At Google, we believe the future of cloud computing will increasingly shift to private, encrypted services that give users full confidence in the privacy of their data.
Google Cloud already encrypts customer data in transit and at rest, but data has to be decrypted to be processed. Confidential Computing is a breakthrough technology that keeps data encrypted while it is in use. In a Confidential Computing environment, data stays encrypted in RAM and anywhere else outside the processor (CPU).
Confidential VMs, now in beta, are the first product in the Google Cloud Confidential Computing line. We already use a range of isolation and sandboxing techniques in our cloud infrastructure to keep the multi-tenant architecture secure. Confidential VMs take security to the next level by adding in-memory encryption that further isolates workloads in the cloud, helping customers protect sensitive data. This should be especially interesting to anyone working in a regulated industry (translator's note: presumably with GDPR and similar requirements in mind).
Unlocking new possibilities
It was already possible to deploy and use confidential computing environments with Asylo, our open source framework for confidential computing, but the focus there was on delivering the high performance and application compatibility expected of workloads you choose to run in the cloud. We believe you should not have to compromise on usability, flexibility, performance or security.
With Confidential VMs entering beta, we become the first major cloud provider to offer this level of security and isolation, with a simple, easy-to-use option for both new applications and ported ones (translator's note: that is, applications that can run in the cloud without significant changes). We offer:
- Unmatched confidentiality: customers can protect the confidentiality of sensitive data in the cloud even while it is being processed. Confidential VMs use the Secure Encrypted Virtualization (SEV) feature of 2nd Gen AMD EPYC processors. Data remains encrypted while it is used, indexed, queried or trained on. Encryption keys are generated in hardware, separately for each virtual machine, and never leave that hardware.
- Enhanced innovation: Confidential Computing makes processing scenarios possible that previously were not. Organizations can share confidential data sets and collaborate on research in the cloud while preserving confidentiality.
- Confidentiality for ported workloads: our goal is to make confidential computing simple. Migration to Confidential VMs is seamless: any GCP workload that runs in a virtual machine today can run in a Confidential VM. All it takes is ticking a single checkbox.
- Advanced Threat Protection: Confidential Computing builds on the protection Shielded VMs provide against rootkits and bootkits, helping ensure the integrity of the operating system you choose to run in your Confidential VM.
Confidential VM basics
Confidential VMs run on N2D virtual machines, which are powered by 2nd Gen AMD EPYC processors. AMD's SEV feature delivers high performance for the most demanding compute workloads while encrypting the virtual machine's RAM with a per-VM key generated and managed by the EPYC processor. The key is created by the AMD Secure Processor coprocessor when the virtual machine is created and resides only inside it, so neither Google nor other virtual machines running on the same node can access it.
On top of the built-in hardware RAM encryption, Confidential VMs are built on Shielded VMs, which harden the operating system image against tampering and verify the integrity of the firmware, kernel binaries and drivers. Google-provided images include Ubuntu 18.04, Ubuntu 20.04, Container-Optimized OS (COS v81) and RHEL 8.2. We are working to offer other operating system images, such as CentOS and Debian.
We also worked closely with the AMD Cloud Solutions engineering team to make sure the virtual machine's memory encryption does not affect performance. Support for new OSS drivers (nvme and gvnic) was added so that storage requests and network traffic can be handled with higher throughput than the older protocols allowed. As a result, we confirmed that the performance metrics of Confidential VMs are close to those of regular virtual machines.
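The "one checkbox" from the list above and the N2D/SEV requirements described in this section have a command-line equivalent. The script below is an added example, not code from the original post or from Google: it builds the gcloud command that creates a Confidential VM (refusing a machine type outside the N2D family, since that is where SEV is available), and it checks the guest kernel's dmesg output for the message the Linux memory-encryption code prints when SEV is active. The instance name, zone, project defaults and image family are placeholders, and the dmesg excerpts are constructed samples rather than captures from a real instance.

```shell
#!/bin/sh
# Added example (not from the original post or from Google): create an N2D
# Confidential VM with gcloud, then confirm from inside the guest that SEV
# memory encryption is actually on. Instance name, zone and image are
# placeholder assumptions.
set -eu

# Confidential VMs run only on the N2D family (2nd Gen AMD EPYC).
is_n2d_machine_type() {
  case "$1" in
    n2d-*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Print the gcloud command that creates a Confidential VM. The flags are real
# gcloud flags:
#   --confidential-compute          enable AMD SEV for this instance
#   --maintenance-policy=TERMINATE  SEV guests are not live-migrated, so the
#                                   VM is stopped for host maintenance
#   --shielded-*                    the Shielded VM protections (Secure Boot,
#                                   vTPM, integrity monitoring) that the post
#                                   says Confidential VMs build on
# Returns 1 without printing anything if the machine type is not N2D.
confidential_vm_create_cmd() {
  name=$1; zone=$2; machine_type=$3
  image_family=${4:-ubuntu-2004-lts}; image_project=${5:-ubuntu-os-cloud}
  is_n2d_machine_type "$machine_type" || {
    echo "error: Confidential VMs require an n2d-* machine type, got $machine_type" >&2
    return 1
  }
  printf 'gcloud compute instances create %s --zone=%s --machine-type=%s' \
    "$name" "$zone" "$machine_type"
  printf ' --confidential-compute --maintenance-policy=TERMINATE'
  printf ' --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring'
  printf ' --image-family=%s --image-project=%s\n' "$image_family" "$image_project"
}

# Given the guest's dmesg text, return 0 if the kernel reports SEV active.
# Matches the line printed by arch/x86/mm/mem_encrypt.c in both its older
# ("AMD Memory Encryption Features active: SEV") and newer
# ("Memory Encryption Features active: AMD SEV") wording.
sev_active() {
  case "$1" in
    *"Memory Encryption Features active:"*SEV*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample dmesg excerpts (not captured from a real instance).
SAMPLE_DMESG_SEV='[    0.000000] Linux version 5.4.0-1021-gcp (buildd@lcy01-amd64-023)
[    0.000000] AMD Memory Encryption Features active: SEV
[    0.376158] Booting paravirtualized kernel on KVM'
SAMPLE_DMESG_PLAIN='[    0.000000] Linux version 5.4.0-1021-gcp (buildd@lcy01-amd64-023)
[    0.376158] Booting paravirtualized kernel on KVM'

main() {
  echo "# step 1: create the VM (run this from a workstation with gcloud)"
  confidential_vm_create_cmd cvm-demo us-central1-a n2d-standard-2
  echo "# step 2: inside the guest, confirm memory encryption is on"
  if sev_active "$(dmesg 2>/dev/null || true)"; then
    echo "SEV active"
  else
    echo "SEV not reported by this kernel: do not treat this host as confidential"
  fi
}

main
```

The dmesg check is a configuration check, not an attestation: it reports what the hypervisor exposed to the guest kernel at boot. Run it as part of instance bring-up so that a VM accidentally launched on a non-N2D type, or without `--confidential-compute`, fails loudly instead of quietly processing data in plaintext memory.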
Secure Encrypted Virtualization, built into 2nd Gen AMD EPYC processors, provides an innovative hardware security feature that helps protect data in virtualized environments. To support the new GCE Confidential VMs on N2D, Google worked with AMD to help ensure that customers can protect their data and maintain workload performance. We are excited to confirm that Confidential VMs deliver the same high level of performance as regular N2D VMs across workloads.
Raghu Nambiar, Vice President, Data Center Ecosystem, AMD
Game-changing technology
Confidential Computing can help change how organizations process data in the cloud while preserving confidentiality and security. Among other benefits, organizations will be able to collaborate without compromising the confidentiality of their data sets. Such collaboration could lead to the development of more innovative technologies and ideas; for example, it could allow vaccines to be created faster and diseases to be cured.
We look forward to the opportunities this technology will open up for your organization.
PS This is not the first time Google has introduced a technology that changes the world, and we hope it will not be the last, just as happened recently with Kubernetes. We support and spread Google technologies as much as we can, and train IT specialists in Russia. We are one of the three Kubernetes Certified Service Providers and the only Kubernetes Training Partner in Russia. That is why we run intensive Kubernetes training sessions every spring and autumn. The next intensive runs from the 28th to the 30th.
Source: habr.com