Confidential Computing And Hardware TEEs


Slide 1: Confidential Computing and Hardware TEEs
Raghu Yeluri, Sr. Principal Engineer and Lead Security Architect, Office of the CTO / SATG

Slide 2: Outline
- Confidential Computing (CC)
- Technologies enabling Confidential Computing
- Use-case examples for Confidential Computing
- Challenges with Confidential Computing
- Intel's Project Amber: overview
- Summary

Slide 3: The "Last Mile" Problem with Data
- Protect data at rest: storage encryption
- Protect data in transit: network encryption
- Protect data in use: confidential computing (the remaining "last mile")

Slide 4: Confidential Computing (CC)
- Protection and separation of data processing from the platform owner/administrator
- Any time, any place, any compute: CPU, accelerators and infrastructure, across cloud, edge, and devices & things
- Enables data privacy and governance
- Accelerates cloud transformation for sensitive workloads
- Presented by the speaker as the largest shift in computer security since the 1970s
- Relies on a Trusted Execution Environment (TEE)
Definition used throughout the deck: Confidential Computing is workloads running in a Trusted Execution Environment (TEE) to protect against unauthorized viewing and tampering of code and data.

Slide 5: TEE enables Confidential Computing
What is a TEE? A Trusted Execution Environment (TEE) is a secure area protected by the processor (aka an enclave). The hardware enforces that:
- Code loaded inside the TEE is operator-authorized code.
- Data inside the TEE cannot be read or modified from the outside.
- Both code and data get confidentiality and integrity.
Threats protected against: a malicious or compromised admin; a malicious or compromised tenant of the same hypervisor; a malicious or compromised network; a compromised operating system or BIOS.
[Diagram: two units of isolation. Left, an app-level enclave: apps and OS above a VMM and hardware, with the enclave's TCB excluding the OS and VMM. Right, a VM-level TEE: VM1 and VM2 (apps + OS) above the VMM and hardware, with each VM as the unit of isolation.]
Examples of TEEs: Intel SGX, Intel TDX, AMD SEV-SNP, Arm Realms.
TCB: Trusted Compute Base.

Slide 6: Intel Hardware TEEs
Three deployment models; the trust boundary in each is the software with access to confidential data.
- Intel SGX, bare-metal deployment: enclave apps run alongside ordinary apps on the host OS; only the enclave is inside the boundary. Single tenancy.
- Intel SGX, virtualized deployment: enclave apps run inside a guest OS on top of hypervisor/container libraries and the host OS; still only the enclave is inside the boundary. Multi-tenancy.
- Intel TDX, virtualized deployment: whole guest VMs (apps plus guest OS) are the unit of isolation, above hypervisor/container libraries and the host OS. Multi-tenancy.
Slide captions: SGX gives maximum data isolation; TDX gives the simplest migration of existing software, since the guest OS and applications run unmodified.

Slide 7: Intel SGX: A Trusted Execution Environment for Protecting Data In Use
- Encrypted data in, encrypted results out; unencrypted data exists only inside the enclave.
- Data in use is protected inside a hardware-enforced TEE called an "enclave", which holds trusted, verified application software.
- Designed so that software outside the enclave (the OS and hypervisor, other VMs, malware, and system & VM administrators) cannot access data inside it, even with escalated privileges.
- Enclave configuration and the software load are verified with strong attestation.

Slide 8: Trust Boundary: Smaller is Better
Trust boundary: the people and software with potential access to confidential data.
- Without Confidential Computing: cloud stack & admins, BIOS & firmware, host OS & hypervisor, VM guest admin, guest OS and applications all sit inside the boundary around the confidential data.
- VM isolation (Intel TDX): cloud stack & admins, BIOS & firmware, and host OS & hypervisor move outside the boundary; the VM guest admin, guest OS and applications remain inside with the confidential data.
- App isolation (Intel SGX): everything above, including the guest OS and the rest of the application, is outside the boundary; only the app enclave is inside with the confidential data.

Slide 9: Real World Usages
- Trusted multi-party compute
- Federated learning
- Privacy-preserving analytics
- Blockchain
- Cloud & edge infrastructure
- Key management

Slide 10: Security Challenges
- Side channels
- Physical attacks
- Understanding the TCB and attestation
- Root-of-trust ownership
- Post-quantum crypto hardening

Slide 11: Attestation: Challenges in Today's CC Model
- Linking infrastructure and attestation
- Scaling attestation across vendors and geographies
- Complexity of home-grown attestation
Expanding Confidential Computing requires better attestation solutions.
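Slides 7 and 11 both turn on attestation: the relying party has to verify what was actually loaded into the TEE before it hands over data, and building that verifier yourself is the "home-grown attestation" the slide warns about. The Python below is an added example written for this page; it is not Intel's, Project Amber's, or any SDK's code. It models both sides of the exchange and the checks a verifier must make beyond "the signature is valid". The hardware attestation key is stood in by an HMAC secret (`HW_ATTESTATION_KEY`), the enclave measurement by a SHA-256 of the enclave code in place of MRENCLAVE, and the trusted-build allowlist and all names are constructed assumptions.

```python
"""Minimal remote-attestation exchange: a TEE produces signed evidence and a
relying party verifies it before releasing a secret.

Added example, not code from the slides or from Intel SGX/TDX tooling. The
attestation key is modelled as an HMAC secret shared by the hardware and the
verifier; real TEEs sign with an asymmetric key whose certificate chains to
the silicon vendor, but the verifier's checks have the same shape.
"""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass

# Constructed values for the example; not real Intel keys or measurements.
HW_ATTESTATION_KEY = b"constructed-hardware-attestation-key"  # stand-in for the vendor-rooted signing key
TRUSTED_MEASUREMENTS = {                                       # verifier's allowlist of enclave builds
    hashlib.sha256(b"payment-service-enclave v1.2").hexdigest(): "payment-service 1.2",
}


def measure(enclave_code: bytes) -> str:
    """Hash of the loaded enclave code; stands in for MRENCLAVE."""
    return hashlib.sha256(enclave_code).hexdigest()


def hw_sign(report: dict) -> str:
    """Hardware side: sign a canonical encoding of the report (HMAC stand-in)."""
    canonical = json.dumps(report, sort_keys=True).encode()
    return hmac.new(HW_ATTESTATION_KEY, canonical, hashlib.sha256).hexdigest()


def generate_evidence(enclave_code: bytes, nonce: str, session_pubkey: bytes,
                      debug: bool = False) -> dict:
    """TEE side: report the measurement, the debug flag, and 'report data' that
    commits to the verifier's nonce and the enclave's ephemeral public key."""
    report = {
        "measurement": measure(enclave_code),
        "debug": debug,
        "report_data": hashlib.sha256(nonce.encode() + session_pubkey).hexdigest(),
    }
    return {"report": report, "signature": hw_sign(report)}


@dataclass
class Verdict:
    ok: bool
    reason: str
    build: str = ""


def verify_evidence(evidence: dict, expected_nonce: str, session_pubkey: bytes) -> Verdict:
    """Relying party: each check catches a case a bare signature check misses."""
    report, sig = evidence["report"], evidence["signature"]
    # 1. The evidence chains to the hardware root of trust.
    if not hmac.compare_digest(sig, hw_sign(report)):
        return Verdict(False, "signature does not chain to the hardware root of trust")
    # 2. Freshness and channel binding: report data must commit to our nonce
    #    and to the key we are about to encrypt the secret to.
    expected_rd = hashlib.sha256(expected_nonce.encode() + session_pubkey).hexdigest()
    if not hmac.compare_digest(report["report_data"], expected_rd):
        return Verdict(False, "report data does not match nonce/session key (replay or MITM)")
    # 3. Policy: a genuine enclave running code we do not recognise is still untrusted.
    build = TRUSTED_MEASUREMENTS.get(report["measurement"])
    if build is None:
        return Verdict(False, "unknown enclave measurement")
    # 4. TCB status: a debug enclave offers no confidentiality against the platform owner.
    if report["debug"]:
        return Verdict(False, "enclave running in debug mode")
    return Verdict(True, "attested", build)


def run_exchange(enclave_code: bytes, debug: bool = False, tamper_nonce: bool = False) -> Verdict:
    """Drive both sides: verifier issues a nonce, TEE answers, verifier decides.
    tamper_nonce simulates an attacker replaying evidence made for an old nonce."""
    nonce = os.urandom(16).hex()
    session_pubkey = b"constructed-enclave-ephemeral-pubkey"  # assumption: the enclave's DH/signing key
    evidence = generate_evidence(enclave_code, "stale-nonce" if tamper_nonce else nonce,
                                 session_pubkey, debug)
    return verify_evidence(evidence, nonce, session_pubkey)


if __name__ == "__main__":
    good = b"payment-service-enclave v1.2"
    print(run_exchange(good))                             # attested
    print(run_exchange(b"payment-service-enclave v1.3"))  # unknown measurement
    print(run_exchange(good, debug=True))                 # debug mode
    print(run_exchange(good, tamper_nonce=True))          # replay
```

In a real SGX or TDX deployment the quote is signed with an asymmetric key by a quoting enclave, and the verifier must also walk the vendor certificate chain and compare the reported TCB level against the vendor's published TCB information and revocation data; that is the part that is hard to build and scale across vendors and geographies. The four-step structure above (root of trust, freshness and binding, measurement policy, TCB and debug status) is what carries over, and binding the released secret to the enclave's ephemeral key inside the report data is what stops an attacker from relaying a genuine quote to a channel they control.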

What is Project Amber? An Intel service to remotely verify a

Slide 14: Project Amber 1.0 Objectives (only fragments of this slide survived transcription)
- ... and Intel Trust Domain Extensions (Intel TDX)
- CSP agnostic and multi-cloud deployment
