motivate further research into trust-minimized, confidential implementations for both applications and infrastructure.


Hushmesh: Building a Secure Future with Confidential Computing


Author: Manu Fontaine

At Hushmesh, a U.S.-based Public Benefit cybersecurity startup, we see Confidential Computing as a foundational technology for all things digital, paving the way for an inherently secure and private Internet. Imagine a future where Confidential Computing underpins a “universal zero trust” model at the chip level, whereby privacy and security are built into our digital infrastructure instead of bolted on.

Traditionally, data security and privacy are bolted on after the fact with a patchwork of point-solutions on top of an insecure infrastructure. However, with Confidential Computing, these critical elements can become inherent to the infrastructure, automated directly at the chip level without human intervention.

Our vision at Hushmesh is to utilize Confidential Computing to build the Mesh, a global information space and infrastructure, like the Web, but with automated end-to-end cryptographic security and privacy built in for everything and everyone. As Hushmesh CEO Manu Fontaine puts it, “Confidential Computing is the necessary technology to deliver digital peace of mind at internet scale. The Mesh is the definitive solution to identity theft, data breaches, fakes, and fraud.”

The potential of Confidential Computing extends beyond what is currently imaginable. By embedding security into the very fabric of our digital infrastructure, we aim to eliminate the vulnerabilities that threaten our digital lives, and to move towards a future where trust is inherent, not an afterthought. The need for this transformation is urgent, and we must act now to secure our digital future.

Confidential Computing is not just a technological advancement but a paradigm shift. It challenges us to rethink how we approach security and privacy for the next phase of the digital age, pushing us towards an inherently secure and trustworthy Internet for everyone. At Hushmesh, we are excited to be at the forefront of this revolution, working towards a future where Confidential Computing is ubiquitous. Without Confidential Computing, universal zero trust is simply not possible.

Join us on this journey to redefine digital security and privacy with Confidential Computing. Together, we can shape a future where our digital lives are secure and private, where trust is inherent, not an afterthought. Your participation is crucial in this collective effort to make the Internet what we all need it to be.

Read The Case for Confidential report here.

Manu Fontaine is the Founder and CEO of Hushmesh, the public benefit corporation developing and operating the Mesh. You can think of the Mesh as a global information space, like the Web, but with universal zero trust built in. Secured by the Universal Name System (UNS) and Universal Certificate Authority (UCA), the Mesh delivers what the Web never could: the global assurance of provenance, integrity, authenticity, reputation, confidentiality, and privacy for all bits within it, be they code or data, at internet scale. The Mesh is the definitive solution to identity theft, data breaches, fakes, and fraud. Hushmesh is developing privacy-preserving wallet and verifier Mesh agents for DHS SVIP, alongside secure “meshaging” for the North Atlantic Treaty Organization Defence Innovation Accelerator for the North Atlantic (NATO DIANA) Secure Information Sharing Challenge. www.hushmesh.com

Confidential Computing Consortium Enhances PETs Integration at Asia Pacific PET Summit


Authored by Mike Bursell

On Tuesday, July 16th, the Confidential Computing Consortium proudly served as the Associate Sponsor for the third PET Summit in the Asia Pacific region, held once again in Singapore. This year’s event took place at the Marina Bay Sands Expo & Convention Centre, timed to coincide with Singapore’s Personal Data Protection (PDP) Week, and was supported by the IMDA (Infocomm Media Development Authority), Singapore’s leading organization for promoting digital innovation in business and society.

The summit saw a fantastic turnout. With over 400 registrations, the main hall was buzzing with activity, and the breakout hall next door was equally busy, hosting lively discussions among customers, ISVs, government representatives, and academic researchers. The attendees’ active participation and engagement were key to the success of the event.

IMDA’s Chief Executive, Chuen Hong LEW, kicked off the event, followed by an introduction from Mike Bursell, the CCC’s Executive Director. This year, the summit shifted the focus from simply educating about Privacy-Enhancing Technologies (PETs) to exploring their implementation, real-world use cases, and evangelization. A key highlight recognized the diverse range of PETs as an opportunity to match solutions to business needs, allowing organizations to choose the best-suited technologies rather than being limited to a single approach.

This addition is a significant win for Confidential Computing, which can integrate seamlessly with various PETs, enhancing privacy and transparency. This was highlighted in a panel discussion moderated by Mike Bursell titled “How Privacy-Enhancing Technologies (PETs) & Confidential Computing Balance Privacy & Transparency.” Panelists included Jesse Schrater (Intel), Zheng Leong (Automata Network), Anubhav Nayyar (Silence Laboratories), and Mark Bundgaard (Partisia). Following this, Mike introduced Confidential Computing and its potential, especially in multi-party and collaborative computing use cases.  Another session, also moderated by Mike, emphasized the need for PET evangelization at the organizational level, advocating for solutions that address specific business needs rather than adopting a “technology looking for a problem” approach.

The summit also highlighted the growing interest in Confidential Computing across the Asia Pacific region. Attendees included representatives from global organizations with a regional presence, local companies, and regional and national business organizations. A common theme in the moderated roundtable session was the importance of collaborating with regulators and standards bodies to promote accepted norms for deployments. The CCC actively encourages and coordinates this effort through its GRC (Governance, Risk, and Compliance) Special Interest Group.

For more information about the GRC Special Interest Group or other parts of the CCC, please visit here.

Announcing Invary’s Membership and Our New Start-Up Tier


We are thrilled to announce that Invary has joined the Confidential Computing Consortium (CCC) as a start-up member! Invary’s mission to protect people, organizations, and governments from hidden cyber threats aligns perfectly with our commitment to advancing secure computing technologies.

Invary brings a wealth of expertise in cyberthreat detection and mitigation, enhancing the Consortium’s efforts to foster secure, privacy-preserving computing environments. Their innovative solutions and dedication to cybersecurity will be invaluable as we work together to promote and develop open standards for confidential computing.

Invary’s remote attestation service enhances the security of Trusted Execution Environments (TEEs), ensuring data remains encrypted and inaccessible to unauthorized users during processing.

We look forward to collaborating with Invary to drive forward the adoption of confidential computing, ensuring robust protection against cyberthreats for all users. Welcome, Invary, to the Confidential Computing Consortium!

Jason Rogers, CEO of Invary, on joining the CCC said, “We are excited to join the Confidential Computing Consortium and look forward to collaborating with experts focused on data privacy and cybersecurity. We are grateful for the opportunity provided by the CCC’s Startup Program and eager to share our expertise in Runtime Integrity and Attestation.”

In addition to welcoming Invary, we are thrilled to introduce a new membership tier tailored specifically for start-ups. This initiative empowers emerging companies by offering them a unique opportunity to join the CCC community free of charge for the first 12 months. We are excited about the potential of this new offer and look forward to seeing the innovative contributions from start-ups.

Why This Matters

Confidential Computing is revolutionizing data protection and processing. The use of hardware-based techniques to isolate sensitive data ensures security even during processing. As the field evolves, collaboration and innovation become increasingly crucial to keep up with advancements. The CCC plays a pivotal role by uniting industry leaders, researchers, and innovators to drive the future of secure computing. This is a call for start-ups to join this collaborative effort and contribute to the future of secure computing.


Join Us


For start-ups interested in joining, our new membership tier provides an excellent opportunity to be part of a leading community in secure computing. Take advantage of this chance to contribute, collaborate, and innovate in Confidential Computing.

Welcome to the future of secure computing. Welcome to the CCC!


June Newsletter


In Today’s Issue:

  1. Executive Director June Recap
  2. NEW ANNOUNCEMENT!
  3. Securing the Software Supply Chain
  4. Community News
  5. OSS EU 2024, Confidential Computing Mini Summit

Executive Director June recap

It was great to meet so many of you at the Confidential Computing Summit in San Francisco, both at the CCC sponsored meet-up at a local speakeasy and at the conference itself. I would in particular like to thank everyone who engaged with and supported the work we’re doing at the CCC, by coming to the booth, talking to us in person and, of course, attending and speaking at sessions. As well as a great deal of discussion around use cases (with a particular focus on AI), many people were interested in getting involved in discussions around business models for remote attestation, one of several topics I brought up in my keynote session (regulator and standards engagement was another popular one). If you’re interested in getting involved, please let me know!

Combined with a number of podcasts, webinars and panel discussions at various conferences, interest in and visibility of Confidential Computing really seems to be picking up. We’ve got a working group on repositioning the CCC’s messaging to ensure that we’re able to respond to industry and ecosystem interest: we’d love more involvement in this as well.

Exciting News for Start-ups!

The Confidential Computing Consortium (CCC) has launched a new membership tier tailored for start-ups, offering a complimentary first-year membership. This initiative aims to empower emerging companies by providing access to vital resources, collaborative opportunities, and industry insights. Eligible start-ups can connect with leaders, gain educational materials, and influence industry standards. This is a fantastic chance to be part of the future of secure computing. 

 To learn more and apply, visit the Confidential Computing Consortium blog.

Securing the Software Supply Chain

In the wake of SolarWinds and other high-profile supply chain attacks, Confidential Computing offers new ways to protect the integrity of the software we all rely on. 
Recently we heard from Chad Kimes of GitHub and Marcela Melara from Intel on securing the software supply chain. They shared their work on SLSA, in-toto and CI/CD for secure, attestable builds. You can watch their tech talk here.

Community News

Meet us at Open Source Summit

Bringing EU Community Together

CCC is hosting the “Confidential Computing Mini Summit” at the Open Source Summit EU in Vienna, Austria.

  • ⏰ Time: 13:30 – 17:00
  • 🎫 Mini Summit Registration Fee: $10
  • 💰 20% Discount Code for Main Summit: OSSEUCOLOSPK20
    (*Note: Registration for the main conference is required to attend the Mini Summit.)
  • Register Here

Have a topic you want to present at the Mini Summit? Submit CFP Here

COCONUT-SVSM Joins the Confidential Computing Consortium: Enhancing Security for Sensitive Workloads


The Confidential Computing Consortium (CCC) welcomes a new project: the COCONUT Secure VM Service Module (COCONUT-SVSM), which aims to be a game-changer for secure service provision within confidential virtual machines (CVMs). This is a significant step forward for the project.


Published by SUSE in March 2023, the project has built an active developer community with major industry players contributing, including AMD, Microsoft, IBM, Intel, Red Hat and Google. By joining the CCC the project gains enhanced visibility and even more collaboration opportunities within the confidential computing community, and is set for further community growth.

Building a Secure Foundation for Confidential VMs

COCONUT-SVSM was started by SUSE and is now hosted by the Linux Foundation (LF), known for fostering open-source collaboration. This choice reflects the project’s commitment to open development and community involvement. COCONUT-SVSM aims to become a platform that delivers essential services to CVMs. These services, which cannot be provided by the host VMM in a secure way, include:

  • Virtual TPM emulation: This functionality provides a secure Trusted Platform Module within the CVM, enabling functionalities like secure key generation and storage, and also enabling full remote attestation of workloads.
  • UEFI variable store: This secure storage area safeguards critical configuration data for the CVM and enables secure boot on some platforms.
  • Live migration for CVMs: This feature allows for seamless movement of running CVMs across different physical hosts without compromising security.

The key advantage of COCONUT-SVSM lies in its secure execution environment. It operates within the trust boundary of the CVM, but is still isolated from the guest operating system. This isolation ensures that even if the guest operating system is compromised, the security of the services offered by COCONUT-SVSM remains intact.

Benefits for Confidential Computing

This integration will enable users to enhance their confidential VM setups with features like:

  • Secure Remote Attestation: This allows for verifying the integrity and trustworthiness of the execution environment, a crucial requirement for running sensitive workloads and protecting data.
  • End-To-End Data Security: Users can guarantee that their data is always encrypted and never visible to any unauthorized party during storage, transmission, and processing.
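Both the Automata post’s description of integrity through remote attestation (a genuine TEE signs a report over what it is running) and the “Secure Remote Attestation” benefit listed here come down to the same verifier-side checks: is the report authentic, is it fresh, and does the measured code match policy. The Python below is an added example, not code from this page, from Automata or from COCONUT-SVSM. The report layout, the nonce handling and the reference measurement are constructed for illustration, and the report signature is stood in by an HMAC with a shared key so that it runs on the standard library alone; a real verifier checks an asymmetric signature rooted in the vendor’s certificate chain (for SEV-SNP, the VCEK chain) at that same step.

```python
"""Verifier-side checks for a remote-attestation report.

Added example, not code from the page, Automata or COCONUT-SVSM. The
report format, nonce handling and reference measurement are constructed
for illustration. The HMAC stands in for the hardware-rooted asymmetric
signature a real TEE produces; certificate-chain verification of that
signature slots in at the same point.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

# Constructed: the only workload image the verifier is willing to trust.
APPROVED_IMAGE = b"approved-workload-image-v1"
REFERENCE_MEASUREMENTS = {hashlib.sha256(APPROVED_IMAGE).hexdigest()}
# Constructed stand-in for the attestation key that only a genuine TEE holds.
ATTESTATION_KEY = b"constructed-attestation-key"


def _canonical(body: dict) -> bytes:
    # Sign a canonical serialisation so attester and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_report(image: bytes, nonce: bytes, key: bytes = ATTESTATION_KEY) -> dict:
    """Attester side: measure the loaded image, bind the verifier's nonce, sign."""
    body = {"measurement": hashlib.sha256(image).hexdigest(), "nonce": nonce.hex()}
    return {"body": body, "sig": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


class Verifier:
    def __init__(self, key: bytes = ATTESTATION_KEY, references=REFERENCE_MEASUREMENTS):
        self.key = key
        self.references = set(references)
        self._outstanding: set[str] = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        """Fresh per-session nonce; a report that does not carry it proves nothing."""
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce.hex())
        return nonce

    def verify(self, report: dict) -> tuple[bool, str]:
        body = report.get("body", {})
        # 1. Authenticity: nothing in the body can be trusted until the signature checks.
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(report.get("sig", ""))):
            return False, "signature invalid: not produced by the attestation key"
        # 2. Freshness: the nonce must be one we issued and not yet used (defeats replay).
        nonce = body.get("nonce")
        if nonce not in self._outstanding:
            return False, "nonce unknown or already consumed: possible replay"
        self._outstanding.discard(nonce)
        # 3. Policy: the measured code must be one we have approved.
        if body.get("measurement") not in self.references:
            return False, "measurement not in reference set: unexpected code running"
        return True, "ok"


if __name__ == "__main__":
    v = Verifier()
    print(v.verify(issue_report(APPROVED_IMAGE, v.challenge())))
```

The order of the checks matters: the signature is verified before the nonce is consumed, so an unauthenticated forgery cannot burn a legitimate session’s nonce, and a replayed report fails on the second step even though its signature is still valid. Confidentiality follows from integrity in practice: a relying party releases keys or data to the workload only after `verify` returns `True`, so code that is not in the reference set never receives the secret.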

Ultimately, these features empower users to fully protect their data even in untrusted environments like the public cloud. This paves the way for secure cloud deployments and confidential computing adoption across various industries.

Industry Leaders Support COCONUT-SVSM

COCONUT-SVSM is gaining traction within the tech industry, with key partners recognizing its potential to advance confidential computing. Here’s what some industry leaders have to say about COCONUT-SVSM:

AMD
“SUSE and AMD have a long history of collaborating on the development of the Linux ecosystem and confidential computing technologies for AMD EPYC Processors,” said Frank Gorishek, corporate vice president, Software Development, AMD. “We are thrilled to see COCONUT-SVSM join the CCC as an open source implementation of the AMD SVSM specification for SEV-SNP. AMD is committed to open source technologies such as COCONUT-SVSM as a catalyst for collaborative innovation on transformative technologies such as confidential compute.”

Microsoft
“A secure environment like COCONUT-SVSM can play a valuable role in confidential computing,” a spokesperson from Microsoft Hyper-V said. “It can hold secrets and provide virtualization services seamlessly to improve the usability of CVMs.”

Open Governance and Continued Growth

The COCONUT-SVSM project fosters open collaboration. SUSE’s Jörg Rödel, as the founding developer, is the current lead maintainer. In the future, a broader project leadership will be established by a Technical Steering Committee (TSC) consisting of at least 3 lead people to ensure diverse perspectives guide the project’s direction.


The project community collaborates via its GitHub organization, a mailing list and in weekly community meetings. There the project’s future, current challenges, and contributions from a broad developer base are discussed.


Every developer passionate about confidential computing and secure service provisioning is invited to start contributing to COCONUT-SVSM and support the continued growth of the project.

The Meaning Behind the Name

The name COCONUT is a play on the term “CoCo,” a common abbreviation for confidential computing. The “coconut” metaphor reflects the project’s focus on robust security, symbolizing a hard-to-crack shell protecting the integrity of sensitive data.


By joining the Confidential Computing Consortium, COCONUT-SVSM is set to make significant contributions to the field of confidential computing. The community is excited to see the project flourish within the CCC and invites all those interested in secure virtualization technology to join the thriving COCONUT-SVSM project. Together, we can bring confidential computing and end-to-end data protection forward for a wide range of industries and applications.