- Ubuntu CVMs use Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP), the security extension of third-generation AMD CPUs.
- CVMs let users run workloads inside a logically isolated, hardware-rooted execution environment that shrinks the trusted computing base.
- Ubuntu Confidential VMs protect a VM throughout its lifecycle: at run time, at rest, and at boot time.
Canonical, the publisher of Ubuntu, announced the general availability of Ubuntu Confidential VMs (CVMs) on Microsoft Azure. Ubuntu CVMs use Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP), the latest security extension of third-generation AMD CPUs, and hand control over the VM's security guarantees back to the user instead of leaving it with the cloud operator.
Isolated hardware-rooted execution environment
Ubuntu CVMs let users run a workload inside a logically isolated, hardware-rooted execution environment. This shrinks the user's trusted computing base to the guest itself (the application and the Ubuntu image it runs in) and the underlying AMD CPU; the hypervisor and host OS sit outside that boundary. Even if the host OS is compromised, an attacker cannot read the guest's data or tamper with its code execution.
Ubuntu CVMs secure VMs throughout their entire lifecycle:
- At run time: with AMD SEV-SNP, the VM's code and data are encrypted while they sit in system memory, using the AES-128 hardware engine built into the CPU's memory controller. The per-VM key is generated and held by the AMD Secure Processor and is never exposed to the hypervisor. SNP additionally enforces memory integrity, so a malicious hypervisor cannot remap, replay or silently corrupt guest pages.
- At rest: the VM's disks are protected by Ubuntu's full-disk encryption. The disk encryption key is stored, itself encrypted, on the VM's virtual disk and is bound to the virtual TPM (vTPM) of the instance, so only that instance's vTPM can release it. The vTPM lives inside the guest's own address space and therefore enjoys the same SEV-SNP run-time protection as the rest of the VM.
- At boot time: the platform produces a hardware-rooted, signed attestation report. A relying party can check it against the expected firmware, OS and platform boot measurements, and against a fresh nonce it supplied, before trusting the VM with secrets.
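The boot-time bullet above describes the attestation report but not what a relying party does with it. The following Python is an added example, not code from Canonical or the original article: it parses the SEV-SNP ATTESTATION_REPORT structure defined in AMD's SEV-SNP Firmware ABI specification and applies the checks a verifier makes before releasing secrets to a VM. The nonce, expected measurement, policy value and the sample report bytes are constructed here for illustration; a real report is obtained inside the guest from the Linux /dev/sev-guest driver (SNP_GET_REPORT), and its signature must first be verified against the chip's VCEK certificate from AMD's Key Distribution Service, which this offline example does not do.

```python
import hashlib
import struct
from dataclasses import dataclass

# Field layout of the SEV-SNP ATTESTATION_REPORT structure (AMD SEV-SNP Firmware
# ABI specification, report version 2). The report is 0x4A0 bytes; the last
# 0x200 bytes hold the ECDSA P-384 signature made with the chip's VCEK.
REPORT_LEN = 0x4A0
SIGNED_LEN = 0x2A0            # bytes 0..0x29F are what the VCEK signature covers

# Guest policy bits (POLICY field at offset 0x008).
POLICY_SMT_ALLOWED   = 1 << 16
POLICY_RESERVED_ONE  = 1 << 17   # must be set
POLICY_MIGRATE_MA    = 1 << 18
POLICY_DEBUG         = 1 << 19   # if set, the host may inspect guest memory
POLICY_SINGLE_SOCKET = 1 << 20

# Constructed sample inputs for this example (not real values).
SAMPLE_NONCE = hashlib.sha256(b"constructed relying-party nonce").digest()          # 32 bytes
EXPECTED_MEASUREMENT = hashlib.sha384(b"constructed golden guest image").digest()   # 48 bytes
BASELINE_POLICY = POLICY_RESERVED_ONE | POLICY_SMT_ALLOWED   # 0x30000: no debug, no migration


@dataclass
class SnpReport:
    version: int
    guest_svn: int
    policy: int
    vmpl: int
    signature_algo: int
    report_data: bytes     # 64 bytes chosen by the guest (nonce or key hash)
    measurement: bytes     # 48-byte launch digest of firmware + initial memory
    host_data: bytes       # 32 bytes supplied by the hypervisor at launch
    report_id: bytes       # 32 bytes
    reported_tcb: int
    chip_id: bytes         # 64 bytes identifying the physical CPU
    signature: bytes       # 512 bytes: ECDSA P-384 r, s and zero padding


def parse_report(raw: bytes) -> SnpReport:
    """Decode the fixed-layout report as returned by the SNP_GET_REPORT ioctl."""
    if len(raw) != REPORT_LEN:
        raise ValueError(f"expected {REPORT_LEN}-byte report, got {len(raw)}")
    version, guest_svn, policy = struct.unpack_from("<IIQ", raw, 0x000)
    vmpl, signature_algo = struct.unpack_from("<II", raw, 0x030)
    (reported_tcb,) = struct.unpack_from("<Q", raw, 0x180)
    return SnpReport(
        version, guest_svn, policy, vmpl, signature_algo,
        report_data=raw[0x050:0x090],
        measurement=raw[0x090:0x0C0],
        host_data=raw[0x0C0:0x0E0],
        report_id=raw[0x140:0x160],
        reported_tcb=reported_tcb,
        chip_id=raw[0x1A0:0x1E0],
        signature=raw[0x2A0:0x4A0],
    )


def check_report(report: SnpReport, nonce: bytes, expected_measurement: bytes) -> list:
    """Return the reasons to reject the report; an empty list means accept.

    A real verifier checks the VCEK signature over the first SIGNED_LEN bytes
    before any of this; that step is omitted because the per-chip certificate
    cannot be fetched offline.
    """
    problems = []
    if report.version < 2:
        problems.append(f"unsupported report version {report.version}")
    if not report.policy & POLICY_RESERVED_ONE:
        problems.append("policy bit 17 clear: malformed policy")
    if report.policy & POLICY_DEBUG:
        problems.append("policy allows DEBUG: host can inspect guest memory")
    if report.policy & POLICY_MIGRATE_MA:
        problems.append("policy allows a migration agent")
    if report.vmpl != 0:
        problems.append(f"report generated at VMPL {report.vmpl}, expected 0")
    # REPORT_DATA is 64 bytes; a 32-byte nonce is left-aligned and zero-padded.
    if report.report_data != nonce.ljust(64, b"\x00"):
        problems.append("REPORT_DATA does not echo our nonce: stale or replayed report")
    if report.measurement != expected_measurement:
        problems.append("MEASUREMENT differs from the approved firmware/OS image")
    return problems


def build_sample_report(policy: int, nonce: bytes, measurement: bytes) -> bytes:
    """Construct a report with the right layout for exercising the parser.

    Test scaffolding only: CHIP_ID is a fixed pattern and the signature field
    is zero, so this would fail VCEK verification.
    """
    raw = bytearray(REPORT_LEN)
    struct.pack_into("<IIQ", raw, 0x000, 2, 0, policy)      # version 2, GUEST_SVN 0
    struct.pack_into("<II", raw, 0x030, 0, 1)               # VMPL 0, algo 1 = ECDSA P-384/SHA-384
    raw[0x050:0x050 + len(nonce)] = nonce
    raw[0x090:0x0C0] = measurement
    struct.pack_into("<Q", raw, 0x180, 0x0300000000000003)  # hypothetical REPORTED_TCB
    raw[0x1A0:0x1E0] = bytes([0xA5]) * 64                    # stand-in CHIP_ID
    return bytes(raw)


if __name__ == "__main__":
    good = parse_report(build_sample_report(BASELINE_POLICY, SAMPLE_NONCE, EXPECTED_MEASUREMENT))
    print("baseline policy:", check_report(good, SAMPLE_NONCE, EXPECTED_MEASUREMENT) or "accepted")
    dbg = parse_report(build_sample_report(BASELINE_POLICY | POLICY_DEBUG, SAMPLE_NONCE, EXPECTED_MEASUREMENT))
    print("debug policy:   ", check_report(dbg, SAMPLE_NONCE, EXPECTED_MEASUREMENT))
```

The two checks that matter most in practice are the ones a naive verifier skips: the nonce in REPORT_DATA, without which an attacker can replay an old report from a genuine VM, and the DEBUG policy bit, which a host could set at launch to retain the ability to read guest memory while the launch measurement still matches.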