Learn about Confidential Computing Attestation

This post series presents various forms of attestation for various Confidential Computing use cases. Confidential Computing is a set of technologies designed to protect data in use, for example using memory encryption. Data at rest (on disk) and data in transit (over the network) can already be protected using existing technologies. Attestation, generally speaking, is the process of proving some properties of a system. Attestation plays a central role in asserting that confidential systems are indeed confidential.

This series focuses on four primary use cases:

1. Confidential virtual machines
2. Confidential workloads 
3. Confidential containers
4. Confidential clusters

Establishing a solid chain of trust in each case uses similar, but subtly different techniques. This is an evolving field, where new techniques are continuously being developed.

Confidential computing primer

May 2, 2023 - Christophe de Dinechin, David Gilbert, James Bottomley

This article is the first in a six-part series in which we present various usage models for confidential computing, a set of technologies designed to protect data in use—for example by using memory encryption—and the requirements to get the expected security and trust benefits from t​​he technology...Read full post

Attestation in confidential computing

May 4, 2023 - Christophe de Dinechin, David Gilbert, James Bottomley

This article is the second in a six-part series where we present various usage models for confidential computing, a set of technologies designed to protect data in use—for example using memory encryption—and the requirements to get the expected security and trust benefits from t​​he technology…Read full post

Confidential computing use cases

May 16, 2023 - Christophe de Dinechin, David Gilbert, James Bottomley

This article is the third in a six-part series where we present various usage models for confidential computing, a set of technologies designed to protect data in use—for example using memory encryption—and the requirements to get the expected security and trust benefits from t​​he technology…Read full post

Confidential computing: From root of trust to actual trust

June 2, 2023 - Christophe de Dinechin, David Gilbert, James Bottomley

This article is the fourth in a six-part series where we present various use cases for confidential computing—a set of technologies designed to protect data in use, like memory encryption, and what needs to be done to get the technologies’ security and trust benefits…Read full post

Confidential computing platform-specific details

June 16, 2023 - Christophe de Dinechin

Confidential Computing is a set of technologies designed to protect data in use (for example, it provides memory encryption). This article is fifth in a six-part series about various Confidential Computing usage models, and the requirements to get the expected security and trust benefits.…Read full post

Confidential computing: 5 support technologies to explore

June 22, 2023 - Christophe de Dinechin

This article is the last in a six-part series presenting various usage models for Confidential Computing, a set of technologies designed to protect data in use. In this article, I explore interesting support technologies under active development in the confidential computing community..…Read full post

Chains of trust in Confidential Computing - KVM Forum 2023 

This technology can be used in a number of ways, notably to implement Confidential Virtual Machines, Confidential Containers and Confidential Clusters. This talk explores the various chains of trust required to preserve confidentiality in each of these use cases. In each scenario, we will describe the root of trust, what is being proven, who verifies the proof, and what a successful verification allows, We will discuss techniques and technologies such as local and remote attestation, firmware-based certification, the use and possible implementations of a virtual TPM, attested TLS. We will also discuss the different requirements to attest an execution environment, a workload, a user, or a node joining a cluster.