
ijlal-loutfi
on 12 December 2023

Ubuntu confidential VMs with Intel® TDX are now in public preview on Azure


The Canonical confidential computing team is excited to unveil the public preview of Ubuntu Confidential VMs with Intel® Trust Domain Extensions (Intel TDX) on Microsoft Azure, as part of the DCesv5 and ECesv5-series VMs. These VMs run on 4th Gen Intel Xeon Scalable processors equipped with Intel TDX, and they are available for you to try right now. This marks a significant step in Ubuntu’s mission to drive the future of confidential public clouds.

Confidential computing threat model

Confidential computing aims to bring about a fundamental shift in the traditional threat model of public clouds. Traditionally, a single vulnerability anywhere in the millions of lines of code that make up the cloud’s privileged system software (OS, hypervisor, firmware) could compromise the confidentiality and integrity of your running code and data. The same holds for any undue access to your VM, or to the platform it runs on, by a malicious cloud administrator.

Ubuntu Confidential VMs (CVMs) give you back control over the security guarantees of your VMs. They do this by running your workload inside a logically isolated execution environment whose protection is rooted in the hardware rather than in the cloud provider’s software stack.

Intel Trust Domain Extensions 

Intel® TDX carves out a region of system memory for the guest (a trust domain) that is encrypted at run time by a new AES-128 memory encryption engine, and it adds new access-control checks that mediate every access to that memory, blocking access from outside the trust domain even by the cloud’s privileged system software. Encryption and access control protect the contents of memory; establishing what software is actually running inside the trust domain is the job of measurement and remote attestation, covered below.

Ubuntu confidential VMs

With this launch, Ubuntu Server 22.04 LTS CVMs also support full disk encryption, and they offer a range of remote attestation options: they integrate with Microsoft Azure Attestation and with Intel Trust Authority, the latter catering to enterprises that want attestation independent of the cloud operator.

In parallel, Microsoft Azure has enriched Ubuntu CVMs with important integrity features, including boot-time attestation and confidential disk encryption with enterprise key management options: platform-managed keys (PMK) or customer-managed keys (CMK) held in Azure Managed HSM, which is FIPS 140-2 Level 3 validated.

Last but not least, Ubuntu 22.04 CVMs also support ephemeral OS disks and ephemeral vTPMs. With an ephemeral OS disk, the disk lives on the VM’s OS cache disk or on its temp/resource disk and is never saved to remote Azure Storage; with an ephemeral vTPM, the vTPM generates fresh cryptographic material every time the VM boots, so no TPM keys or state carry over from one boot to the next. Together these let organisations start building remote attestation protocols with reduced dependency on the underlying cloud infrastructure.
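As an added example (not Canonical’s, Intel’s or Microsoft’s code), the following Python script shows the guest and relying-party halves of the TDX-native attestation protocol the two preceding paragraphs allude to: the guest binds a verifier-chosen nonce and its own public key into the 64-byte REPORTDATA of a TDREPORT obtained from the Linux TDX guest driver, and the verifier parses the report’s TDINFO fields and applies a policy (nonce binding, DEBUG attribute, MRTD and RTMR values). The field offsets follow the TDREPORT_STRUCT layout of the Intel TDX Module ABI; the `/dev/tdx_guest` ioctl follows the upstream `linux/tdx-guest.h` interface (`TDX_CMD_GET_REPORT0`, kernel 6.5 and later), which is an assumption about the guest kernel in use. The golden measurements, the public key and the offline test report are constructed for the demonstration.

```python
"""Added example: build and policy-check an Intel TDX TDREPORT.
Offsets per the TDX Module ABI TDREPORT_STRUCT; ioctl per upstream
linux/tdx-guest.h (assumed guest kernel >= 6.5)."""
import fcntl
import hashlib
import hmac
import os
import secrets

TDX_REPORTDATA_LEN = 64
TDX_REPORT_LEN = 1024
TDREPORT_TYPE_TD = 0x81          # REPORTTYPE.TYPE for a TD (guest) report
TD_ATTR_DEBUG = 1 << 0           # TDINFO.ATTRIBUTES bit 0: host can inspect TD memory

# REPORTMACSTRUCT is bytes 0..255; the caller-supplied REPORTDATA sits at offset 128.
REPORTDATA_OFF = 128
# TDINFO_STRUCT is bytes 512..1023; entries are (name, offset within TDINFO, length).
TDINFO_OFF = 512
TDINFO_FIELDS = (
    ("attributes", 0, 8), ("xfam", 8, 8), ("mrtd", 16, 48), ("mrconfigid", 64, 48),
    ("mrowner", 112, 48), ("mrownerconfig", 160, 48),
    ("rtmr0", 208, 48), ("rtmr1", 256, 48), ("rtmr2", 304, 48), ("rtmr3", 352, 48),
)


def _ioc(direction, typ, nr, size):
    """Linux _IOC() encoding on x86: dir<<30 | size<<16 | type<<8 | nr."""
    return (direction << 30) | (size << 16) | (ord(typ) << 8) | nr


# TDX_CMD_GET_REPORT0 = _IOWR('T', 1, struct tdx_report_req) = 0xC4405401
TDX_CMD_GET_REPORT0 = _ioc(3, "T", 1, TDX_REPORTDATA_LEN + TDX_REPORT_LEN)


def get_tdreport(reportdata: bytes, dev: str = "/dev/tdx_guest") -> bytes:
    """Guest side: ask the TDX guest driver for a TDREPORT over REPORTDATA.
    Only works inside a trust domain; raises OSError anywhere else."""
    if len(reportdata) != TDX_REPORTDATA_LEN:
        raise ValueError("REPORTDATA must be exactly 64 bytes")
    buf = bytearray(reportdata) + bytearray(TDX_REPORT_LEN)   # struct tdx_report_req
    fd = os.open(dev, os.O_RDWR)
    try:
        fcntl.ioctl(fd, TDX_CMD_GET_REPORT0, buf, True)
    finally:
        os.close(fd)
    return bytes(buf[TDX_REPORTDATA_LEN:])


def bind_reportdata(nonce: bytes, pubkey: bytes) -> bytes:
    """REPORTDATA = SHA-512(nonce || pubkey): 64 bytes that tie the report to the
    verifier's fresh nonce and to the key the workload will use afterwards."""
    return hashlib.sha512(nonce + pubkey).digest()


def parse_tdreport(report: bytes) -> dict:
    """Verifier side: pull REPORTTYPE, REPORTDATA and the TDINFO measurements."""
    if len(report) != TDX_REPORT_LEN:
        raise ValueError("TDREPORT must be 1024 bytes")
    fields = {"report_type": report[0],
              "reportdata": report[REPORTDATA_OFF:REPORTDATA_OFF + TDX_REPORTDATA_LEN]}
    for name, off, ln in TDINFO_FIELDS:
        fields[name] = report[TDINFO_OFF + off:TDINFO_OFF + off + ln]
    fields["attributes"] = int.from_bytes(fields["attributes"], "little")
    return fields


def check_policy(report: bytes, nonce: bytes, pubkey: bytes, policy: dict) -> list:
    """Return the list of policy violations; an empty list means accept.
    Caveat: REPORTMACSTRUCT.MAC is keyed inside the CPU and cannot be checked here.
    A remote verifier must first validate the signature of the quote or token
    (from Azure Attestation or Intel Trust Authority) that carried this report."""
    td = parse_tdreport(report)
    problems = []
    if td["report_type"] != TDREPORT_TYPE_TD:
        problems.append("not a TD report (REPORTTYPE 0x%02x)" % td["report_type"])
    if not hmac.compare_digest(td["reportdata"], bind_reportdata(nonce, pubkey)):
        problems.append("REPORTDATA does not bind this nonce and key (replayed or foreign report)")
    if td["attributes"] & TD_ATTR_DEBUG:
        problems.append("TD ATTRIBUTES.DEBUG is set: host can inspect TD memory")
    for name in ("mrtd", "rtmr0", "rtmr1", "rtmr2", "rtmr3"):
        want = policy.get(name)
        if want is not None and not hmac.compare_digest(td[name], want):
            problems.append("%s mismatch: %s..." % (name, td[name].hex()[:16]))
    return problems


def make_test_tdreport(reportdata: bytes, mrtd: bytes, rtmrs: dict, attributes: int = 0) -> bytes:
    """Constructed TDREPORT for offline testing: real layout, zero MAC and TEE_TCB_INFO."""
    buf = bytearray(TDX_REPORT_LEN)
    buf[0] = TDREPORT_TYPE_TD
    buf[REPORTDATA_OFF:REPORTDATA_OFF + TDX_REPORTDATA_LEN] = reportdata
    buf[TDINFO_OFF:TDINFO_OFF + 8] = attributes.to_bytes(8, "little")
    buf[TDINFO_OFF + 16:TDINFO_OFF + 64] = mrtd
    for name, off, ln in TDINFO_FIELDS:
        if name in rtmrs:
            buf[TDINFO_OFF + off:TDINFO_OFF + off + ln] = rtmrs[name]
    return bytes(buf)


def demo() -> list:
    """Simulated exchange: verifier nonce -> guest report -> verifier policy check."""
    nonce = secrets.token_bytes(32)                          # verifier's challenge
    pubkey = b"\x04" + secrets.token_bytes(64)               # stand-in for the TD-bound public key
    mrtd = hashlib.sha384(b"constructed golden TD image").digest()
    rtmr0 = hashlib.sha384(b"constructed firmware log").digest()
    report = make_test_tdreport(bind_reportdata(nonce, pubkey), mrtd, {"rtmr0": rtmr0})
    return check_policy(report, nonce, pubkey, {"mrtd": mrtd, "rtmr0": rtmr0})


if __name__ == "__main__":
    print("policy violations:", demo() or "none")
```

Inside a real TD, replace `make_test_tdreport` with `get_tdreport(bind_reportdata(nonce, pubkey))`; the nonce must come from the verifier per session, otherwise a captured report can be replayed, and the check only has meaning after the quote or attestation token wrapping the report has had its signature verified against Intel’s or the attestation service’s trust anchors.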

Try Ubuntu confidential VMs today

Intel TDX Ubuntu Confidential VMs on Azure are a key step towards building a strong foundation for a zero-trust security strategy in the cloud. Try Ubuntu Confidential VMs on Azure today and experience the future of cloud security. We’re excited to hear your feedback.
