Key Points
References
| Reference_description_with_linked_URLs_______________________ | Notes______________________________________________________________ |
|---|---|
Key Concepts
KVM Container Security Concepts
Confidential computing is a set of technologies, such as Intel's TDX or AMD's SEV, designed to protect data in use, notably with the use of encrypted memory. Confidential containers (CC) are the application of technology to run containers in a way that does not expose any data to the host. Alice Frosi, Sergio Lopez and Christophe de Dinechin presented this technology last year, in a talk titled "Don't peek into my container". This year, CC became a CNCF sandbox project. This technology is full of promises, but it also presents a number of hard technical challenges, for which we have solutions of unequal quality. In this talk, we will focus on five major technical or commercial difficulties: 1/ attestation of the workloads, 2/ performance (including memory, disk and networking bloat), 3/ image download (including possible optimizations), 4/ access control (and the need to rethink credentials) and 5/ debuggability. For some of these problems, we have solutions in the works or on the horizon. For some others, we just know that it will be bad, and we are exploring ideas on how to limit the damage. The majority of these problems involve the hypervisor or KVM to some extent.
Five Big Problems with Confidential Containers – KVM Forum 2022.pdf file
Linux KVM Forum 2022
https://events.linuxfoundation.org/kvm-forum/program/schedule/
Potential Value Opportunities
Potential Challenges
Candidate Solutions
Step-by-step guide for Example
sample code block