diff --git a/.wordlist.txt b/.wordlist.txt index 712a2ba5..45993ee6 100644 --- a/.wordlist.txt +++ b/.wordlist.txt @@ -194,3 +194,10 @@ VNC TightVNC URL TCP +AES +TDX +Xeon +th +TDs +VMM + diff --git a/aws/aws-how-to/eks-gpu-enablement.rst b/aws/aws-how-to/eks-gpu-enablement.rst index bb2b2133..03c2ef96 100644 --- a/aws/aws-how-to/eks-gpu-enablement.rst +++ b/aws/aws-how-to/eks-gpu-enablement.rst @@ -5,7 +5,7 @@ GPU-based EKS worker nodes are needed for many applications, such as for the tra Before enabling GPUs on your worker nodes, you'll have to create a cluster and node groups with `GPU based instances `_. You'll also need SSH access to the nodes. -============================================== + Install a GPU driver on each node --------------------------------- diff --git a/google/google-explanation/confidential-computing.rst b/google/google-explanation/confidential-computing.rst new file mode 100644 index 00000000..fa6daf57 --- /dev/null +++ b/google/google-explanation/confidential-computing.rst @@ -0,0 +1,37 @@ +Security: Confidential computing +================================ + +.. include:: ../../reuse/common-intro.txt + :start-after: Start: Confidential computing + :end-before: End: Confidential computing + + +Intel® Trust Domain Extensions (Intel® TDX) +------------------------------------------- + +Intel introduced Intel® TDX to its confidential computing portfolio with the launch of its new 4th Gen Xeon enterprise processors in January, 2023. Intel® TDX is a combination of hardware and software features that provide isolation and security for virtual machines (VMs) running on Intel processors. It introduces architectural innovations to enable the deployment of hardware-isolated VMs, known as trust domains (TDs). The primary objective of Intel® TDX is to create a robust isolation layer between TDs and the virtual-machine manager (VMM)/hypervisor, as well as other non-TD software. This offers comprehensive protection against a wide spectrum of potential threats. + +These hardware-isolated TDs encompass several critical components, including the Secure Arbitration Mode (SEAM) module, an Intel-provided, digitally-signed security-services module. Additional features of TDX include: + +* shared bit in the guest-physical address +* secure extended-page table for address-translation integrity +* physical-address-metadata table for page management +* multi-key total-memory-encryption engine for memory encryption and integrity +* remote attestation + +These features are integral to ensuring the security and trustworthiness of TD execution within the Intel® TDX system. For further details, check out this white paper on `Intel® Trust Domain Extensions`_. + +In essence, Intel® TDX empowers you to execute your workloads within a logically isolated hardware-based execution environment. This is achieved by allocating a dedicated segment of system memory that undergoes real-time encryption using an advanced AES-128 encryption engine. TDX also introduces stringent access control measures that govern memory access. This prevents external access, including access from the cloud's privileged system software. + + + +Confidential computing on GCP +----------------------------- + +To create and launch confidential compute enabled instances on GCE, refer to: + +* Intel® TDX - :ref:`create-intel-tdx-conf-compute-on-gcp` +* AMD SEV - :ref:`create-amd-sev-conf-compute-on-gcp` + + +.. _`Intel® Trust Domain Extensions`: https://www.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf diff --git a/google/google-explanation/index.rst b/google/google-explanation/index.rst index 3a44fb63..45180e92 100644 --- a/google/google-explanation/index.rst +++ b/google/google-explanation/index.rst @@ -9,4 +9,5 @@ Discussion and clarification of some key topics are available here: canonical-offerings how-gcp-pricing-works + confidential-computing \ No newline at end of file diff --git a/google/google-how-to/create-different-instance-types.rst b/google/google-how-to/create-different-instance-types.rst index 253bf67a..b1ce69a6 100644 --- a/google/google-how-to/create-different-instance-types.rst +++ b/google/google-how-to/create-different-instance-types.rst @@ -67,10 +67,10 @@ On your Google Cloud console, while creating a new instance from :guilabel:`Comp * choose an ARM compatible OS and version, say ``Ubuntu`` and ``Ubuntu 22.04 LTS Minimal`` in :guilabel:`Boot disk` > :guilabel:`CHANGE` > :guilabel:`Operating system` and :guilabel:`Version` -.. _create-conf-compute-on-gcp: +.. _create-amd-sev-conf-compute-on-gcp: -Create a confidential compute enabled VM ----------------------------------------- +Create an AMD SEV based confidential computing VM +-------------------------------------------------- On your Google Cloud console, while creating a new instance from :guilabel:`Compute Engine` > :guilabel:`VM instances`> :guilabel:`CREATE INSTANCE`: @@ -102,5 +102,27 @@ Back on the google console, open the instance details and go to :guilabel:`Logs` [...] +.. _create-intel-tdx-conf-compute-on-gcp: +Create an Intel® TDX based confidential computing VM +----------------------------------------------------- +In GCE, Intel® TDX is supported in the `C3 machine series`_ since they use the 4th Gen Intel® Xeon CPUs. To create the VM, in the Google Cloud CLI, use the ``instances create`` command with ``confidential-compute-type=TDX``: + +.. code:: + + gcloud alpha compute instances create INSTANCE_NAME \ + --machine-type MACHINE_TYPE --zone us-central1-a \ + --confidential-compute-type=TDX \ + --on-host-maintenance=TERMINATE \ + --image-family=IMAGE_FAMILY_NAME \ + --image-project=IMAGE_PROJECT \ + --project PROJECT_NAME + +where: + +* MACHINE_TYPE: is the C3 machine type to use and +* IMAGE_FAMILY_NAME: is the name of the confidential VM supported image family to use, such as Ubuntu 22.04 LTS or Ubuntu 22.04 LTS Pro Server + + +.. _`C3 machine series`: https://cloud.google.com/compute/docs/general-purpose-machines#c3_series diff --git a/reuse/common-intro.txt b/reuse/common-intro.txt index 91f520bf..0c65a22d 100644 --- a/reuse/common-intro.txt +++ b/reuse/common-intro.txt @@ -20,6 +20,8 @@ End: Product need and user Start: Confidential computing +Confidential computing addresses the question of trust between cloud providers and their customers. By using confidential compute enabled machines, protection of the customer's data is directly enforced by the underlying cloud hardware. In the process, a large class of attacks on cloud guest machines are avoided or at least mitigated. + Data can be thought of as being in one of three states: * in-transit - being transmitted from one location to another @@ -28,7 +30,8 @@ Data can be thought of as being in one of three states: Both data in-transit and data at-rest can be encrypted using well-known techniques, but for securing data in-use, you need confidential computing. -Confidential computing is the protection of data in-use by performing computation in a hardware-based trusted execution environment. It allows the encryption of data while it is in the system memory. This requires the support of both hardware and the OS. For example, your hardware could be based on AMD's Secure Encrypted Virtualisation (SEV) architecture and the OS could be Ubuntu. +Confidential computing is the protection of data in-use by performing computation in a hardware-based trusted execution environment. It allows the encryption of data while it is in the system memory. This requires the support of both hardware and the OS. For example, your hardware could be based on Intel's TDX (Trust Domain Extensions) processors or AMD's SEV (Secure Encrypted Virtualisation) architecture and the OS could be Ubuntu. + End: Confidential computing