Canonical is committed to enabling Ubuntu users to leverage the strong run-time confidentiality and integrity guarantees that confidential computing provides. That is why we are happy to announce we have joined the confidential computing consortium, a project community at the Linux Foundation that is focused on accelerating the adoption of confidential computing and driving cross-industry collaboration around relevant open source software, standards and tools.
Why confidential computing
A major gap in today’s security paradigm is the lack of protection for data currently in use. Data breaches can occur when data is in use and have various origins, such as malicious insiders with administrative privileges or hackers exploiting bugs or vulnerabilities in privileged system software (such as the OS, hypervisor, or firmware).
Confidential computing is here to give you back control over the security guarantees of your workloads. As the consortium explains, confidential computing aims to “protect data in use by performing computation in a hardware-based Trusted Execution Environment. These secure and isolated environments prevent unauthorised access or modification of applications and data while in use, thereby increasing the security assurances for organisations that manage sensitive and regulated data”.
This privacy-enhancing technology is here to address the very challenge of run-time insecurity. Instead of trying to make all system software secure, confidential computing takes a simple and pragmatic approach to privacy-enhancing technologies, which just works today.
The need for a confidential computing consortium
Bringing confidential computing to end users is an industry-wide effort that requires the cooperation of several stakeholders. On the hardware side, silicon providers have been investing considerable resources into maturing their Trusted Execution Environment offerings. Just to cite a few, we have Intel SGX, Intel TDX, and AMD SEV on the X86 architecture; TrustZone and the upcoming ARM CCA for the ARM ecosystem; and Keystone for RISC-V architectures, and Nvidia H100 for GPUs.
Public cloud providers (PCPs for short) have been one of the main adopters of hardware trusted execution environments. In order to make running confidential workloads easy for their users, PCPs have been focusing on enabling a “shift and lift” approach, where entire VMs can run unchanged within the TEE. What this means is that developers neither have to refactor their confidential applications nor rewrite them. What this also means is that the guest operating system needs to be optimised to support the user applications to leverage the platform’s underlying hardware TEE capabilities, and to further protect the VM while it’s booting, and when it’s at rest.
This is exactly what Canonical has been working on.
The Ubuntu confidential computing portfolio is growing
Thanks to a close collaboration with the many major cloud providers, Ubuntu has been the first Linux operating system to support both AMD SEV and TDX in the public cloud. Today, it only takes a few clicks to start using Ubuntu confidential VMs on Azure , AWS, Google Cloud. In the near future, we look forward to sharing more innovation across all the layers of confidential VMs, confidential containers and much more !
At Canonical, we believe that confidential computing and privacy enhancing technologies will be the default way of doing computing in the future. This is why our confidential computing portfolio is free on all public clouds . Of course, you can always augment your Ubuntu Confidential VMs with Canonical’s Ubuntu Pro services, which offer expanded security maintenance for 10 years, certified and hardened images and kernel livepatch capabilities.
Confidential computing as part of Canonical’s security commitment
With our work on confidential computing and our collaboration with the members of the consortium, we are furthering our commitment to security. This is just the beginning of Canonical’s confidential computing journey. Stay tuned for many more exciting announcements about our expanding portfolio.
- Watch our webinar to learn more about confidential computing
- Read our blog post for “What is confidential computing? A high-level explanation for CISOs”
- Read our blog post for “Confidential computing in public clouds: isolation and remote attestation explained”
- Start creating and using Ubuntu CVMs on Azure
- Is Linux Secure?
- Learn more about Google Cloud Confidential Computing
- Learn about Learn about how confidential computing can help you better utilize security-sensitive data within the financial-services industryhow confidential computing can help you better utilize security-sensitive data within the financial-services industry