Confidential Computing
Open source firmware for high assurance confidential infrastructure
February 1, 2026
12:25 PM – 12:45 PM Add to calendar
12:25 PM – 12:45 PM Add to calendar
UD6.215
<p>This talk presents a practical approach to building a high‑assurance core
infrastructure for home and small business environments, using modern open
firmware on commodity server hardware.</p>
<p>As AI workloads move from cloud to on‑premise, the need for trustworthy and
attestable hardware platforms for running models and handling sensitive data
becomes critical. But what does "trustworthy" actually mean at the
hardware/firmware level, and can we realistically achieve it with today’s
platforms?</p>
<p>We will walk through how to build a system based on a modern AMD server board
combined with open‑source firmware (coreboot[1] and OpenSIL[2]) to gain more
control and transparency across the boot chain. We will discuss:</p>
<ul>
<li>How open firmware and silicon initialization enable a stronger supply chain
transparency and verifiability</li>
<li>How to establish, measure, and attest a minimal and understandable firmware
and software stack</li>
<li>How to combine this with AMD’s security and confidential computing features
to protect workloads and keys</li>
<li>Practical pitfalls when deploying such systems at home or in small
organizations</li>
</ul>
<p>The goal is to show how open firmware can complement security and confidentiality
computing features to create a platform you can actually inspect, reason
about, and attest from top to bottom - rather than treating the hardware and
firmware as opaque, trusted black boxes.</p>
<p>[1] https://www.coreboot.org/
[2] https://github.com/openSIL/openSIL</p>
Additional information
| Live Stream | https://live.fosdem.org/watch/ud6215 |
|---|---|
| Type | devroom |
| Language | English |
More sessions
| 2/1/26 |
<p>Welcome to the 7th iteration of the Confidential Computing devroom! In this welcome session, we will give a very brief introduction to confidential computing and the devroom, and we will give an honorable mention to all the folks that contributed to this devroom, whether they are presenting or not.</p>
|
| 2/1/26 |
<p>Hardware extensions for confidential computing establish a strict trust boundary between a virtual machine and the host hypervisor. From the guest’s perspective, any interaction crossing this boundary must be treated as untrusted and potentially malicious. This places significant hardening demands on guest operating systems, especially around firmware interfaces, device drivers, and boot components.</p> <p>This talk explores how COCONUT-SVSM can act as a trusted proxy between the hypervisor ...
|
| 2/1/26 |
<p>Currently QEMU hypervisor based confidential guests on SEV-SNP, SEV-ES and TDX are not at-par with other non-confidential guests in terms of restartability. For these confidential guests, once their initial state is locked-in and its private memory pages, CPU register states are encrypted, its state is finalized and it cannot be changed. This means, in order to restart a confidential guest, a new confidential guest context must be created in KVM and CPU registers, private memory pages ...
|
| 2/1/26 |
<p>In this talk, I will first introduce Intellectual Property Encapsulation, the confidential computing feature of Texas Instruments MSP430 microcontrollers, and multiple vulnerabilities we have found in it. Then, I will propose two methods of mitigating these vulnerabilities: first, a software-only solution that can be deployed on existing devices; second, a standard-compliant reimplementation of the hardware on an open-source CPU with more advanced security features and an extensive testing ...
|
| 2/1/26 |
<p>Confidential computing is rapidly evolving with Intel TDX, AMD SEV-SNP, and Arm CCA. However, unlike TDX and SEV-SNP, Arm CCA lacks publicly available hardware, making performance evaluation difficult. While Arm's hardware simulation provides functional correctness, it lacks cycle accuracy, forcing researchers to build best-effort performance prototypes by transplanting their CCA-bound implementations onto non-CCA Arm boards and estimating CCA overheads in software. This leads to duplicated ...
|
| 2/1/26 |
<p>Confidential Computing poses a unique challenge of Attestation Verification. The reason is, Attester in Confidential Computing is infact a collection of Attesters, what we call as Composite Attester. One Attester is a Workload which runs in a CC Environment, while the other Attester is the actual platform on which the Workload is executed. The two Attesters have separate Supply Chains (one been the Workload Owner deploying the Workload) while the Platform is a different Supplier, say Intel ...
|
| 2/1/26 |
<p>We have released the sample codes for remote attestation on cloud confidential computing services. I report the lessons learned from them. https://github.com/iisec-suzaki/cloud-ra-sample The samples cover multiple types of Trusted Execution Environments (TEEs): (1) Confidential VMs, including AMD SEV-SNP on Azure, AWS, and GCP, and Intel TDX on Azure and GCP; (2) TEE enclaves using Intel SGX on Azure; and (3) hypervisor-based enclaves using AWS Nitro Enclaves. As verifiers, the samples make ...
|
