Confidential Computing

Confidential Computing is a technology which allows protection of data in use by using hardware-based Trusted Execution Environment (TEE), the type of environments that provide increased level of security for data integrity, data confidentiality, and code integrity.

1. Confidential Computing with SUSE Manager

The trustworthiness of the TEE is checked with the attestation process. SUSE Manager can be used as an attestation server for the systems registered to it. It generates a report page for the systems which run in this mode. These systems need to be attested and checked on regular base. The history of the past checks is also stored and available per request.

Confidential Computing Attestation depends on the used hardware and environment where the attested systems are running on.

Confidential Computing Attestation is only available on x86_64 architecture.

2. Requirements

Confidential Computing can be set up in an environment with the following characteristics:

  • Attested system (virtual machine) is SLES15 SP6 and bootstrapped to SUSE Manager

  • Hardware must have AMD EPYC Milan CPU or AMD EPYC Genoa CPU

  • BIOS must be configured to allow Confidential Computing attestation

  • Host OS and the virtualization software (KVM and libvirt) must support Confidential Computing.

    At the moment, SLES15 SP6 has Confidential Computing as technical preview.

2.1. Limitations

  • Confidential Computing Attestation is currently implemented only as a technology preview.

  • Secure boot is attested as well. However, currently KVM secure boot and SNP Guest are not working together.

    For the exact steps for setting up and configuring Confidential Computing on your host, refer to the OS Vendor documentation.

3. Use Confidential Computing in SUSE Manager

Procedure: Enabling Attestation Container During the SUSE Manager Installation
  1. The attestation container is enabled during the installation of SUSE Manager with mgradm install podman.

  2. Add the following to file mgradm.yaml.

    coco:
        replicas: 1
Procedure: Enabling Attestation Container After the SUSE Manager Installation
  1. To enable the attestation container after the installation, use the command line parameter mgradm.

  2. Run the command

    mgradm scale --coco-replicas 1
Procedure: Enabling Attestation Container After the SUSE Manager Installation
  1. To disable the already enabled attestation container, run the command:

    mgradm scale --coco-replicas 0
Procedure: Enabling Attestation
  1. For the selected system, go to tab Audit  Confidential Computing  Settings.

  2. Enable the attestation by selecting the toggle button.

  3. In the field Environment Type select the correct option from the drop-down list.

  4. Click button Save to save the changes.

    attestation1
Procedure: Scheduling New Attestation
  1. For the selected system, go to tab Audit  Confidential Computing  List Attestations.

  2. Click Schedule Attestation. The new form opens.

  3. In the field Earliest select the time of running the attestation.

  4. If needed, add the newly created attestation to the action chain by selecting Add to option.

  5. Click button Schedule to save and schedule the new attestation execution.

    attestation2
Procedure: Viewing Attestation Reports
  1. For the selected system, go to tab Audit  Confidential Computing  List Attestations.

  2. Select the report you want to view.

    attestation3
  3. In the column Actions click the icon to open the report. Tab Overview will open.

    attestation4
  4. Move to the next tab SEV-SNP.

    attestation5

3.1. Report Statuses

Attestation reports can have one of the following statuses:

Pending

This is the default status of the scheduled attestation. The report is still not available, either because the process has not yet started or completed.

Successful

When the scheduled attestation creates a report which can be viewed, the status of the process is Successful.

Failed

When the scheduled fails and does not create a report as a result, the status of the process is Failed.