
ijlal-loutfi
on 21 March 2023


Canonical is committed to enabling Ubuntu users to leverage the strong run-time confidentiality and integrity guarantees that confidential computing provides. That is why we are happy to announce that we have joined the Confidential Computing Consortium, a project community at the Linux Foundation that is focused on accelerating the adoption of confidential computing and driving cross-industry collaboration around relevant open source software, standards and tools.

Why confidential computing

A major gap in today’s security paradigm is the lack of protection for data currently in use. Data breaches can occur while data is in use, and they have various origins, such as malicious insiders with administrative privileges or hackers exploiting bugs or vulnerabilities in privileged system software (such as the OS, hypervisor or firmware).

Confidential computing is here to give you back control over the security guarantees of your workloads. As the consortium explains, confidential computing aims to “protect data in use by performing computation in a hardware-based Trusted Execution Environment. These secure and isolated environments prevent unauthorised access or modification of applications and data while in use, thereby increasing the security assurances for organisations that manage sensitive and regulated data”.

This privacy-enhancing technology is here to address the very challenge of run-time insecurity. Instead of trying to make all system software secure, confidential computing takes a simple and pragmatic approach to privacy-enhancing technologies, one that just works today.

The need for a confidential computing consortium

Bringing confidential computing to end users is an industry-wide effort that requires the cooperation of several stakeholders. On the hardware side, silicon providers have been investing considerable resources into maturing their Trusted Execution Environment offerings. Just to cite a few, we have Intel SGX, Intel TDX and AMD SEV on the x86 architecture; TrustZone and the upcoming Arm CCA for the Arm ecosystem; Keystone for RISC-V; and the NVIDIA H100 for GPUs.

Image by Mitchell Luo from unsplash

Public cloud providers (PCPs for short) have been among the main adopters of hardware trusted execution environments. To make running confidential workloads easy for their users, PCPs have focused on enabling a “lift and shift” approach, where entire VMs run unchanged within the TEE. This means that developers neither have to refactor their confidential applications nor rewrite them. It also means that the guest operating system needs to be optimised so that user applications can leverage the platform’s underlying hardware TEE capabilities, and so that the VM is further protected while it is booting and when it is at rest.
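Because a lifted-and-shifted VM looks the same from the inside whether or not the TEE is actually active, the first thing an operator should do on a new confidential VM is confirm what the guest kernel reports. The following is an added example written for this page, not Canonical's or the kernel project's own code. It assumes a Linux guest, the kernel log formats printed by recent kernels ("Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP", "Memory Encryption Features active: Intel TDX", "tdx: Guest detected"), and, for the MSR path, root privileges with the msr driver loaded; the log lines embedded in the block are constructed samples. It decodes the guest-visible AMD SEV status MSR (0xC0010131, bits 0 to 2 for SEV, SEV-ES and SEV-SNP) and classifies kernel log lines, then combines both on the live system. A local check like this only tells you what the guest kernel believes about itself; proving it to a third party is the job of remote attestation, which this script does not perform.

```python
"""Local sanity check: is this Linux guest actually running inside a hardware TEE?

Added example (not Canonical's code). Two guest-visible signals are used:
the AMD SEV status MSR and the kernel's boot-time log lines. Log formats
are assumptions about recent kernels; adjust the patterns for older ones.
"""
import os
import re
import struct
import subprocess
from typing import Dict, Iterable, Optional

# MSR_AMD64_SEV: guest-visible status bits (AMD APM). Assumed layout:
MSR_AMD64_SEV = 0xC0010131
SEV_ENABLED = 1 << 0
SEV_ES_ENABLED = 1 << 1
SEV_SNP_ENABLED = 1 << 2

# Assumed log formats: the memory-encryption summary line printed by
# arch/x86/mm/mem_encrypt.c and the TDX guest-detection line.
_MEMENC_LINE = re.compile(r"Memory Encryption Features active:\s*(.*)$")
_TDX_LINE = re.compile(r"\btdx: Guest detected\b")

# Constructed sample logs (not captured from a real machine).
SAMPLE_SEV_SNP_LOG = [
    "[    0.000000] Linux version <constructed>",
    "[    0.000000] Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP",
]
SAMPLE_TDX_LOG = ["[    0.000000] tdx: Guest detected"]
SAMPLE_PLAIN_LOG = ["[    0.000000] Linux version <constructed>"]


def decode_sev_msr(value: int) -> Dict[str, bool]:
    """Translate MSR_AMD64_SEV bits into the SEV feature level that is active."""
    return {
        "sev": bool(value & SEV_ENABLED),
        "sev_es": bool(value & SEV_ES_ENABLED),
        "sev_snp": bool(value & SEV_SNP_ENABLED),
    }


def tee_from_dmesg(lines: Iterable[str]) -> str:
    """Classify kernel log lines as 'tdx', 'sev-snp', 'sev-es', 'sev' or 'none'."""
    verdict = "none"
    for line in lines:
        if _TDX_LINE.search(line):
            return "tdx"
        m = _MEMENC_LINE.search(line)
        if not m:
            continue
        feats = m.group(1).split()
        if "TDX" in feats:
            return "tdx"
        # Check the strongest SEV level first; the line lists all active ones.
        if "SEV-SNP" in feats:
            verdict = "sev-snp"
        elif "SEV-ES" in feats:
            verdict = "sev-es"
        elif "SEV" in feats:
            verdict = "sev"
    return verdict


def read_sev_msr(cpu: int = 0) -> Optional[int]:
    """Read MSR_AMD64_SEV through /dev/cpu/N/msr; None if unreadable (no root,
    msr driver not loaded, or the MSR does not exist on this CPU/TEE)."""
    try:
        fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    except OSError:
        return None
    try:
        data = os.pread(fd, 8, MSR_AMD64_SEV)
    except OSError:
        return None
    finally:
        os.close(fd)
    return struct.unpack("<Q", data)[0]


def probe_live() -> Dict[str, object]:
    """Combine both signals on the running system; a field is None when unavailable."""
    msr = read_sev_msr()
    try:
        out = subprocess.run(["dmesg"], capture_output=True, text=True, check=False).stdout
        log_verdict = tee_from_dmesg(out.splitlines())
    except OSError:
        log_verdict = None
    return {"msr": decode_sev_msr(msr) if msr is not None else None, "dmesg": log_verdict}


if __name__ == "__main__":
    print(probe_live())
```

A result of `{"msr": None, "dmesg": "none"}` on a VM that was ordered as confidential is a finding worth raising with the provider before any sensitive data is loaded; the kernel log check needs no special privilege, while the MSR read confirms the active SEV level on AMD hosts when run as root.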

This is exactly what Canonical has been working on. 

The Ubuntu confidential computing portfolio is growing

Thanks to a close collaboration with many major cloud providers, Ubuntu has been the first Linux operating system to support both AMD SEV and Intel TDX in the public cloud. Today, it only takes a few clicks to start using Ubuntu confidential VMs on Azure, AWS and Google Cloud. In the near future, we look forward to sharing more innovation across all the layers of confidential VMs, confidential containers and much more!

At Canonical, we believe that confidential computing and privacy-enhancing technologies will be the default way of doing computing in the future. This is why our confidential computing portfolio is free on all public clouds. Of course, you can always augment your Ubuntu Confidential VMs with Canonical’s Ubuntu Pro services, which offer expanded security maintenance for 10 years, certified and hardened images, and kernel livepatch capabilities.

Confidential computing as part of Canonical’s security commitment

With our work on confidential computing and our collaboration with the members of the consortium, we are furthering our commitment to security. This is just the beginning of Canonical’s confidential computing journey. Stay tuned for many more exciting announcements about our expanding portfolio.
