Exploring approaches for secure workload deployment and attestation in virtualization-based confidential computing environment
Ustiukhin, Artemii (2022)
Master's thesis
School of Engineering Science, Computational Engineering
All rights reserved.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi-fe2022053141296
Abstract
Nowadays, it is difficult to dispute the growing popularity of cloud technologies, given their high availability and scalability and their lower usage and support costs compared to on-premises servers. However, cloud providers cannot guarantee the same level of data and software security as on-premises deployments, and users usually have limited visibility into and access to the underlying hardware and software platforms. Confidential computing technologies address this problem: they provide mechanisms for memory isolation, secure internal communication, and remote attestation that let users verify that their workloads are deployed in a trusted execution environment with the declared data security and integrity guarantees. However, platforms and tools for confidential computing are still immature, which prevents their widespread adoption. Moreover, the lack of comprehensive solutions for secure workload deployment prevents the capabilities of confidential computing platforms from being fully realised.
This thesis explores confidential computing platforms in terms of the options and solutions they provide for secure workload deployment and remote attestation. A comparison of platforms from different vendors introduces the state of the art in confidential computing. The comparison also shows that AMD SEV-SNP technology still lacks comprehensive end-to-end solutions for secure workload deployment with remote attestation, even though it has all the prerequisites for them. The study therefore investigates the core AMD SEV-SNP platform features required to organise secure workload deployment in a confidential computing environment.
Since AMD SEV-SNP does not provide mutual authentication and secure remote communication out of the box, a set of artifacts was designed to fill these gaps. Together, the artifacts form a secure communication and remote attestation basis for secure workload deployment. The main contribution of this study is the design of a solution that combines secure connection establishment, mutual authentication, and remote attestation in a single approach. The developed solution can be used in industry as a basis for higher-level secure workload deployment applications. It also points to potential research directions: scaling the designed approach up to add remote attestation of other components, such as application data or software versions, or scaling it out to support multiple confidential computing technologies.