Friday, January 28 • 11:30am - 12:20pm
Confidential computing with Kata Containers


"Confidential computing" is a set of technologies such as memory or CPU state encryption that are intended to restrict access to the live data in a virtual machine to its legitimate users, to the exclusion of even the physical host or the hypervisor running the virtual machine. "Confidential containers" is the application of such technologies to protect the data in containers. This matters for use cases where the "tenant" running the workloads has legal or business reasons to want the data being processed to be hidden from the infrastructure it is running on.

We will discuss the implementation of confidential containers in the context of the Kata project. The current plan involves multiple important steps:
- Image download needs to be moved within the guest
- A process known as "attestation" allows the tenant to verify what they are running and the platform they run it on
- Separation of the control plane into operations related to host resources and operations related to the owner workloads
We will also provide a progress report on these developments since DevConf.us.

In the second part, we go deeper into how Kata Containers' confidential computing efforts can be integrated with the respective hardware platforms.
Since confidential computing always requires ensuring that confidential data can only be read in a secured context, and the technologies for achieving this vary between vendors, we present a modularised approach that can combine these technologies.
As an example, we show how confidential containers are integrated with Kata using Secure Execution (IBM Z).
We also discuss design approaches for making this technology accessible to tenants. This is not trivial, as a naive approach such as having tenants build entire VM images on specialised hardware does not scale well.

The session will be delivered together with Christophe de Dinechin, Red Hat.

Session chairs: Luca Berton and Katka Prochazkova


Christophe de Dinechin

Senior Principal Software Engineer, Red Hat
Christophe de Dinechin works at Red Hat primarily on Kata Containers and its integration into OpenShift, as well as on Confidential Containers. He co-presented a talk at the KVM Forum 2021 titled "Don't peek into my container". He also has a strong interest in virtualisation, performance...

Jakob Naucke

Software Developer, IBM
Kata Containers, Confidential Containers, IBM Z & LinuxONE

Friday January 28, 2022 11:30am - 12:20pm CET
Session Room 2