Benefits of Ubuntu for confidential computing
- Protect sensitive data by encrypting it when it’s being processed
- Secure your workloads in untrusted environments
- Build data clean rooms for collaborative AI analytics
Intel TDX is available on Ubuntu for both the host and guest
Ubuntu now supports Intel’s latest confidential computing technology. This hardware-based trusted execution environment enables you to add an extra layer of protection to the code and data running within your confidential virtual machines.
Private preview available on Ubuntu 23.10
Canonical’s strategic partnership with Intel gives you a customised Ubuntu build for Intel® TDX, incorporating all the latest necessary end-to-end host-to-guest patches available, even before they make it upstream.
We support a 6.5 kernel, derived from the 23.10 generic kernel, and offer essential user space components through PPAs, such as Libvirt 9.6 and QEMU 8.0. We also offer a set of user-friendly scripts to simplify the creation of confidential environments with just a few commands.
On the guest side, we support a comprehensive package featuring a 6.5 kernel, Shim, Grub, and TDVF, which serves as the in-guest VM firmware.
How confidential VMs work
Confidential VMs introduce a new trust boundary that includes only the software running inside the VM and the platform’s hardware. All other software outside that boundary is no longer part of your trusted computing base.
To provide such strong security guarantees, confidential computing relies on two main primitives:
1. Memory encryption
Confidential computing capable CPUs are equipped with an AES hardware memory encryption engine, which encrypts data when it is written to system memory and decrypts it when read. The encryption key itself is stored in the hardware root of trust and is never exposed to the platform’s system software.
2. Remote attestation
When a confidential VM is launched, its integrity is verified and its initial code and data are measured by a hardware root of trust. This ensures they have not been tampered with. The measurement is cryptographically signed and can be attested to a remote verifier.
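The attestation flow described above, as an added example that is not Canonical’s or Intel’s code: the guest’s initial components are folded into a measurement register, the hardware signs that measurement together with a verifier-supplied nonce, and the remote verifier checks signature, freshness and the expected reference value. The boot chain, the key and the use of an HMAC in place of the hardware’s asymmetric attestation key are constructed assumptions so the example runs offline with the standard library only.

```python
import hashlib
import hmac

# Constructed stand-in for the key held in the hardware root of trust.
# A real platform signs with an asymmetric attestation key that never leaves
# the hardware; an HMAC is used here only so the example runs offline.
HW_ROOT_KEY = b"example-hardware-root-of-trust-key"


def extend(register: bytes, component: bytes) -> bytes:
    """Fold one boot component into the measurement register (SHA-384 chain)."""
    return hashlib.sha384(register + hashlib.sha384(component).digest()).digest()


def measure_guest(components: list[bytes]) -> bytes:
    """Measure the guest's initial code and data in boot order."""
    register = bytes(48)  # register starts zeroed, as at VM launch
    for component in components:
        register = extend(register, component)
    return register


def produce_quote(measurement: bytes, nonce: bytes) -> dict:
    """Hardware side: bind the measurement to the verifier's nonce and sign it."""
    body = measurement + nonce
    signature = hmac.new(HW_ROOT_KEY, body, hashlib.sha384).digest()
    return {"measurement": measurement, "nonce": nonce, "signature": signature}


def verify_quote(quote: dict, expected_measurement: bytes, nonce: bytes) -> bool:
    """Remote verifier: signature valid, nonce fresh, measurement matches reference."""
    body = quote["measurement"] + quote["nonce"]
    expected_sig = hmac.new(HW_ROOT_KEY, body, hashlib.sha384).digest()
    signature_ok = hmac.compare_digest(quote["signature"], expected_sig)
    fresh = hmac.compare_digest(quote["nonce"], nonce)
    matches_reference = hmac.compare_digest(quote["measurement"], expected_measurement)
    return signature_ok and fresh and matches_reference


# Constructed sample boot chains: firmware, shim, grub, kernel.
GOOD_CHAIN = [b"TDVF", b"shim", b"grub", b"kernel 6.5"]
TAMPERED_CHAIN = [b"TDVF", b"shim", b"grub", b"kernel 6.5 (modified)"]
REFERENCE_MEASUREMENT = measure_guest(GOOD_CHAIN)  # published by the image owner


if __name__ == "__main__":
    nonce = b"verifier-challenge-0001"
    print("good chain:", verify_quote(produce_quote(measure_guest(GOOD_CHAIN), nonce),
                                      REFERENCE_MEASUREMENT, nonce))
    print("tampered chain:", verify_quote(produce_quote(measure_guest(TAMPERED_CHAIN), nonce),
                                          REFERENCE_MEASUREMENT, nonce))
```

A replayed quote fails even with a good measurement, because the verifier compares the nonce it issued against the one bound into the signature.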
A solid foundation of your zero trust strategy
With confidential computing, you can remove the privileged systems software from your trusted computing base, reduce your attack surface, and get a remotely verifiable cryptographic guarantee before trusting any platform with your data.
Confidential computing in your private data centre
Combine good data governance practices with the latest advances in privacy-enhancing computation. Use confidential computing to protect the confidentiality and integrity of the sensitive data hosted on your on-premises servers, using hardware-rooted primitives beyond traditional measures.