Ensuring data security at run-time has long been an open computing challenge and a tough problem to solve. This gap arises because data must be decrypted in system memory for processing, even when it is stored encrypted. This exposes it to a large attack surface of threats posed by potentially malicious system software, such as a compromised operating system, hypervisor, or firmware, as well as individuals with elevated privileges. Confidential Computing is an industry movement to address this security gap, designed to protect data in use. Intel® Trust Domain Extensions (Intel® TDX) is Intel’s latest addition to their confidential computing portfolio.
To make use of these new hardware primitives, the entire software stack needs to be enlightened. To address this, Canonical and Intel have forged a strategic collaboration, enabling customers to always have access to an Intel-optimised Ubuntu build, which has all the latest necessary end-to-end host-to-guest patches available by default, even before they make it upstream. As the upstreaming process progresses, these patches will subsequently also become available on the generic Ubuntu images.
Intel® TDX on 5th Gen Intel® Xeon Scalable Processors
Intel® TDX introduces new architectural elements that address the challenge of run-time security in virtualised environments head-on. Intel TDX has been designed to establish secure and isolated virtual machines known as trust domains (TDs), and to protect them from various potential software threats, including those originating from the virtual-machine manager and other non-trust domain software on the platform. Intel TDX also strengthens defence against specific physical access attacks on platform memory, such as cold-boot attacks and active attacks on DRAM interfaces. To achieve this, Intel TDX capable CPUs incorporate a new AES-128 hardware encryption engine which encrypts memory pages at run-time, using an encryption key that is protected by the TDX hardware root of trust and is exclusively accessed by the TD guest owner.
To achieve such strong security guarantees, the solution relies on Intel’s innovations at the silicon level. Initially, this capability was only available on select SKUs of their 4th Gen Intel® Xeon scalable processors, offered via a limited number of public cloud providers. Now, Intel has announced general Intel TDX market availability through its 5th Gen Intel® Xeon Scalable processors, formerly code-named Emerald Rapids.
5th Gen Intel® Xeon® Scalable processors help maximise the longevity and return on IT investments with compatibility with the previous generation to minimise testing and validation. Intel’s industry-leading portfolio for data security helps unlock opportunities with silicon-based security features and trust services.
“Intel has a well-established and collaborative relationship with Canonical, and we work closely to enable our security capabilities within the Ubuntu operating environment. Through our collaboration, Canonical now offers an Intel-optimised version of their enterprise distributions that incorporates all the latest Intel TDX architectural elements and innovations in 5th Gen Xeon Scalable processors. This will provide customers with the confidence that their most sensitive data is more secure, while also helping maintain privacy and promote compliance.“– Mark Skarpness, Vice President and General Manager of System Software Engineering, Intel.
“We are excited to extend our long-standing partnership with Intel into Intel TDX! This will enable 5th Gen Intel Xeon Scalable processors’ users to start building their confidential computing infrastructure with Ubuntu today, and benefit from its strong hardware-rooted confidentiality and integrity security guarantees”, said Cindy Goldberg, VP of Silicon Alliance, Canonical.
For customers and end-users eagerly anticipating the hardware upgrade, it fully unlocks the potential of these silicon security innovations and also necessitates enablement at the software level. In the Linux ecosystem, achieving this involves the upstreaming of patches before integration into downstream distributions. This is a time intensive process, and with it comes the imminent risk of a widening gap between silicon innovation and software readiness, which will only get compounded as Intel continues to push the boundaries of hardware innovation for 5th Gen Intel Xeon scalable processors and beyond.
A staged approach to enable Intel® TDX for confidential computing
The results of this strategic partnership are already here, with our recently released Intel TDX private preview on Ubuntu 23.10, it is empowering our customers to confidently start their confidential computing journey with Ubuntu on Intel TDX today, while also laying the groundwork for more extensive and long-term plans for Ubuntu 24.04 LTS and beyond.
Canonical’s vision for Intel TDX on Ubuntu is ambitious and all-encompassing. Once customers acquire a 5th Gen Intel Xeon Scalable processor, they will be ready to easily deploy both an Ubuntu host for Intel TDX with the kernel, Libvirt QEMU, and Trust Domain Virtual Firmware (TDVF), and an Ubuntu guest Intel TDX VM equipped with the necessary enlightened kernel, Shim, and Grub.
Security maintenance and enterprise support
Anticipating Intel TDX’s integration into the generic Ubuntu 24.04 images, Canonical is taking an incremental approach to the level of security maintenance and enterprise support the company offers for these Intel TDX optimised builds. Starting with Ubuntu 23.10, an Intel TDX limited preview is already live for both host and guest enablement, where Canonical provides user-friendly scripts for effortless confidential environment setup. Remote attestation capability is expected by December 2023, and setup assets are accessible on GitHub. Canonical leads first line support during this technical preview, with Intel handling second line support. The 6.5 kernel stays updated with security patches, and user space PPAs for QEMU, Libvirt, and TDVF track upstream changes.
Looking ahead
This strategic collaboration effort between Canonical and Intel marks a significant commitment to advancing confidential computing. Beyond the immediate benefits of Intel TDX, this partnership seeks to bridge the ever-growing gap between cutting-edge silicon innovation and the software ecosystem’s ability to keep pace. Organisations can now confidently embrace the full potential of Intel TDX, ensuring a secure and optimised experience for end-users.
Furthermore, the availability of Ubuntu-based Intel TDX on many major public cloud providers, including Microsoft Azure and Google Cloud, empowers you to confidently start the development of your multi-cloud hybrid confidential computing strategy with Ubuntu today, providing a unified and secure environment for your computing needs.
Canonical invites you to deploy the Ubuntu Intel TDX build, and share your valuable feedback and questions. Get started with confidential computing and share your feedback with us. Your input is crucial as we collaboratively drive innovation and fortify data security for the future.
About Canonical
Canonical, the publisher of Ubuntu, provides open source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone.
Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries .
Source: cyberpogo.com