On behalf of all Canonical teams, I am happy to announce the general availability of Ubuntu Confidential VMs (CVMs) on Microsoft Azure! They are part of the Microsoft Azure DCasv5/ECasv5 series, and only take a few clicks to enable and use. Ubuntu 20.04 is the first and only Linux distribution to support Confidential VMs on Azure.
What are Ubuntu CVMs?
Ubuntu CVMs use the latest security extensions of the third generation of AMD CPUs, Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP). As such, they bring about a fundamental shift in the traditional threat model of public clouds. Traditionally, any vulnerability within the millions of lines of code in the cloud’s privileged system software (OS, hypervisor, firmware) would systematically compromise the confidentiality and integrity of your running code and data. The same could be said for any undue access to your VM and/or its platform by a malicious cloud administrator.
Ubuntu CVMs are here to give you back control over the security guarantees of your VMs. They do this by allowing you to run your workload within a logically isolated hardware-rooted execution environment. Your trusted computing base is dramatically reduced to your application and the platform’s underlying hardware CPU, and nothing else. In other words, a compromised host OS or an angry cloud administrator can no longer access your data nor alter your code’s execution.
How do Ubuntu confidential VMs work?
Ubuntu CVMs achieve such strong security guarantees by securing your VMs throughout their entire lifecycle:
Using AMD SEV-SNP, your VM’s code and data are encrypted when they are being operated on in the system memory. The encryption leverages the newest AES-128 hardware encryption engine embedded in the CPU’s memory controller. The encryption key is further protected and managed by the AMD Secure Processor.
2. At rest
Your entire workload is encrypted using Ubuntu-enhanced full disk encryption capabilities. The encryption key is itself stored encrypted in your VM’s virtual disk. It’s then bound to the virtual TPM (vTPM) associated with your instance. Finally, the vTPM is itself part of the guest VM address space, and enjoys the same run-time security guarantees provided by the AMD SEV-SNP extensions to the entire VM instance.
3. At boot time
Before booting the VM, the platform provides a hardware-rooted signed attestation which can be used to verify the OS, firmware and platform boot measurements.
Part of Canonical’s security commitment
With Ubuntu CVMs, Canonical continues its strong commitment to security. This is yet another reason for which developers, end-users and enterprises across the world continue to choose Ubuntu on all major public clouds. With Azure CVM, Ubuntu customers can continue using its extended security maintenance of 10 years, certified and hardened images and kernel livepatch capabilities, while enjoying the Ubuntu user experience they have come to love and expect.
Stay tuned for more news on confidential computing
Azure Confidential VMs only mark the beginning of Ubuntu’s confidential computing capabilities across various public clouds and compute classes. We look forward to sharing more news about our expanding portfolio and learning about the novel ways you are leveraging confidential computing.