Confidential Computing
Restartable confidential guests on QEMU hypervisor - where is the challenge?
<p>Currently QEMU hypervisor based confidential guests on SEV-SNP, SEV-ES and TDX are not at-par with other non-confidential guests in terms of restartability. For these confidential guests, once their initial state is locked-in and its private memory pages, CPU register states are encrypted, its state is finalized and it cannot be changed. This means, in order to restart a confidential guest, a new confidential guest context must be created in KVM and CPU registers, private memory pages re-encrypted with a different key. Today, this means that upon restart, the old QEMU process terminates and the only way to achieve a reset is to instantiate a new guest with a new QEMU process on these systems.</p>
<p>Resettable confidential guests are important for reasons beyond bringing them at par with non-confidential guests. For example, they are a key requirement for implementation of the F-UKI idea [1][2]. This talk will describe some of the challenges we have faced and our experiences in implementing SEV-ES, SEV-SNP and TDX guest reset on QEMU. A demo will be shown that reflects the current state of progress of this work. A link for the demo video will also be shared.
This will be mostly a QEMU centric presentation so we will also describe some fundamental concepts of confidential guest implementation in QEMU. </p>
<p>WIP patches based on which the demo will be shown are here [3][4][5]. These patches are posted in the qemu-devel mailing list for review and inclusion into QEMU [6][7][8].</p>
<ol>
<li>KVM Forum 2024 presentation https://pretalx.com/kvm-forum-2024/talk/HJSKRQ/</li>
<li>FOSDEM 2025 https://fosdem.org/2025/schedule/event/fosdem-2025-4661-introducing-fuki-guest-firmware-in-a-uki-for-confidential-cloud-deployments/</li>
<li>https://gitlab.com/anisinha/qemu/-/commits/coco-reboot</li>
<li>https://gitlab.com/anisinha/qemu/-/commits/coco-reboot-v2</li>
<li>https://gitlab.com/anisinha/qemu/-/commits/coco-reboot-v3</li>
<li>v1: https://lists.gnu.org/archive/html/qemu-devel/2025-12/msg01681.html</li>
<li>v2: https://mail.gnu.org/archive/html/qemu-devel/2026-01/msg01946.html</li>
<li>v3: https://mail.gnu.org/archive/html/qemu-devel/2026-01/msg05298.html</li>
</ol>
Weitere Infos
| Live Stream | https://live.fosdem.org/watch/ud6215 |
|---|---|
| Format | devroom |
| Sprache | Englisch |
Weitere Sessions
| 01.02.26 |
<p>Welcome to the 7th iteration of the Confidential Computing devroom! In this welcome session, we will give a very brief introduction to confidential computing and the devroom, and we will give an honorable mention to all the folks that contributed to this devroom, whether they are presenting or not.</p>
|
| 01.02.26 |
<p>Hardware extensions for confidential computing establish a strict trust boundary between a virtual machine and the host hypervisor. From the guest’s perspective, any interaction crossing this boundary must be treated as untrusted and potentially malicious. This places significant hardening demands on guest operating systems, especially around firmware interfaces, device drivers, and boot components.</p> <p>This talk explores how COCONUT-SVSM can act as a trusted proxy between the hypervisor ...
|
| 01.02.26 |
<p>In this talk, I will first introduce Intellectual Property Encapsulation, the confidential computing feature of Texas Instruments MSP430 microcontrollers, and multiple vulnerabilities we have found in it. Then, I will propose two methods of mitigating these vulnerabilities: first, a software-only solution that can be deployed on existing devices; second, a standard-compliant reimplementation of the hardware on an open-source CPU with more advanced security features and an extensive testing ...
|
| 01.02.26 |
<p>Confidential computing is rapidly evolving with Intel TDX, AMD SEV-SNP, and Arm CCA. However, unlike TDX and SEV-SNP, Arm CCA lacks publicly available hardware, making performance evaluation difficult. While Arm's hardware simulation provides functional correctness, it lacks cycle accuracy, forcing researchers to build best-effort performance prototypes by transplanting their CCA-bound implementations onto non-CCA Arm boards and estimating CCA overheads in software. This leads to duplicated ...
|
| 01.02.26 |
<p>Confidential Computing poses a unique challenge of Attestation Verification. The reason is, Attester in Confidential Computing is infact a collection of Attesters, what we call as Composite Attester. One Attester is a Workload which runs in a CC Environment, while the other Attester is the actual platform on which the Workload is executed. The two Attesters have separate Supply Chains (one been the Workload Owner deploying the Workload) while the Platform is a different Supplier, say Intel ...
|
| 01.02.26 |
<p>We have released the sample codes for remote attestation on cloud confidential computing services. I report the lessons learned from them. https://github.com/iisec-suzaki/cloud-ra-sample The samples cover multiple types of Trusted Execution Environments (TEEs): (1) Confidential VMs, including AMD SEV-SNP on Azure, AWS, and GCP, and Intel TDX on Azure and GCP; (2) TEE enclaves using Intel SGX on Azure; and (3) hypervisor-based enclaves using AWS Nitro Enclaves. As verifiers, the samples make ...
|
| 01.02.26 |
<p>A decade after Intel SGX’s public release, a rich ecosystem of shielding runtimes has emerged, but research on API and ABI sanitization attacks shows that their growing complexity introduces new vulnerabilities. What is still missing is a truly minimal and portable way to develop enclaves.</p> <p>In this talk, we will introduce our recent work on "bare-sgx", a lightweight, fully customizable framework for building SGX enclaves directly on bare-metal Linux using only C and assembly. The ...
|
