On behalf of all Canonical teams, I’m happy to announce the general availability of Ubuntu Confidential VMs (CVMs) on Microsoft Azure! They are part of the Microsoft Azure DCasv5/ECasv5 series, and take only a few clicks to enable and use. Ubuntu 20.04 is the first and only Linux distribution to support Confidential VMs on Azure.
What are Ubuntu CVMs?
Ubuntu CVMs use the latest security extensions of the third generation of AMD EPYC CPUs, Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP). As such, they bring about a fundamental shift in the traditional threat model of public clouds. Traditionally, any vulnerability in the millions of lines of code that make up the cloud’s privileged system software (host OS, hypervisor, firmware) would compromise the confidentiality and integrity of your running code and data. The same holds for any undue access to your VM, or to the platform running it, by a malicious cloud administrator.
Ubuntu CVMs give you back control over the security guarantees of your VMs. They do so by letting you run your workload inside a logically isolated, hardware-rooted execution environment. Your trusted computing base shrinks to what runs inside the guest (its firmware, kernel and your application) plus the AMD CPU and its Secure Processor; the host OS, the hypervisor and the cloud operator are no longer part of it. In other words, a compromised host or a rogue cloud administrator can neither read your data nor alter your code’s execution.
How do Ubuntu confidential VMs work?
Ubuntu CVMs achieve these guarantees by protecting your VM throughout its entire lifecycle:
1. At run-time
Using AMD SEV-SNP, your VM’s code and data stay encrypted while they are being operated on in system memory. The encryption uses the AES-128 hardware engine embedded in the CPU’s memory controller, and the per-VM encryption key is generated, protected and managed by the AMD Secure Processor, so neither the host OS nor the hypervisor ever sees it.
2. At rest
Your entire workload is encrypted using Ubuntu’s full disk encryption. The disk encryption key is itself stored encrypted on your VM’s virtual disk and bound to the virtual TPM (vTPM) associated with your instance, so it is only released when the VM boots into the expected state. Finally, the vTPM lives inside the guest VM’s own address space, and therefore enjoys the same run-time protection that AMD SEV-SNP provides to the rest of the VM.
3. At boot time
Before the VM boots, the platform produces a signed attestation rooted in the AMD hardware, which you can use to verify the OS, firmware and platform boot measurements. Verify the signature and compare the measurements against known-good values before releasing any secrets to the VM.
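The following is an added example, not code from the Canonical post or from Ubuntu: it parses an SEV-SNP attestation report and applies the checks a relying party should run before trusting a VM with a secret. Field offsets follow the ATTESTATION_REPORT layout in the AMD SEV-SNP ABI specification; the sample report bytes, the allow-listed measurement, the nonce and the minimum TCB values are all constructed for the demo, and the report carries no real signature. How Azure hands the report to the guest, and the verification of its ECDSA P-384 signature against AMD’s VCEK certificate chain, are outside the example (the signature check is a precondition for everything below).

```python
"""Parse an AMD SEV-SNP attestation report and apply relying-party checks.

Added example (not Canonical's code). Offsets follow the ATTESTATION_REPORT
table of the AMD SEV-SNP ABI spec; all sample values are CONSTRUCTED."""
import struct

REPORT_LEN = 0x4A0   # full report, 512-byte signature included
SIGNED_LEN = 0x2A0   # bytes 0x000..0x29F are what the ECDSA P-384 signature covers

# POLICY field (offset 0x008): bits a relying party cares about
POLICY_SMT = 1 << 16            # guest may run with SMT enabled
POLICY_RESERVED_1 = 1 << 17     # must always be set
POLICY_MIGRATE_MA = 1 << 18     # a migration agent may receive guest state
POLICY_DEBUG = 1 << 19          # debug mode: the host can decrypt guest memory
POLICY_SINGLE_SOCKET = 1 << 20


def parse_report(blob):
    """Slice the fixed-layout, little-endian report into named fields."""
    if len(blob) != REPORT_LEN:
        raise ValueError("unexpected report length %d" % len(blob))
    version, guest_svn, policy = struct.unpack_from("<IIQ", blob, 0x000)
    vmpl, sig_algo = struct.unpack_from("<II", blob, 0x030)
    current_tcb, platform_info = struct.unpack_from("<QQ", blob, 0x038)
    (reported_tcb,) = struct.unpack_from("<Q", blob, 0x180)
    return {
        "version": version, "guest_svn": guest_svn, "policy": policy,
        "vmpl": vmpl, "signature_algo": sig_algo,
        "current_tcb": current_tcb, "platform_info": platform_info,
        "report_data": blob[0x050:0x090],   # 64 bytes chosen by the guest (our nonce)
        "measurement": blob[0x090:0x0C0],   # 48-byte launch digest of the guest image
        "host_data": blob[0x0C0:0x0E0],
        "reported_tcb": reported_tcb,
        "chip_id": blob[0x1A0:0x1E0],
        "signed_body": blob[:SIGNED_LEN],
        "sig_r": blob[0x2A0:0x2A0 + 72],
        "sig_s": blob[0x2A0 + 72:0x2A0 + 144],
    }


def tcb_components(tcb):
    """Split a TCB_VERSION into its independently versioned firmware parts."""
    return {"boot_loader": tcb & 0xFF, "tee": (tcb >> 8) & 0xFF,
            "snp": (tcb >> 48) & 0xFF, "microcode": (tcb >> 56) & 0xFF}


def check_report(report, nonce, allowed_measurements, min_tcb):
    """Return reasons to reject the report; an empty list means accept.

    Assumes sig_r/sig_s over signed_body were ALREADY verified against the
    VCEK chain from AMD's key distribution service; no field is trustworthy
    before that check passes."""
    problems = []
    policy = report["policy"]
    if report["version"] < 2:
        problems.append("report version %d too old" % report["version"])
    if not policy & POLICY_RESERVED_1:
        problems.append("policy reserved bit 17 clear: malformed policy")
    if policy & POLICY_DEBUG:
        problems.append("DEBUG policy bit set: host can decrypt guest memory")
    if policy & POLICY_MIGRATE_MA:
        problems.append("MIGRATE_MA set: guest state may be handed to a migration agent")
    if report["report_data"] != nonce.ljust(64, b"\0"):
        problems.append("report_data does not carry our nonce: stale or replayed report")
    if report["measurement"] not in allowed_measurements:
        problems.append("launch measurement %s not allow-listed" % report["measurement"].hex())
    have, need = tcb_components(report["reported_tcb"]), tcb_components(min_tcb)
    for part in need:
        if have[part] < need[part]:
            problems.append("%s TCB %d below required %d" % (part, have[part], need[part]))
    return problems


def build_sample_report(policy, measurement, nonce, reported_tcb):
    """CONSTRUCTED report for the demo: correct layout, zeroed signature."""
    blob = bytearray(REPORT_LEN)
    struct.pack_into("<IIQ", blob, 0x000, 2, 1, policy)      # version 2, guest SVN 1
    struct.pack_into("<II", blob, 0x030, 0, 1)               # VMPL 0, ECDSA P-384/SHA-384
    struct.pack_into("<QQ", blob, 0x038, reported_tcb, 0)    # current TCB, platform info
    blob[0x050:0x090] = nonce.ljust(64, b"\0")
    blob[0x090:0x0C0] = measurement
    struct.pack_into("<Q", blob, 0x180, reported_tcb)
    return bytes(blob)


# Hypothetical values for the demo, not a real Ubuntu CVM measurement or TCB
GOOD_MEASUREMENT = bytes.fromhex("ab" * 48)
NONCE = bytes(range(32))
MIN_TCB = 0x03 | (0x08 << 48) | (0xD3 << 56)


def demo():
    """Accept a well-formed report; reject one with DEBUG set and a stale nonce."""
    ok_policy = POLICY_RESERVED_1 | POLICY_SMT
    good = build_sample_report(ok_policy, GOOD_MEASUREMENT, NONCE, MIN_TCB)
    bad = build_sample_report(ok_policy | POLICY_DEBUG, GOOD_MEASUREMENT, b"old", MIN_TCB)
    good_problems = check_report(parse_report(good), NONCE, {GOOD_MEASUREMENT}, MIN_TCB)
    bad_problems = check_report(parse_report(bad), NONCE, {GOOD_MEASUREMENT}, MIN_TCB)
    return good_problems, bad_problems


if __name__ == "__main__":
    accepted, rejected = demo()
    print("good report problems:", accepted)
    for reason in rejected:
        print("bad report rejected:", reason)
```

The nonce check is what turns a signed report into a fresh proof: without binding `report_data` to a value the verifier chose, an attacker could replay a report from an earlier, honest boot. The TCB comparison is done per component rather than on the raw 64-bit value, because the boot loader, TEE, SNP firmware and microcode versions are independent and a single integer comparison can accept a downgraded component.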
Part of Canonical’s security commitment
With Ubuntu CVMs, Canonical continues its strong commitment to security. This is yet another reason why developers, end-users and enterprises around the world keep choosing Ubuntu on all major public clouds. With Azure CVMs, Ubuntu customers can keep using its 10 years of extended security maintenance, its certified and hardened images and its kernel Livepatch capabilities, while enjoying the Ubuntu user experience they have come to love and expect.
Stay tuned for more news on confidential computing
Azure Confidential VMs mark only the beginning of Ubuntu’s confidential computing capabilities across public clouds and compute classes. We look forward to sharing more news about our expanding portfolio and to learning about the novel ways you are using confidential computing.