mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
Add page on CSPs (#56)
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
This commit is contained in:
parent
43924c7318
commit
d06d403d1d
@ -111,10 +111,10 @@ The Constellation source code is licensed under the [GNU Affero General Public L
[install]: https://docs.edgeless.systems/constellation/getting-started/install
[k8s-version-support]: https://docs.edgeless.systems/constellation/architecture/versions#kubernetes-support-policy
[key-management]: https://docs.edgeless.systems/constellation/architecture/keys
[license]: https://docs.edgeless.systems/constellation/next/overview/license
[license]: https://docs.edgeless.systems/constellation/overview/license
[network-encryption]: https://docs.edgeless.systems/constellation/architecture/keys#network-encryption
[supply-chain]: https://docs.edgeless.systems/constellation/architecture/attestation#chain-of-trust
[security-benefits]: https://docs.edgeless.systems/constellation/next/overview/security-benefits
[security-benefits]: https://docs.edgeless.systems/constellation/overview/security-benefits
[twitter]: https://twitter.com/EdgelessSystems
[whitepaper]: https://content.edgeless.systems/hubfs/Confidential%20Computing%20Whitepaper.pdf
[performance]: https://docs.edgeless.systems/constellation/next/overview/benchmarks
[performance]: https://docs.edgeless.systems/constellation/overview/performance
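Review bot: the `[performance]` reference changes both the version segment (`next/`) and the page slug (`benchmarks` versus `performance`), while `[license]` and `[security-benefits]` change only the version segment; confirm the slug matches the id given to the Performance entry in `sidebars` in this same commit, and decide deliberately whether the public README should link the `next` (unreleased) docs or the released path, since all three references must agree on that.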
43
docs/docs/overview/clouds.md
Normal file
@ -0,0 +1,43 @@
# Feature status of clouds
What works on which cloud? Currently, Confidential VMs (CVMs) are available in varying quality on the different clouds and software stacks.
For Constellation, the ideal environment provides the following:
1. Ability to run arbitrary software and images inside CVMs
2. CVMs based on AMD SEV-SNP (available in EPYC CPUs since the Milan generation) or, in the future, Intel TDX (available in Xeon CPUs from the Sapphire Rapids generation onward)
3. Ability for CVM guests to obtain raw attestation statements directly from the CPU, ideally via a TPM-like interface
4. Reviewable, open-source firmware inside CVMs
(1) is a functional must-have. (2)--(4) are required for remote attestation that fully keeps the infrastructure/cloud out. Constellation can work without them or with approximations, but won't protect against certain privileged attackers anymore.
The following table summarizes the state of features for different infrastructures as of September 2022.
| **Feature** | **Azure** | **GCP** | **AWS** | **OpenStack (Yoga)** |
|-------------------------------|-----------|---------|---------|----------------------|
| **1. Custom images** | Yes | Yes | No | Yes |
| **2. SEV-SNP or TDX** | Yes | No | No | Depends on Kernel/HV |
| **3. Raw guest attestation** | Yes | No | No | Depends on Kernel/HV |
| **4. Reviewable firmware** | No* | No | No | Depends on Kernel/HV |
## Microsoft Azure
With its [CVM offering](https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview), Azure provides the best foundations for Constellation. Regarding (3), Azure provides direct access to remote-attestation statements. However, regarding (4), the standard CVMs still include closed-source firmware running in VM Privilege Level (VMPL) 0. This firmware is signed by Azure. The signature is reflected in the remote-attestation statements of CVMs. Thus, the Azure closed-source firmware becomes part of Constellation's trusted computing base (TCB).
Recently, Azure [announced](https://techcommunity.microsoft.com/t5/azure-confidential-computing/azure-confidential-vms-using-sev-snp-dcasv5-ecasv5-are-now/ba-p/3573747) the *limited preview* of CVMs with customizable firmware. With this CVM type, (4) switches from *No* to *Yes*. Constellation will support customizable firmware on Azure in the future.
## Google Cloud Platform (GCP)
The [CVMs available in GCP](https://cloud.google.com/compute/confidential-vm/docs/create-confidential-vm-instance) are based on AMD SEV but don't have SNP features enabled. This impacts attestation capabilities. Currently, GCP doesn't offer CVM-based attestation at all. Instead, GCP provides attestation statements based on its regular [vTPM](https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext), which is managed by the hypervisor. On GCP, the hypervisor is thus currently part of Constellation's TCB.
## Amazon Web Services (AWS)
AWS currently doesn't offer CVMs. AWS proprietary Nitro Enclaves offer some related features, but [are explicitly not designed to keep AWS itself out](https://aws.amazon.com/blogs/security/confidential-computing-an-aws-perspective/). An experimental version of Constellation exists that runs on Nitro Enclaves.
## OpenStack
OpenStack is an open-source cloud and infrastructure management software. It's used by many smaller CSPs and datacenters. In the latest *Yoga* version, OpenStack has basic support for CVMs. However, much depends on the employed Kernel and hypervisor. Features (2)--(4) are likely to be a *Yes* with Linux Kernel version 6.2. Thus, going forward, OpenStack on corresponding AMD or Intel hardware will be a viable underpinning for Constellation.
## Conclusion
The different clouds and software like the Linux Kernel and OpenStack are in the process of building out their support for state-of-the-art CVMs. Azure has already most features in place. For Constellation, the status quo means that the TCB has different shapes on different infrastructures. With broad SEV-SNP support coming to the Linux Kernel, we soon expect a normalization of features across infrastructures.
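Review bot: the `No*` cell in the Azure row of the feature table has no matching footnote; the asterisk is only explained by the limited-preview paragraph further down in the Microsoft Azure section, so add a one-line footnote directly under the table (for example `*Customizable firmware is available in limited preview; see below.`) or drop the asterisk. Two smaller points: `(2)--(4)` renders as two literal hyphens in Markdown unless a typographic plugin is configured, so write `(2) to (4)` or use a real dash; and since the page's key security claim is which components end up in Constellation's TCB on each cloud (Azure firmware, GCP hypervisor), consider stating that TCB difference in the table caption or the Conclusion so a reader who only skims the table does not miss it.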
@ -45,10 +45,15 @@ const sidebars = {
label: 'Product features',
id: 'overview/product',
},
{
type: 'doc',
label: 'Feature status of clouds',
id: 'overview/clouds',
},
{
type: 'doc',
label: 'Performance',
id: 'overview/benchmarks',
id: 'overview/performance',
},
{
type: 'doc',
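Review bot: the new entry's id `overview/clouds` matches the file added as `docs/docs/overview/clouds.md` in this commit, which is correct; the `Performance` entry, however, changes its id between `overview/benchmarks` and `overview/performance`, and Docusaurus aborts the build when a sidebar references a doc id with no matching file, so confirm the corresponding file under `docs/docs/overview/` exists under the kept name and that the `[performance]` link in the README uses the same slug.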
@ -130,7 +135,7 @@ const sidebars = {
},
{
type: 'doc',
label: 'Use persistent storage',
label: 'Use peristent storage',
id: 'workflows/storage',
},
{
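Review bot: the two versions of this label differ only in spelling (`persistent` versus `peristent`); make sure the line that survives is `label: 'Use persistent storage',`, and since the change is unrelated to the clouds page this commit is about, it would be cleaner as a separate typo-fix commit.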
@ -35,3 +35,4 @@ updatable
proxied
[Ww]alkthrough
WireGuard
Xeon
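Review bot: `Xeon` is appended to what looks like a sorted spell-check word list (`proxied`, `[Ww]alkthrough`, `WireGuard`) and keeps the ordering, which is fine. The new clouds page also introduces `EPYC`, `VMPL`, `vTPM`, `SEV-SNP`, `TDX` and `OpenStack`; if the checker flags any of these on `clouds.md`, they belong in this same list rather than in a later fix-up commit.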