-
Notifications
You must be signed in to change notification settings - Fork 46
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #90 from k-dimple/main
Add google explanation - Security: Confidential computing
- Loading branch information
Showing
6 changed files
with
75 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -194,3 +194,10 @@ VNC | |
TightVNC | ||
URL | ||
TCP | ||
AES | ||
TDX | ||
Xeon | ||
th | ||
TDs | ||
VMM | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
Security: Confidential computing | ||
================================ | ||
|
||
.. include:: ../../reuse/common-intro.txt | ||
:start-after: Start: Confidential computing | ||
:end-before: End: Confidential computing | ||
|
||
|
||
Intel® Trust Domain Extensions (Intel® TDX) | ||
------------------------------------------- | ||
|
||
Intel introduced Intel® TDX to its confidential computing portfolio with the launch of its new 4th Gen Xeon enterprise processors in January, 2023. Intel® TDX is a combination of hardware and software features that provide isolation and security for virtual machines (VMs) running on Intel processors. It introduces architectural innovations to enable the deployment of hardware-isolated VMs, known as trust domains (TDs). The primary objective of Intel® TDX is to create a robust isolation layer between TDs and the virtual-machine manager (VMM)/hypervisor, as well as other non-TD software. This offers comprehensive protection against a wide spectrum of potential threats. | ||
|
||
These hardware-isolated TDs encompass several critical components, including the Secure Arbitration Mode (SEAM) module, an Intel-provided, digitally-signed security-services module. Additional features of TDX include: | ||
|
||
* shared bit in the guest-physical address | ||
* secure extended-page table for address-translation integrity | ||
* physical-address-metadata table for page management | ||
* multi-key total-memory-encryption engine for memory encryption and integrity | ||
* remote attestation | ||
|
||
These features are integral to ensuring the security and trustworthiness of TD execution within the Intel® TDX system. For further details, check out this white paper on `Intel® Trust Domain Extensions`_. | ||
|
||
In essence, Intel® TDX empowers you to execute your workloads within a logically isolated hardware-based execution environment. This is achieved by allocating a dedicated segment of system memory that undergoes real-time encryption using an advanced AES-128 encryption engine. TDX also introduces stringent access control measures that govern memory access. This prevents external access, including access from the cloud's privileged system software. | ||
|
||
|
||
|
||
Confidential computing on GCP | ||
----------------------------- | ||
|
||
To create and launch confidential compute enabled instances on GCE, refer to: | ||
|
||
* Intel® TDX - :ref:`create-intel-tdx-conf-compute-on-gcp` | ||
* AMD SEV - :ref:`create-amd-sev-conf-compute-on-gcp` | ||
|
||
|
||
.. _`Intel® Trust Domain Extensions`: https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters