What’s confidential, generally available, and open source? It’s Canonical Ubuntu 22.04 on Microsoft Azure!

class="wp-block-image">

Confidential computing is an industry-wide effort that requires the cooperation of several stakeholders. On the hardware side, silicon providers have been investing considerable resources into maturing their Trusted Execution Environment (TEEs) offerings. Public cloud providers (PCPs) have been one of the main adopters of such TEEs. In order to make running confidential workloads easy for their users, PCPs have been focusing on enabling a “shift and lift” approach, where entire VMs can run unchanged within the TEE.  What this means is that developers neither have to refactor their confidential applications nor rewrite them. What this also means is that the guest operating system needs to be optimised and enabled to support the user applications to leverage the platform’s underlying hardware TEE capabilities, and to further protect the VM while it’s booting, and when it’s at rest.

This is exactly what Canonical Ubuntu has been working on for the past couple of months! Thanks to a close collaboration with Microsoft Azure, Ubuntu 22.04 CVMs on Azure are ready for you, today, to build confidential public cloud workloads.

How do Ubuntu CVMs work

Ubuntu CVMs achieve such strong security guarantees by securing your VMs throughout their entire lifecycle:

• At run-time: Using AMD SEV-SNP, your VM’s code and data are encrypted when they are being operated on in the system memory. The encryption leverages the newest AES-128 hardware encryption engine embedded in the CPU’s memory controller. The encryption key is further protected and managed by the AMD Secure Processor. 
• At-rest: Your entire workload is encrypted using Ubuntu-enhanced full disk encryption capabilities. The encryption key is itself stored encrypted in your VM’s virtual disk. It’s then bound to the virtual TPM (vTPM) associated with your instance. Finally, the vTPM is itself part of the guest VM address space, and enjoys the same run-time security guarantees provided by the AMD SEV-SNP extensions to the entire VM instance.
• At boot-time: Before booting the VM, the platform provides a hardware-rooted signed attestation which can be used to verify the OS, firmware and platform boot measurements.

Looking ahead?

By using Ubuntu 22.04 CVMs, you add an additional layer to your defense-in-depth architecture and reduce the attack surface of your Azure workloads. Ubuntu handles the complex tasks involved, enabling you to achieve this new level of security without friction.

If you are already using the public cloud, you can only benefit from running your VMs as confidential VMs instead!  If you have security concerns that are preventing you from using the public cloud, the advances in confidential computing warrant that you re-evaluate your risk assessment, and reach the conclusion that best suits your organisation.

At Canonical, we believe that confidential computing and privacy enhancing technologies will be the default way of doing computing in the future. This is why Canonical Ubuntu confidential VMs are available for free. On Azure, you can always augment your Ubuntu CVMs with Canonical’s Ubuntu Pro services, that offers an extended security maintenance of 10 years,  certified and hardened images and kernel livepatch capabilities.

This is just the beginning of Canonical Ubuntu’s confidential computing journey! Come along, and stay tuned for many more exciting announcements about our expanding portfolio.

More resources

• Watch our webinar  “Introduction to confidential computing” webinar 
• Learn about how confidential computing can help you better utilize security-sensitive data within the financial-services industry
• Take a deep dive into how we enabled CVMs on Azure
• Start creating and using Ubuntu CVMs on Azure
• Join our webinar to know if  Linux is secure