[go: up one dir, main page]

Ubuntu for confidential computing

Protect your data in use,
across public and private clouds.


Contact us to learn more

Benefits of Ubuntu for confidential computing

  • Protect sensitive data by encrypting it when it’s being processed
  • Secure your workloads in untrusted environments
  • Build data clean rooms for collaborative AI analytics

Intel TDX is available on Ubuntu for both the host and guest

Ubuntu now supports Intel’s latest confidential computing technology. This hardware-based trusted execution environment enables you to add an extra layer of protection to the code and data running within your confidential virtual machines.

Diagram showing that Ubuntu builds cater to both the host and guest sides, empowering users to launch a
                        confidential TDX virtual machine seamlessly

Private preview available on Ubuntu 24.04

Canonical’s strategic partnership with Intel gives you a customised Ubuntu build for Intel®TDX, incorporating all the latest necessary end-to-end host-to-guest patches available, even before they make it upstream.

Host side

We support a 6.8 kernel, derived from the 24.04 generic kernel, and offer essential user space components accessible through PPAs, such as Libvirt 9.6, and QEMU 8.0. We also offer a set of user-friendly scripts to simplify the creation of confidential environments with just a few commands.

Guest side

We support a comprehensive package, featuring a 6.8 kernel, Shim, Grub, and TDVF, which serves as an in-guest VM firmware.


How confidential VMs work

Confidential VMs introduce a new trust boundary which only includes the software running within, and the platform’s hardware. All other software outside is no longer part of your trusted computing base.

Diagram showing the hardware is at the base and the CVM can add a layer of protection around the software
                        it's running

To provide such strong security guarantees, confidential computing relies on two main primitives:

  1. 1. Isolation

    Confidential computing capable CPUs are equipped with an AES hardware memory encryption engine, which encrypts data when it is written to system memory, and decrypts it when read. The encryption key itself is stored in the hardware root of trust and is never exposed to the platform’s system software.

  2. 2. Remote attestation

    When a confidential VM is launched, its integrity is verified and its initial code and data are measured by a hardware root of trust. This ensures they have not been tampered with. The measurement is cryptographically signed and can be attested to a remote verifier.




Use Ubuntu Pro to further harden your confidential VMs

While confidential VMs safeguard your workload from external threats, internal vulnerabilities within their boundaries can still pose risks. This is where Ubuntu Pro proves invaluable, ensuring your guest CVM software stack is continuously patched and up-to-date.

Learn more about Ubuntu Pro ›


A solid foundation of your zero trust strategy

With confidential computing, you can remove the privileged systems software from your trusted computing base, reduce your attack surface, and get a remotely verifiable cryptographic guarantee before trusting any platform with your data.

Learn more about zero trust and confidential computing ›


Confidential computing in your private data centre

Combine good data governance practices with the latest advances in privacy-enhancing computation. Use confidential computing to protect the confidentiality and integrity of the sensitive data hosted on your on-premises servers, using hardware-rooted primitives beyond traditional measures.

Why use confidential VMs in your private datacenter? ›