
Hardening the Linux Guest for the Confidential Cloud Computing: Deep Dive and Results – Elena Reshetova, Intel

Confidential Cloud Computing is a security model in which cloud tenants are not required to trust the software stack provided by the Cloud Service Provider (CSP). That stack includes the Virtual Machine Monitor (VMM), which for decades has been an integral part of a VM guest's trusted computing base (TCB). In recent years CPU vendors have introduced technologies that make this changed threat model possible to support (AMD SEV, Intel TDX and others), but a lot of work is also needed on the VM guest software stack before such a setup is truly secure: once the VMM is untrusted, every input the guest kernel receives from the host becomes attacker-controlled. This talk continues last year's LSS presentation with a more technical deep dive into our efforts to harden the mainline Linux kernel so that it can be used as a secure VM guest kernel. We go into detail on how we treat individual kernel subsystems and host-guest communication mechanisms, how the hardening mechanisms we have implemented work, and share results from our fuzzing and manual code audit activities. The open source tools and documentation for the project have been published at https://github.com/intel/ccc-linux-guest-hardening
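The shift the abstract describes, from a trusted VMM to an attacker-controlled one, changes how guest kernel code must treat every value it reads from memory the host can write. The following C program is an added example written for this page; it is not code from the talk, from the Linux kernel, or from the ccc-linux-guest-hardening project. The descriptor layout (struct shared_desc), the region sizes, the function names and the return codes are hypothetical assumptions chosen to make the two classic defects visible: a 32-bit range check that wraps, and a double fetch that re-reads host memory after checking it. The `volatile` qualifier stands in for the kernel's READ_ONCE() so that each access to the shared fields really touches memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical descriptor the host writes into memory shared with the
 * guest. Under the confidential-VM threat model every field is attacker
 * controlled and may change at any time. `volatile` plays the role of
 * the kernel's READ_ONCE() so each access really hits memory.           */
struct shared_desc {
    volatile uint32_t offset;   /* start of the payload in shared_data */
    volatile uint32_t len;      /* payload length in bytes             */
};

#define SHARED_DATA_SIZE 128u   /* host-filled region (assumed size)   */
#define GUEST_BUF_SIZE   64u    /* guest-private destination buffer    */

/* Unhardened pattern: the range check uses 32-bit arithmetic that wraps,
 * and the fields are fetched again after the check (double fetch), so a
 * VMM that changes len or offset between check and use bypasses it.
 * Returns bytes copied, or -1 if the (flawed) check fails.              */
int copy_from_host_unhardened(const struct shared_desc *d,
                              const uint8_t *shared_data,
                              uint8_t *guest_buf)
{
    if (d->len > GUEST_BUF_SIZE)
        return -1;
    if (d->offset + d->len > SHARED_DATA_SIZE)     /* uint32 wrap-around */
        return -1;
    memcpy(guest_buf, shared_data + d->offset, d->len); /* re-reads d */
    return (int)d->len;
}

/* Hardened pattern: snapshot each host field exactly once into guest
 * private memory, widen before adding, and validate both ends of the
 * range against guest-owned sizes before touching shared memory.
 * Returns bytes copied, -1 for a bad length, -2 for a bad range.        */
int copy_from_host_hardened(const struct shared_desc *d,
                            const uint8_t *shared_data,
                            uint8_t *guest_buf)
{
    uint32_t off = d->offset;                 /* single fetch */
    uint32_t len = d->len;                    /* single fetch */
    uint64_t end = (uint64_t)off + len;       /* cannot wrap in 64 bits */

    if (len == 0 || len > GUEST_BUF_SIZE)
        return -1;
    if (off >= SHARED_DATA_SIZE || end > SHARED_DATA_SIZE)
        return -2;
    memcpy(guest_buf, shared_data + off, len);
    return (int)len;
}

/* Reproduces only the arithmetic of the unhardened range check, so the
 * wrap-around can be shown without performing an out-of-bounds copy.  */
bool unhardened_range_check_passes(uint32_t off, uint32_t len)
{
    return (uint32_t)(off + len) <= SHARED_DATA_SIZE;
}

/* Constructed inputs: a benign descriptor, one whose offset+len wraps to
 * a small value in 32 bits, and one whose length exceeds the guest buffer. */
int run_benign(void)
{
    uint8_t shared_data[SHARED_DATA_SIZE], guest_buf[GUEST_BUF_SIZE];
    struct shared_desc d = { .offset = 16, .len = 32 };
    memset(shared_data, 0xAB, sizeof shared_data);
    return copy_from_host_hardened(&d, shared_data, guest_buf);
}

int run_malicious_wrap(void)
{
    uint8_t shared_data[SHARED_DATA_SIZE], guest_buf[GUEST_BUF_SIZE];
    struct shared_desc d = { .offset = 0xFFFFFFF0u, .len = 32 };
    memset(shared_data, 0, sizeof shared_data);
    return copy_from_host_hardened(&d, shared_data, guest_buf);
}

int run_malicious_len(void)
{
    uint8_t shared_data[SHARED_DATA_SIZE], guest_buf[GUEST_BUF_SIZE];
    struct shared_desc d = { .offset = 0, .len = GUEST_BUF_SIZE + 1 };
    memset(shared_data, 0, sizeof shared_data);
    return copy_from_host_hardened(&d, shared_data, guest_buf);
}

int main(void)
{
    printf("benign copy:            %d\n", run_benign());
    printf("wrapping offset:        %d\n", run_malicious_wrap());
    printf("oversized length:       %d\n", run_malicious_len());
    printf("naive check passes wrap: %d\n",
           unhardened_range_check_passes(0xFFFFFFF0u, 32));
    return 0;
}
```

The unhardened function is kept only to show the pattern; it is never called on the malicious descriptors, because the wrapped offset would make it read past the shared region. The hardened version is the shape a guest driver needs once the host is part of the attacker's reach: read each shared field once, reason about it in private memory, and reject anything outside sizes the guest itself controls.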


by The Linux Foundation
