IBM, Google, Microsoft and Intel formed an alliance to develop open data protection technologies

The Linux Foundation has announced the establishment of the Confidential Computing Consortium, aimed at developing open technologies and standards related to secure in-memory processing and confidential computing. The joint project has already been joined by companies such as Alibaba, Arm, Baidu, Google, IBM, Intel, Tencent and Microsoft, which intend to work together on a neutral platform to develop technologies for isolating data in memory during computation.

The ultimate goal is to provide the means to support the full cycle of data processing in encrypted form, without the information appearing in unencrypted form at any individual stage. The consortium's area of interest primarily includes technologies related to the use of encrypted data during computation, namely the use of isolated enclaves, protocols for multiparty computing, manipulation of encrypted data in memory, and complete isolation of data in memory (for example, to prevent the host system administrator from accessing data in the memory of guest systems).

The following projects have been transferred for independent development as part of the Confidential Computing Consortium:

  • Intel handed over, for continued joint development, its previously open-sourced components for using SGX (Software Guard Extensions) technology on Linux, including an SDK with a set of tools and libraries. SGX offers a set of special processor instructions that allocate private memory areas to user-level applications; the contents of these areas are encrypted and cannot be read or modified even by the kernel or by code running in ring0, SMM and VMM modes;

  • Microsoft handed over the Open Enclave framework, which allows you to create applications for various TEE (Trusted Execution Environment) architectures using a single API and an abstract enclave representation. An application prepared using Open Enclave can run on systems with different enclave implementations. Of the TEEs, only Intel SGX is currently supported. Code to support ARM TrustZone is in development. Nothing is reported about support for Keystone, AMD PSP (Platform Security Processor) or AMD SEV (Secure Encrypted Virtualization).
  • Red Hat handed over the Enarx project, which provides an abstraction layer for creating universal applications that run in enclaves across various TEE environments, independent of hardware architecture and allowing the use of various programming languages (a WebAssembly-based runtime is used). The project currently supports AMD SEV and Intel SGX technologies.

Among similar projects that were left out, we can note the Asylo framework, which is developed mainly by Google engineers but is not an officially supported Google product. The framework makes it easy to adapt applications so that the part of their functionality requiring increased protection is moved into a protected enclave. Of the hardware isolation mechanisms, Asylo supports only Intel SGX, but a software mechanism for forming enclaves based on virtualization is also available.

Recall that an enclave (TEE, Trusted Execution Environment) is a special isolated area provided by the processor, which allows part of the functionality of applications and the operating system to be moved into a separate environment whose memory contents and executable code are inaccessible from the main system, regardless of the privilege level available there. Implementations of various encryption algorithms, functions for processing private keys and passwords, authentication procedures, and code for working with confidential data can be moved to the enclave for execution.

If the main system is compromised, the attacker will not be able to determine the information stored in the enclave and will be limited to its external software interface. Hardware enclaves can be considered an alternative to methods based on homomorphic encryption or confidential computing protocols, but unlike these technologies, an enclave has virtually no effect on the performance of calculations with confidential data and significantly simplifies development.

Source: opennet.ru
