Confidential computing with Kata Containers - DevConf.CZ 2022
Speakers: Christophe de Dinechin, Jakob Naucke

"Confidential computing" is a set of technologies, such as memory or CPU state encryption, that are intended to restrict access to the live data in a virtual machine to its legitimate users, to the exclusion of even the physical host or the hypervisor running the virtual machine. "Confidential containers" is the application of such technologies to protect the data in containers. This matters for use cases where the "tenant" running the workloads has legal or business reasons to want the data being processed to be hidden from the infrastructure it is running on.

We will discuss the implementation of confidential containers in the context of the Kata project. The current plan involves multiple important steps:

- Image download needs to be moved within the guest
- A process known as "attestation" allows the tenant to verify what they are running and the platform they run it on
- Separation of the control plane into operations related to host resources and operations related to the owner workloads

We will also provide a progress report on these developments since DevConf.us.

In the second part, we go deeper into how Kata Containers' confidential computing efforts can be integrated with the respective hardware platforms. Confidential computing always requires ensuring that confidential data can only be read in a secured context, and the technologies for achieving this vary between vendors, so we present a modularised approach able to combine these technologies. As an example, we show how confidential containers are integrated with Kata using Secure Execution (IBM Z).

We also discuss design approaches as to how this technology can be made accessible to tenants. This is not trivial, as a naive approach of e.g. having tenants build entire VM images on specialised hardware does not scale well.

The session will be delivered together with Christophe de Dinechin, Red Hat.

Sched: https://sched.co/siGQ