Brussels / 3 & 4 February 2024


Linux on a Confidential VM in a cloud: where's the challenge?

Confidential instance types (or CVMs) are the newest addition to public clouds like Microsoft Azure, Google Cloud Platform (GCP) and Amazon Web Services (AWS), some are already generally available and some are still in development/preview. Can we just bring existing general purpose Linux distributions to these environments and get the advertised confidentiality guarantees? Do we need to develop something or maybe we just need to have a specific OS image configuration to enjoy the benefits? The talk will try to answer these questions and explain the differences in the design of the various CVM instance types and discuss the current state of development of various important component upstream as well as their integration in general purpose Linux distributions (Fedora, CentOS Stream, RHEL). Focusing on providing confidentiality of the data at rest, existing technologies providing boot time integrity (SecureBoot, Measured boot, vTPMs,...) will be discussed. Finally, some of the remaining gaps in various components (Linux kernel, systemd, cloud-init,...) will be highlighted.


Photo of Vitaly Kuznetsov Vitaly Kuznetsov