Introducing Confidential VMs on Ubuntu Pro for Azure

In the modern cloud ecosystem, the emergence of Confidential VMs (CVMs) has marked a significant stride towards robust security. However, while CVMs excel in guarding against external code threats, they remain susceptible to vulnerabilities within their boundaries. Herein lies the profound synergy between Ubuntu Pro and Confidential VMs on Microsoft Azure. While the latter fortifies the external walls, Ubuntu Pro vigilantly guards the interior, fostering a hardened, compliant, and manageable enclave for your cloud-based workloads. The integration not only significantly amplifies the security, but seamlessly aligns with enterprise requisites, propelling confidential computing towards being production-ready for professional workloads.

What are the benefits of Ubuntu Pro?

Ubuntu Pro extends the popular Ubuntu LTS with additional enterprise-grade capabilities tailored to meet the stringent requirements of professional and production use-cases. Here are some key advantages:

• Extended Security Maintenance (ESM): 10 years of vulnerability management for the entire stack of software packages.
• Comprehensive Patching: Security patching for over 25,000 open-source packages, expanding the set of packages your team can build on safely and reducing your average CVE exposure significantly.
• Kernel Livepatch: Minimise downtime and unplanned reboots with patches for critical and high-severity kernel vulnerabilities.
• Automated Compliance: Tooling for hardening and compliance profiles, including CIS, DISA-STIG, FIPS 140, and more.
• Streamlined Billing: Hourly billing through your existing Azure account.

For more details, you can visit the Ubuntu Pro for Azure page.

Why use Confidential VMs (CVMs)?

Confidential VMs add an extra layer of security by encrypting data during processing, addressing a previously challenging aspect of data protection. The technology ensures that data is encrypted at runtime, at rest, and during boot-up. Here are some key features:

• Runtime Protection: Data and code in memory are encrypted, ensuring that they are secure from any unauthorized access.
• Data-at-Rest Encryption: Full-disk encryption capabilities to secure all stored data.
• Boot-Time Verification: Hardware-rooted signed attestation to verify the OS, firmware, and platform boot measurements.

 For more information, you can visit this blog.

Combining Ubuntu Pro and Confidential VMs

Confidential computing introduces a security model where CVMs protect data from external software threats. However, vulnerabilities from within their boundaries remain a concern. This is where Ubuntu Pro becomes essential. Ubuntu Pro offers security measures to tackle vulnerabilities within the CVM’s software stack or the guest OS. Regular security patching and updates provided by Ubuntu Pro mitigate this risk. For a detailed exploration on the importance of securing your CVM from internal vulnerabilities, you can read our in-depth article here. This integration ensures a more secure environment suitable for enterprise operations and is compatible with both AMD SEV-SNP hardware and, for those in the Azure limited preview, Intel TDX.

How to Deploy

To deploy a new Confidential VM with Ubuntu Pro, use the Azure CLI command as follows:

az vm create 
--resource-group "${RESOURCE_GROUP}" 
--name "${VM_NAME}" 
--size Standard_DC4as_v5 
--enable-vtpm true 
--image "Canonical:0001-com-ubuntu-confidential-vm-focal:20_04-lts-cvm:latest" 
--security-type ConfidentialVM 
--os-disk-security-encryption-type VMGuestStateOnly 
--enable-secure-boot true 
--license-type UBUNTU_PRO

The –license-type UBUNTU_PRO flag is the key for deploying Ubuntu Pro. 

In-Place Upgrade

Existing Confidential VM Ubuntu LTS VMs can be upgraded to Ubuntu Pro using a few commands. For more details, you can visit our In-Place Upgrade announcement.

Conclusion

Azure Confidential VMs provide an enhanced layer of protection for cloud-based workloads. But for a comprehensive security approach, it’s crucial to also address vulnerabilities from within. Ubuntu Pro fills this internal security need, improving the overall security framework. This integration between Ubuntu Pro and Azure Confidential VMs provides a more secure environment, enabling users to manage their confidential computing tasks with increased confidence.