Confidential Computing
Challenges of Remote Attestation for Confidential Computing Workloads
<p>Confidential Computing poses a unique challenge of Attestation Verification.
The reason is, Attester in Confidential Computing is infact a collection of Attesters, what we call as Composite Attester.
One Attester is a Workload which runs in a CC Environment, while the other Attester is the actual platform on which the Workload is executed. The two Attesters have separate Supply Chains (one been the Workload Owner deploying the Workload) while the Platform is a different Supplier, say Intel TDX or Arm CC.
Another deployment could be a Workload been trained on a GPU (via means of Integrated TEE) attached to a CPU, to create an end-to-end secure environment. How can one trust such a Workload, along with the CPU which is feeding the training data to it??
To trust a Composite Attester, through remote attestation one needs multiple Remote Attestation Verifiers, for example one coming from CPU Vendor the other from a GPU Vendor.
How do the Verifiers coordinate? Are there topological patterns of coordination that can be standardized.</p>
<p>The presentation will highlight the Work done in IETF Standards & Open Source Project Veraison to highlight:
1. Composite Attesters
2. Remote Attestation though Multiple Verifiers
3. Open-Source Work done in Project Veraison to highlight how Composition of Attesters can be constructed in a standardized manner
4. Open Source Work done in Project Veraison to highlight how Multiple Verifiers can coordinate to produce a Combined Attestation Verdict for a Composite Attester.</p>
<p>Please see the following links-
https://datatracker.ietf.org/doc/draft-richardson-rats-composite-attesters/</p>
<p>https://datatracker.ietf.org/doc/draft-deshpande-rats-multi-verifier/</p>
<p>Composition of Attesters using Concise Message Wrappers:
Golang Implementation:
https://github.com/veraison/cmw <br />
Rust Implementation:
https://github.com/veraison/rust-cmw</p>
<p>Attestation results required for constructing compositional semantics:
Golang Implementation:
https://github.com/veraison/ear</p>
<p>Rust Implementation:
https://github.com/veraison/rust-ear</p>
<p>Verification of Composite Attesters - Arm-CCA
https://github.com/veraison/services</p>
Additional information
| Live Stream | https://live.fosdem.org/watch/ud6215 |
|---|---|
| Type | devroom |
| Language | English |
More sessions
| 2/1/26 |
<p>Welcome to the 7th iteration of the Confidential Computing devroom! In this welcome session, we will give a very brief introduction to confidential computing and the devroom, and we will give an honorable mention to all the folks that contributed to this devroom, whether they are presenting or not.</p>
|
| 2/1/26 |
<p>Hardware extensions for confidential computing establish a strict trust boundary between a virtual machine and the host hypervisor. From the guest’s perspective, any interaction crossing this boundary must be treated as untrusted and potentially malicious. This places significant hardening demands on guest operating systems, especially around firmware interfaces, device drivers, and boot components.</p> <p>This talk explores how COCONUT-SVSM can act as a trusted proxy between the hypervisor ...
|
| 2/1/26 |
<p>Currently QEMU hypervisor based confidential guests on SEV-SNP, SEV-ES and TDX are not at-par with other non-confidential guests in terms of restartability. For these confidential guests, once their initial state is locked-in and its private memory pages, CPU register states are encrypted, its state is finalized and it cannot be changed. This means, in order to restart a confidential guest, a new confidential guest context must be created in KVM and CPU registers, private memory pages ...
|
| 2/1/26 |
<p>In this talk, I will first introduce Intellectual Property Encapsulation, the confidential computing feature of Texas Instruments MSP430 microcontrollers, and multiple vulnerabilities we have found in it. Then, I will propose two methods of mitigating these vulnerabilities: first, a software-only solution that can be deployed on existing devices; second, a standard-compliant reimplementation of the hardware on an open-source CPU with more advanced security features and an extensive testing ...
|
| 2/1/26 |
<p>Confidential computing is rapidly evolving with Intel TDX, AMD SEV-SNP, and Arm CCA. However, unlike TDX and SEV-SNP, Arm CCA lacks publicly available hardware, making performance evaluation difficult. While Arm's hardware simulation provides functional correctness, it lacks cycle accuracy, forcing researchers to build best-effort performance prototypes by transplanting their CCA-bound implementations onto non-CCA Arm boards and estimating CCA overheads in software. This leads to duplicated ...
|
| 2/1/26 |
<p>We have released the sample codes for remote attestation on cloud confidential computing services. I report the lessons learned from them. https://github.com/iisec-suzaki/cloud-ra-sample The samples cover multiple types of Trusted Execution Environments (TEEs): (1) Confidential VMs, including AMD SEV-SNP on Azure, AWS, and GCP, and Intel TDX on Azure and GCP; (2) TEE enclaves using Intel SGX on Azure; and (3) hypervisor-based enclaves using AWS Nitro Enclaves. As verifiers, the samples make ...
|
| 2/1/26 |
<p>A decade after Intel SGX’s public release, a rich ecosystem of shielding runtimes has emerged, but research on API and ABI sanitization attacks shows that their growing complexity introduces new vulnerabilities. What is still missing is a truly minimal and portable way to develop enclaves.</p> <p>In this talk, we will introduce our recent work on "bare-sgx", a lightweight, fully customizable framework for building SGX enclaves directly on bare-metal Linux using only C and assembly. The ...
|
