ijlal-loutfi
on 8 July 2024
Deploy confidential computing with Intel® TDX and Ubuntu 24.04 today
When we first announced support for Intel® Trust Domain Extensions (Intel® TDX) guest and host capabilities on Ubuntu 23.10, many of you used it to build applications and datacenters with strong silicon-level security guarantees. You also provided feedback on how easy the setup process was, expressed excitement about starting your confidential computing journey with Ubuntu, and shared your plans to continue this commitment with future Ubuntu releases, which will incrementally bring more advanced silicon features.
Today, we are happy to announce the availability of the Intel-optimised build for Ubuntu 24.04 LTS, which allows you to run Intel® TDX with an Ubuntu host, and continues Ubuntu’s earlier support for the TDX guest side. With no changes required to the application layer, VM isolation with Intel® TDX greatly simplifies the porting and migration of existing workloads to a confidential computing environment.
Why confidential computing with Intel TDX
Confidential computing addresses a critical gap in data security: protecting data while it is being processed in system memory. While traditional security measures primarily secure data at rest and data in transit, data in-use faces unique challenges. These include insider threats, where malicious insiders with elevated privileges can access sensitive data during its processing, as well as malware and exploits that take advantage of vulnerabilities within the platform’s privileged system software (such as the operating system, hypervisor, and firmware).
Intel® TDX on 4th Gen and 5th Gen Intel® Xeon® Scalable Processors represents one of the most ambitious silicon realisations of the confidential computing paradigm. It introduces secure, isolated virtual machines called trust domains (TDs), designed to shield against a wide range of software threats, including those posed by the virtual-machine manager and by other VMs hosted on the same platform. Intel® TDX also hardens the platform against physical attacks on memory, such as cold-boot attacks and DRAM interface intrusions. To achieve this level of security, Intel® TDX adds new CPU security extensions that provide three essential security features:
- Memory Isolation through Main Memory Encryption: CPUs equipped with confidential computing capabilities include an AES-128 hardware encryption engine within their memory controller. This engine encrypts and decrypts memory pages on every memory read or write. Instead of storing workload code and data in plaintext in system memory, the pages are encrypted under a hardware-managed key that neither the hypervisor nor any other software can read. Because encryption and decryption happen transparently inside the CPU, a confidential workload's memory stays isolated without any change to the workload itself.
- Additional CPU-Based Hardware Access Control Mechanisms: CPUs with confidential computing capabilities introduce new instructions and data structures that put security-sensitive tasks normally carried out by privileged system software, such as memory management and access to platform devices, behind hardware-enforced checks. For example, the CPU tracks which TD each private memory page belongs to, so a page that has been modified by the hypervisor or another VM is detected as tampered when the TD next reads it, instead of silently returning attacker-controlled data. This lets the platform detect unauthorised modification of TD memory, including data-corruption and replay attacks.
- Remote Attestation: Enables a relying party, whether the owner of the workload or a user of the services the workload provides, to confirm that the workload is running inside a TD on a genuine Intel® TDX-enabled platform before sharing any data with it. Remote attestation lets both workload owners and consumers cryptographically verify the measurements of the TD and the version of the Trusted Computing Base (TCB) they are relying on to secure their data.
What do we offer with Ubuntu 24.04?
Ensuring end-users can fully utilise these critical silicon security features requires more than just acquiring the right hardware: it demands an enabled software stack above it. Within the Linux ecosystem, upstreaming patches before they can be integrated by the downstream OS distributions is a meticulous and time-consuming process.
Recognising the timely need for Ubuntu end-users and customers to secure their sensitive data and code at run-time, Canonical and Intel have established a strategic collaboration through which we provide a rolling Intel-optimised Ubuntu build that runs ahead of upstream and continuously brings you the latest Intel® TDX features as Intel develops them. Today, we make available an Intel-optimised build derived from Ubuntu 24.04 that encompasses all the essential components required for deploying Intel® TDX confidential workloads. These builds support both host and guest environments, as well as remote attestation, enabling seamless deployment of confidential Intel® TDX virtual machines:
- Host side: it includes a 6.8 kernel derived from the 24.04 generic kernel, along with critical user-space components such as Libvirt, and QEMU.
- Guest side: it provides a 6.8 kernel, Shim, GRUB, and TDVF (Trust Domain Virtual Firmware), which serves as the in-guest virtual firmware.
- Attestation: this release also includes Intel® Software Guard Extensions Data Center Attestation Primitives (DCAP) on the host side, and the Intel® Trust Authority CLI on the guest side. Together these let users retrieve attestation reports from the underlying hardware root of trust and forward them to the Intel® Trust Authority service for verification.
Figure 1. End-to-end TDX software stack with Ubuntu
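The attestation flow described above, in the remote attestation feature and in the DCAP and Intel Trust Authority components of the stack, ends with a relying party deciding whether to trust a quote. The following Python is an added example, not code from Canonical, Intel or this page: it parses a TDREPORT-shaped blob using the REPORTDATA and TDINFO offsets from the Intel TDX module specification, binds the report to a fresh nonce and the TD's public key, and applies a measurement policy. The quoting enclave's ECDSA signature, certificate chain and TCB-level evaluation, which DCAP and the Intel Trust Authority handle, are replaced here by a simulated HMAC so the example runs offline, and the report contents are constructed.

```python
"""Relying-party side of Intel TDX remote attestation (added example).

Parses the policy-relevant fields of a TDREPORT, checks that the report is
bound to this session's nonce and TD key, and enforces a measurement policy.
The quote signature is simulated with an HMAC so the code runs offline."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# Byte layout from the Intel TDX module spec (TDREPORT_STRUCT is 1024 bytes):
# REPORTMACSTRUCT occupies [0, 256) with REPORTDATA at offset 128 (64 bytes);
# TDINFO_STRUCT occupies [512, 1024).
REPORT_LEN = 1024
REPORTDATA_OFF = 128
TDINFO_OFF = 512
ATTR_DEBUG = 1 << 0  # ATTRIBUTES.DEBUG: a debuggable TD offers no confidentiality

# Assumption for this example: the quoting enclave's ECDSA-P256 signature is
# replaced by an HMAC under a key shared by the simulated QE and the verifier.
SIM_QE_KEY = b"simulated-quoting-enclave-key"


@dataclass
class TdInfo:
    attributes: int
    xfam: int
    mrtd: bytes      # measurement of the initial TD contents (TDVF)
    mrowner: bytes
    rtmr: list       # RTMR0..3, extended during boot (firmware config, boot loader, OS, runtime)


def parse_tdreport(report: bytes) -> tuple:
    """Pull REPORTDATA and the policy-relevant TDINFO fields out of a TDREPORT."""
    if len(report) != REPORT_LEN:
        raise ValueError("TDREPORT must be %d bytes" % REPORT_LEN)
    reportdata = report[REPORTDATA_OFF:REPORTDATA_OFF + 64]
    td = report[TDINFO_OFF:TDINFO_OFF + 512]
    attributes, xfam = struct.unpack_from("<QQ", td, 0)
    mrtd = td[16:64]
    mrowner = td[112:160]
    rtmr = [td[208 + 48 * i:256 + 48 * i] for i in range(4)]
    return reportdata, TdInfo(attributes, xfam, mrtd, mrowner, rtmr)


def build_tdreport(reportdata: bytes, attributes: int, mrtd: bytes, rtmr: list) -> bytes:
    """Constructed stand-in for what the TDX module returns to the guest."""
    buf = bytearray(REPORT_LEN)
    buf[REPORTDATA_OFF:REPORTDATA_OFF + 64] = reportdata
    struct.pack_into("<QQ", buf, TDINFO_OFF, attributes, 0)
    buf[TDINFO_OFF + 16:TDINFO_OFF + 64] = mrtd
    for i, m in enumerate(rtmr):
        buf[TDINFO_OFF + 208 + 48 * i:TDINFO_OFF + 256 + 48 * i] = m
    return bytes(buf)


def sim_quote(report: bytes) -> bytes:
    """Simulated quote = report || MAC (a real quote carries an ECDSA signature)."""
    return report + hmac.new(SIM_QE_KEY, report, hashlib.sha256).digest()


def expected_reportdata(nonce: bytes, td_pubkey: bytes) -> bytes:
    """REPORTDATA binds the quote to this session: fresh nonce plus the TD's key."""
    return hashlib.sha512(nonce + td_pubkey).digest()


def verify_quote(quote: bytes, nonce: bytes, td_pubkey: bytes, policy: dict) -> tuple:
    """Return (accepted, reason). The checks after the signature are ones the
    relying party must do itself even when a verification service has already
    validated the signature, certificate chain and TCB level."""
    report, tag = quote[:REPORT_LEN], quote[REPORT_LEN:]
    if not hmac.compare_digest(tag, hmac.new(SIM_QE_KEY, report, hashlib.sha256).digest()):
        return False, "signature"
    reportdata, td = parse_tdreport(report)
    if not hmac.compare_digest(reportdata, expected_reportdata(nonce, td_pubkey)):
        return False, "reportdata"      # replayed or stale quote, or wrong TD key
    if td.attributes & ATTR_DEBUG:
        return False, "debug"
    if td.mrtd not in policy["mrtd"]:
        return False, "mrtd"            # unknown virtual firmware
    for i, want in policy["rtmr"].items():
        if td.rtmr[i] != want:
            return False, "rtmr%d" % i  # unexpected boot chain component
    return True, "ok"


if __name__ == "__main__":
    # Constructed measurements: in practice these come from the golden image.
    mrtd = hashlib.sha384(b"tdvf-build-1").digest()
    rtmr1 = hashlib.sha384(b"kernel-6.8-initrd").digest()
    policy = {"mrtd": {mrtd}, "rtmr": {1: rtmr1}}
    nonce, td_pubkey = os.urandom(32), os.urandom(65)
    report = build_tdreport(expected_reportdata(nonce, td_pubkey), 0, mrtd,
                            [bytes(48), rtmr1, bytes(48), bytes(48)])
    print(verify_quote(sim_quote(report), nonce, td_pubkey, policy))
    print(verify_quote(sim_quote(report), os.urandom(32), td_pubkey, policy))
```

A valid Intel signature only proves that the report came from a genuine TDX platform; it says nothing about whether the report was produced for this session (REPORTDATA), whether the TD is debuggable (ATTRIBUTES), or whether it booted the firmware and kernel you expect (MRTD, RTMRs). Those decisions belong to the relying party's policy, whichever service verified the quote.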
Support structure
To support our customers in confidently adopting Intel® TDX, Canonical will provide security maintenance and enterprise support for the Ubuntu 24.04 Intel-optimised build throughout its lifetime. For the host side, the kernel will continue to be updated, and will be engineered to allow users to roll to the new kernel every six months. Each kernel will receive nine months of security maintenance and support. This approach of hardware enablement (HWE) kernels is commonplace to allow for support of new hardware, and each is derived from the kernel version shipping with the interim releases, e.g. Ubuntu 24.10, ensuring continuous support. Similarly, for the userspace, we will either backport patches to the existing 24.04 versions or support newer versions.
This rolling approach carefully balances enabling customers to leverage evolving TDX features as they progress upstream, while also enabling secure deployment of TDX today.
Looking ahead
This collaboration between Canonical and Intel underscores our shared commitment to advancing confidential computing, particularly within the enterprise sector where robust support for both host and guest capabilities is paramount.
As Intel progresses with upstreaming additional silicon features, Canonical remains dedicated to delivering optimised Ubuntu builds, ensuring a smooth adoption path for Intel® TDX by our customers.
We eagerly anticipate your deployment of the Ubuntu 24.04 Intel® TDX build and value your feedback and questions. Your insights are vital as we continue to innovate and enhance data security solutions for the future.
Additional Resources
Understand the basics of confidential computing
Learn about how to secure your AI workloads with confidential computing