SUSE open-sources Secure VM Service Module for Confidential Computing

submited by
Style Pass
2023-03-15 18:30:04

Today SUSE open-sources its implementation of a Secure Virtual Machine Service Module (SVSM), which will enhance the security of confidential virtual machines (CVMs). The COCONUT-SVSM will allow CVMs to securely store data in a trusted environment and emulate TPM devices on AMD EPYC Generation 3 and later. Written in the Rust programming language it features special isolation capabilities. It is dual-licensed under the Apache-2.0 and MIT licenses. With open-sourcing the project we invite the community to participate in its future development.

The very short answer is: Confidential Computing encrypts data during processing. In recent years CPU vendors have started to integrate features which allow to setup isolated and trusted execution environments that are inaccessible to the rest of the system. The SVSM builds on AMD Secure Virtual Machine with Secure Nested Paging (AMD SEV-SNP). With this extension the virtual machine runs with encrypted memory and register state, so that its content is not visible outside of the CVMs context.

Confidential Computing is especially important in environments where the hypervisor is controlled by someone else and thus not fully trusted. Since all peripheral devices of a CVM are controlled by the hypervisor, these devices are not fully trusted too . For most devices like disks and network cards the CVM can protect itself from malformed or malicious input . But there are also devices, like the TPM, which contain security sensitive state that must not be visible to the hypervisor.

Leave a Comment