On behalf of all Canonical teams, I am happy to announce the general availability of Ubuntu 22.04 Confidential VMs (CVMs) on Microsoft Azure! They are part of the Microsoft Azure DCasv5/ECasv5 series that leverage the latest security extensions of the third generation of AMD CPUs, Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP).
As such, Ubuntu 22.04 CVMs can protect your public cloud workloads even against a strong adversary that might compromise the cloud’s privileged system software (hypervisor, host OS, firmware), as well as a potentially malicious or compromised VM administrator.
Confidential computing is an industry-wide effort that requires the cooperation of several stakeholders. On the hardware side, silicon providers have been investing considerable resources into maturing their Trusted Execution Environment (TEEs) offerings. Public cloud providers (PCPs) have been one of the main adopters of such TEEs. In order to make running confidential workloads easy for their users, PCPs have been focusing on enabling a “shift and lift” approach, where entire VMs can run unchanged within the TEE. What this means is that developers neither have to refactor their confidential applications nor rewrite them. What this also means is that the guest operating system needs to be optimised and enabled to support the user applications to leverage the platform’s underlying hardware TEE capabilities, and to further protect the VM while it’s booting, and when it’s at rest.
This is exactly what Canonical Ubuntu has been working on for the past couple of months! Thanks to a close collaboration with Microsoft Azure, Ubuntu 22.04 CVMs on Azure are ready for you, today, to build confidential public cloud workloads.
How do Ubuntu CVMs work
Ubuntu CVMs achieve such strong security guarantees by securing your VMs throughout their entire lifecycle:
- At run-time: Using AMD SEV-SNP, your VM’s code and data are encrypted when they are being operated on in the system memory. The encryption leverages the newest AES-128 hardware encryption engine embedded in the CPU’s memory controller. The encryption key is further protected and managed by the AMD Secure Processor.
- At-rest: Your entire workload is encrypted using Ubuntu-enhanced full disk encryption capabilities. The encryption key is itself sealed to the vTPM associated with your virtual machine, The vTPM itself is implemented in the guest VM’s address space, and enjoys the same run-time security guarantees provided by the AMD SEV-SNP extensions to the entire VM instance, but its state is currently persisted outside of the guest VM and might rely on the cloud’s or a third party’s key infrastructure.
- At boot-time: Before booting the VM, the platform provides a hardware-rooted signed attestation which can be used to verify the OS, firmware and platform boot measurements.
Ubuntu Confidential VMs beyond run-time security
Ubuntu 22.04 confidential VMs also offers an extensive range of remote attestation solutions. These CVMs seamlessly integrate Microsoft Azure Attestation and incorporate Intel Trust Authority, catering to enterprises seeking operator-independent attestation.
In parallel, Microsoft Azure has also enriched Ubuntu CVMs with important integrity features, including boot-time attestation and confidential disk encryption with enterprise key management options for PMK (platform-managed key) and CMK (customer-managed key) using Managed HSM with FIPS 140-2 Level 3 validation.
Last but not the least, Ubuntu 22.04 confidential VMs also support ephemeral vTPMs and OS disks, a new feature where disks can be stored on the VM’s OS cache disk or the VM’s temp/resource disk, without needing to be saved to any remote Azure Storage, and where vTPMs generate fresh cryptographic material each time the VM boots up. This allows organisations to start building remote attestation protocols with reduced dependency on the underlying cloud infrastructure.
By using Ubuntu 22.04 CVMs, you add an additional layer to your defense-in-depth architecture and reduce the attack surface of your Azure workloads. Ubuntu handles the complex tasks involved, enabling you to achieve this new level of security without friction.
If you are already using the public cloud, you can only benefit from running your VMs as confidential VMs instead! If you have security concerns that are preventing you from using the public cloud, the advances in confidential computing warrant that you re-evaluate your risk assessment, and reach the conclusion that best suits your organisation.
At Canonical, we believe that confidential computing and privacy enhancing technologies will be the default way of doing computing in the future. This is why Canonical Ubuntu confidential VMs are available for free. On Azure, you can always augment your Ubuntu CVMs with Canonical’s Ubuntu Pro services, that offers an extended security maintenance of 10 years, certified and hardened images and kernel livepatch capabilities.
This is just the beginning of Canonical Ubuntu’s confidential computing journey! Come along, and stay tuned for many more exciting announcements about our expanding portfolio.
- Contact us
- Watch our webinar “Introduction to confidential computing” webinar
- Learn about how confidential computing can help you better utilize security-sensitive data within the financial-services industry
- Take a deep dive into how we enabled CVMs on Azure
- Start creating and using Ubuntu CVMs on Azure
- Join our webinar to know if Linux is secure
Why do we want to eliminate trust? Isn’t trust a good thing that we should foster and grow? And shouldn’t computing platforms trust their end-users, and vice...
We are happy to announce we have joined the confidential computing consortium, a project community at the Linux Foundation that is focused on accelerating...
In the first part of this blog series, we discussed the run-time (in)security challenge, which can leave your code and data vulnerable to attacks by both the...