Running Confidential Workloads with Podman - Container Plumbing Days 2023

00:02

all right I think let's get started

00:06

um welcome everyone to the second day of

00:07

container Plumbing

00:09

um so the session we have right now is

00:11

running confidential workloads with

00:13

podman from Sergio if you have any

00:15

questions please um put them in the Q a

00:17

tab so we can go over them after the

00:19

talk um go ahead Sergio

00:22

thank you for the introduction

00:24

um so hello everyone I'm here I'm going

00:28

to present the what we've done so far to

00:31

enable podman to run completing their

00:33

workloads

00:34

but first let's start with a very very

00:37

brief introduction to consider Computing

00:40

this is a complex topic but we are going

00:42

to just to talk about some of the

00:45

highlights uh the uh the formal

00:49

definition is that confidential

00:50

Computing is the protection of data and

00:53

use by performing computation in a

00:55

hardware base at the state structure

00:56

execution environment

00:58

this definition comes from the computer

01:00

Consortium but what does it means in

01:04

practice for us

01:05

well for the case for this we care about

01:08

which is today which is a resultation

01:10

based uh confident that Computing it

01:13

means that we need a hardware that

01:14

provides us with two filters

01:17

uh one is the ability to run virtual

01:20

machines with memory encryption and the

01:23

Integrity protection with ram that is

01:26

both encrypted and protected and

01:29

integrity protected and the other is the

01:31

ability to generate an attestation which

01:35

is a assigned measurement of the memory

01:37

contents in a way that can be provided

01:39

to a third party

01:41

both abilities must be provided they're

01:44

the one with all the other is is not

01:46

used it doesn't make the cut

01:48

we need memory encryption because

01:51

otherwise the host will be able to

01:53

easily extract secrets from these stress

01:56

execution environment

01:58

we need Integrity protection because uh

02:02

in other case the host will be able to

02:04

alter the context of the memory of this

02:07

product distribution environment as such

02:09

potentially alter this Behavior

02:12

and we also need the attestation because

02:14

uh the initial payload that is going to

02:17

be loaded into into this virtual machine

02:20

slash trusted distribution environment

02:22

it needs to be needs to pass through the

02:25

host at some point so if we didn't have

02:28

at the station it will be very easy for

02:30

the host to alter the context of the

02:32

initial payload and in yet malware or

02:35

read on ingest any kind of or written

02:37

any kind of sensitive data

02:38

so uh we need both of them at the same

02:42

time

02:43

now

02:45

uh the truth is that virtual

02:47

efficient-based conventional Computing

02:49

is not exactly new

02:51

um it was at least available on the

02:53

market at least science 2017 uh when AMD

02:57

introduced their free sap servers that

02:59

provided a CV support

03:01

and SCP in the CVS are in Mainland Linux

03:05

and ship enabled in most distributions

03:07

but the truth is that even though it's

03:11

there and it provides some very

03:14

interesting features barely anyone is

03:18

using it in for real

03:20

so we have started a couple years ago we

03:23

started thinking about why was that and

03:26

we came to the conclusion that doing

03:28

computer Computing the right way is

03:31

complicated it's very complicated

03:33

because yes the hardware give us the

03:36

Primitives but it doesn't tell us how to

03:39

use them and what you need to measure

03:42

and how are you going to measure and

03:44

when and you're going to donate the

03:46

attestation those are questions that

03:48

depend heavily on the context

03:51

so we are starting thinking about ways

03:54

in which we can make computer Computing

03:56

more accessible to to the users

03:59

and we thought that instead of trying to

04:03

provide a completely different

04:05

experience and a completely different

04:07

workflow having to introduce these users

04:09

to this workflow

04:10

we could extend an existing workflow

04:14

such as the container workflow which

04:16

many users are very familiar with

04:18

and enable it to actually use computer

04:21

Computing for running this kind of

04:23

sensitive workloads

04:26

and we also noticed that we could very

04:28

easily do that by extending podman and

04:30

CRM and integrating that with lip Iran

04:34

is is a built-in machine monitor written

04:37

in Russ that instead of being a separate

04:41

binary and unexecutable it's provided as

04:44

a dynamic Library so you can link to it

04:47

from other programs and instantly gain

04:49

virtualization and computer Computing

04:52

capabilities

04:55

so now that we had an initial idea we

04:58

also need to Define exactly what are we

05:01

going to provide the uh to the users and

05:03

what's conceptually was a confidential

05:06

overload in our mind

05:08

and we started by sitting in our set of

05:10

goals

05:12

um the first one is that it must be

05:14

compatible with the system container

05:16

tools and workflows obviously this is

05:17

one of the main goals we had and because

05:20

we wanted to reuse the system workflow

05:22

and that was the lead motif

05:24

and this means that uh this kind of

05:26

workloads need to be deployed and

05:29

Service as an obvious image because it

05:32

needs to be something that you can

05:33

manipulate with podman with Builder

05:35

coscopio that you can push into a

05:38

registry and pull it from it so it needs

05:42

to be amazing image

05:43

another requirement is that all the

05:47

information that the the context the uh

05:50

vmm and the hypervisor need to actually

05:54

run this virtual machine has attractive

05:56

accusation execution environment must be

05:58

inside that OCA image it must be

06:01

contained in it with uncon users to need

06:04

to pass any kind of annotations or to do

06:07

any kind of local node configuration

06:10

just to run this kind of workloads we

06:13

want all the information to build

06:14

self-contained in a single image

06:17

but on the other hand we also must meet

06:19

the company that computer requirements

06:20

because otherwise it will be pointless

06:22

yeah and this means that the disk must

06:24

be encrypted and it must be Integrity

06:26

protected there is no use in having a

06:29

ram that is encrypted I'm an integrated

06:31

protective with the storage is not

06:33

protected and encrypted

06:35

and we also need that the memory

06:38

contents must be easy to measure and in

06:41

this context the initially easy to

06:43

measure means that we need to be able to

06:46

easily identify what we need to measure

06:48

uh in this design ECC because all the

06:52

components that need to measure are

06:53

provided by lead piranhas itself

06:56

and another requirement is that the host

06:58

leaks must be limited uh even if that

07:01

means breaking some of the conventional

07:03

container semantics

07:05

in practice this means that we cannot

07:07

support things such as volume mapping

07:09

and we cannot support things such as

07:12

running podman exec and running a new

07:15

Insider container inside a confidential

07:18

overload because that will break the

07:21

walls that we need there to provide the

07:24

configure Computing guarantees

07:29

so

07:31

thinking about these goals we can up

07:33

with this uh with this idea that prayers

07:38

a completed workload must be a regular

07:41

oci image

07:42

because again we need it to be

07:45

compatible with existing container tools

07:46

but it needs to be honestly image that

07:49

contains at least the te specific

07:51

parameters that we need to actually

07:53

deploy it and create a built-on machine

07:55

has attraction trust execution

07:56

environment

07:57

and we need to have a lux encrypted this

08:00

image with the contents of the an

08:02

original oci

08:04

so what this allows us is to for the

08:07

users to provide tools for the user to

08:09

pick and develop their application has a

08:12

regular container and eventually

08:14

transform this container into a

08:17

confidential workload simply by picking

08:19

up the contents of the container and

08:21

putting them into an encrypted this

08:23

image that in turn will be part of

08:25

another a new oci image that will be

08:28

back this conference confidential

08:29

workload

08:42

it has a well-known set of initial

08:44

memory contents because all of them are

08:46

provided the limit around FW which

08:48

provides a minimal kernel minimal Linux

08:50

kernel freeware and an indirectly system

08:54

and this also implies that

08:56

upgrades are very easily are very

08:59

controllable so you just need to

09:01

regenerate the

09:03

measurements once every one you are when

09:07

you update the library set well you have

09:10

the liquor run firmware and this is

09:11

something that can be coordinated very

09:13

easily

09:15

uh this contest doesn't allow any kind

09:17

of horse leaks it's through the network

09:19

the network is the only way in which

09:21

city can communicate with the outside

09:23

and uh the uh of course of course this

09:27

kind of contest provides memory

09:28

encryption and creative protection and

09:30

decision by relying on the underlying

09:32

companies and Computing Hardware

09:34

at this moment we support cbes CB SMP

09:38

which is a whole SUV AMD SUV family and

09:41

we also support TDX

09:47

um and now this is something I would

09:49

like to highlight when we are talking

09:50

about integrating liquid around with

09:52

siren we are not talking about replacing

09:56

the container context with a virtual

09:58

virtualization based context but instead

10:01

we are nesting them so uh when you run

10:06

one of these confidential workloads

10:07

podman and siren will still create the

10:10

container contest it will use c groups

10:13

they will use name spaces they will use

10:14

Easy Linux to create that uh isolated

10:18

context within the host

10:19

and then inside that container contest

10:22

is where Ricky Ram will create the vm-te

10:25

and inside this bntz VM slash T is where

10:30

the confidential world the application

10:31

and the user has developed is going to

10:34

be running

10:35

this means that we are not only

10:37

protecting uh the bmm the trust

10:40

execution agreement against house

10:42

inspection very we are still preserving

10:45

all the security guarantees that are

10:47

container regularly provides

10:49

and there is another nice Advantage for

10:51

this approach and that is that all the

10:54

networking activity that happens in the

10:56

confidential workload

10:58

is going to be perceived from the

11:01

container context has activity that uh

11:03

that could happen from any other process

11:06

within a container context

11:08

in practice this means that if you are

11:10

using sidecars for uh

11:13

injecting rules or or AP table rules or

11:19

for doing uh for taking a measurement of

11:24

the traffic and doing any kind of

11:26

traffic shaping that still works after

11:28

the works you don't need any kind of

11:30

specific support for confidential

11:32

workloads

11:36

now let's take a look at how each data

11:39

context is protected with Comprehensive

11:41

workloads in the center of the image We

11:44

have basically the same thing we've seen

11:45

before but slightly bigger and Jos the

11:49

container context managed by simran then

11:52

the bmte management look around and then

11:54

in the guess OS slash company in their

11:56

workload this vmte access a region of

12:00

memory from the host that is

12:02

transparently encrypted and decrypted by

12:03

the hardware so the if the host tries to

12:07

access this region of memory it will not

12:09

be able to access it or if it can it

12:10

will only find an encrypted garbage this

12:13

depends on the computer Computing

12:15

technology the host is the highways are

12:18

actually providing now there is an

12:21

exception of this Rule and that is where

12:23

will be some regions of memory that will

12:26

be shared with the host and will not be

12:28

encrypted for storing things such as

12:30

Vehicles adjustment and implementation

12:33

detail from a constantial point of view

12:36

we can say that a whole memory encrypted

12:38

that is going to a whole data that is

12:40

potentially sensitive is going to be

12:42

encrypted

12:44

now on the right side we also have the

12:46

storage which can be any kind of

12:48

arbitrary storage you can use with a

12:49

regular container and inside here we

12:52

have the confidential CI we talked

12:54

before which contains the confidential

12:57

workload encrypted this image which is

12:59

this Lux encrypted this image now the

13:02

encryption and decryption will happen by

13:03

software inside the context of the te so

13:07

it's the company sdd the one that will

13:09

be open the labs device and will operate

13:12

all three so the host has no visibility

13:14

of the data in plain text at any moment

13:17

and to be able to open these blacks

13:20

encrypted this image and they guess the

13:23

computer workload will retrieve the

13:25

secrets from this component on the right

13:27

which is the on the left side sorry

13:29

which is called the attestation server

13:32

and now the attestation server is a

13:34

component that is trusted for some

13:37

reason probably pass because it's

13:38

running an IDE we have for a lot of

13:40

reasons we are not going to cover that

13:42

in this talk but is one that stores the

13:46

all the expected maximums for the

13:49

confidential workers we have registered

13:50

in the system

13:52

so once this DEA starts up it will take

13:55

it will ask the hardware to make the to

13:58

take a measurement of the memory

14:00

contents to sign this measurement send

14:02

it and to send it to the gas operating

14:04

system the gos operating system will

14:07

send will contact the attestation server

14:09

with this with this attestation

14:11

signature

14:12

and it will send it to it the

14:15

application server will be verified the

14:16

signature and and compare against this

14:19

Vector measurement and if it matches it

14:22

will pick up the secret and it will send

14:24

it back to the guest operating system to

14:26

the confeder workload to be used to

14:29

unlock the encrypted this image that we

14:31

have in the confidence here on the on

14:33

the right side

14:39

before about this idea of taking a

14:43

regular container regular oci and

14:44

information

14:48

the actual process is fairly simple

14:50

actually so what happens here is that uh

14:54

we need to create a this image which is

14:57

basically a file in the house in the

14:58

context of the uh of the Builder or the

15:01

build operating system

15:03

on this this image we are going to

15:05

format it to relax we are going to

15:06

generate a random encryption key

15:09

we are going to expand the contents of

15:12

the original oci image into this relax

15:15

encrypted volume

15:17

then we are going to create a new oci

15:19

image that contains both this this image

15:22

and the parameters we said before we

15:24

need to actually launch IBM with the

15:28

capabilities

15:29

and once this one is created we are

15:31

going to potentially pass it to

15:33

situation registry and also send both

15:36

the encryption key

15:37

that is need to unlock the storage and

15:40

the measurement and the workload

15:42

parameters to the adaptation server

15:43

we've seen on the previous slide and we

15:46

see here on the bottom

15:50

now uh before jump before jumping into

15:53

the demo uh for the last couple years

15:56

every time I talk about this uh about

15:59

completely workloads I was asked about

16:01

what's the difference with a catacomb

16:03

video containers so this tiny instead of

16:06

waiting for your question I just went

16:08

ahead and made it part of the

16:09

presentation

16:11

so the the main difference from a

16:13

practical point of view between computer

16:16

workloads and configure containers is

16:19

that Kata is able to run multiple

16:22

containers in the same T in the same VM

16:25

well lip conduction Wireless intends to

16:28

run Jazz one container per T by Design

16:35

for supporting all the container all the

16:37

commissioner container semantics now

16:39

this of course comes with with a ghost

16:42

cater containers is computer containers

16:45

is more complex and requires more

16:47

components but it gives you these

16:49

additional features on the other side

16:52

for enabling confidential Network loss

16:54

we just need to add lip kerram which is

16:57

a very small piece of software show an

16:59

already existing stack which allows us

17:01

to meet the uh

17:04

Computing guarantees without very very

17:07

small addition in the stack

17:10

but

17:11

if you ask me honestly

17:14

which one to choose between the others

17:16

it honestly it really depends on what

17:19

you intend to do with them

17:20

if you I'll plan to use uh if you intend

17:23

to deploy to migrate existing container

17:26

deployments Kata will beat you give you

17:28

better compatibility so it's likely that

17:30

it's going to be uh you're going to uh

17:33

find less problems this way

17:36

uh if you intend to do a cloud

17:38

deployment that are going to have that

17:40

potentially going to have many

17:41

containers per board then again

17:44

will provide you with a lower uh

17:47

footprint

17:48

on the other hand if you intend to the

17:50

plus you have a deploy a cloud

17:52

deployment with many single container

17:54

pods or no Pods at all and in the sense

17:57

that everything is just a single

17:58

container or even a container pertinent

18:01

which is the case of function as a

18:03

service then we click around you have a

18:05

lower footprint and such and such a

18:07

lower TCO

18:08

and of course if you are aiming for an

18:12

enclosed deployment which yes they still

18:14

exists uh the uh with the the with

18:18

container workers you just uh can

18:20

leverage on the existing content

18:22

infrastructure and it just uh has a

18:25

little bit of of

18:27

um I just need to add liquid around to

18:28

the mix so it's just uh it allows you to

18:31

do the the to meet the community

18:35

requirements with a very small baggage

18:37

and this is ideal for such thing for

18:40

scenarios for contextual you have uh in

18:43

the in the edge or Automotive or in

18:45

general embedding contexts

18:49

so let's jump now to the demo which is

18:52

going to be live so

18:54

let's hope for the best

18:56

now here I'm connected to an ACB capable

19:00

machine which is an AMD epic server and

19:03

what I have here is a it's a very simple

19:06

golang program which is basically opens

19:10

an HTTP server and service this secret

19:14

through DLS we saw as Nicole

19:17

certificates so what I'm going to do is

19:20

I'm going to generate a regular

19:21

container from it

19:24

okay

19:25

build

19:26

container file

19:30

I'm going to give you the name CPD mode

19:34

okay now I'm going to run this container

19:39

I'm going to just close or 8080

19:45

and CPD mode

19:47

okay and I should be able to contact it

19:51

to obtain the secret

19:58

now

19:59

while this communication via https has

20:03

has been encrypted this is very easy

20:05

from the context of the house to stack

20:08

the secrets from this container so if I

20:12

go ahead and

20:14

inspect the container

20:21

to find out his process ID

20:24

ol and confirm this is basically the

20:29

binary we built before

20:31

and now I can simply done its memory

20:34

contents

20:38

and if I inspect this memory Contents I

20:41

can see

20:47

that the secret is is there in plain

20:49

text

20:52

in addition to attacking you from the

20:54

memory side of things I can also undo

20:56

the similar thing from the storage

20:58

so I'm going to speculative coin again

20:59

once again

21:01

I have the clear process idiot here so

21:04

I'm going to find out this mounts

21:12

okay here they are and let's take a look

21:15

at them and we see that we have here the

21:18

binary again in plain text so we can

21:21

simply

21:26

obtain the secret here too

21:29

so

21:30

in this case these were one of these not

21:33

protected against hosting by inspection

21:35

now we are doing the same thing but this

21:39

time with uh we are going to transform

21:42

this container into a confidential

21:44

workload so what we're going to do is

21:47

we're going to make use of this script

21:49

this tool which is called OC I choose w

21:52

uh ideally this should be uh the uh it

21:56

really will that Builder should be able

21:58

to do this for us but I for now we are

22:00

using this this script

22:02

and

22:03

to this screen we need to provide it

22:05

with the de config

22:07

which is uh we we say before that

22:10

contains the parameters that are needed

22:12

for the hypervisor to actually launch

22:13

this T which contains the workload ID

22:16

the number of pcpus the amount of ram

22:18

the technology we are going to use we

22:21

have right now we are supporting both

22:22

the CV and SMP

22:25

specific data and then the attestational

22:28

URL uh to which the world needs to

22:31

contact you send the measurement and

22:33

obtain the lock secreting change if they

22:35

measurement is successful

22:37

so I'm going to run ca27u

22:42

specifying this container this

22:44

configuration file I'm going to pass the

22:47

ACB certificate this is something

22:48

specific about the CP SMP for instance

22:50

doesn't need this uh this argument

22:53

I'm going to give the original image

22:56

name and I'm going to provide also a new

22:59

oci image which is going to be the same

23:00

one-cw

23:03

now he's asked us to run it into a

23:05

building share which we are going to do

23:06

right away

23:08

and now what it's doing is what we're

23:09

talking for is basically automatically

23:11

creating a file which is this image it's

23:14

going to generate a random encryption

23:16

key it's going to be Larry formatting it

23:18

with relax it's going to mount it

23:21

somewhere copy the contents of the

23:23

original image and then as you can see

23:25

here create a new oci image with the

23:28

this image among all the configuration

23:30

file and in action figure first value

23:33

the under certificate

23:34

now by the at the end of this process it

23:37

will also register it with the

23:38

destination server we will have run

23:40

right here for demonstration purposes

23:44

so we can see here we will save a

23:47

register wordload

23:49

and now we should be able to run it

23:51

using random using a run as a random

23:55

so I'm going to do exactly that

23:59

I'm going to also pass the 8080 board

24:03

CW

24:07

I think we should be it

24:11

now this this 90 will take you longer

24:14

because we are asking the hardware to

24:16

authenticate the memory and generate

24:18

data station I encrypt it but the other

24:21

STC has already done that it has already

24:24

sent the attestation and the measurement

24:26

to the attestation server it has

24:28

received back the receipt back the key

24:31

which has been used to unlock and mount

24:34

the route the Lux encrypted loop system

24:36

and the HTTP server has started yes as

24:39

we it happened in the uh non-encrypted

24:42

in the non-completed world of case

24:44

now I should be able to do call again

24:47

with this one and yes we have the same

24:50

Secret

24:51

but let's try to start a secret the same

24:54

way we did before from memory and both

24:55

storage

24:56

so let's find out the process ID

25:10

and here we find a fin that something

25:12

different because instead of finding our

25:14

hello openshift the example we see that

25:17

this is running with cran-k run which

25:20

means it's running in IBM and more

25:22

precisely an interesting environment in

25:25

this case

25:26

and we can still dump this whole memory

25:29

of this VM of course

25:34

but since the memory is encrypted we

25:37

should not be able to find anything

25:39

interesting

25:41

on it

25:50

and it doesn't now in some cases uh we

25:52

are talking in this case we are we are

25:54

able to dump the memory of the VM of the

25:57

trust execution environment is not of

26:00

use to us because it's encrypted and

26:02

there are other companies Computing

26:03

technology in which directly you can the

26:04

host can not even dump that memory so it

26:08

depends on the computer technology but

26:09

the result is the same is that the host

26:12

is not able to extract plane plain text

26:14

secret find plain text secrets into that

26:16

memory

26:17

so let's try to do the same thing with

26:19

the storage

26:22

proxy

26:24

[Laughter]

26:26

I'm going to do for a flower

26:32

find out the endpoints

26:34

okay here we are

26:36

let's find what it says and this time

26:40

what we have here is not the binary but

26:42

this image that is Lex encrypted

26:47

foreign

26:54

we try to find something interesting on

26:57

it

26:58

we won't be able to do so

27:00

now you may see that we have other

27:03

things here that we haven't talked

27:05

before such as the entry point uh this

27:08

entry point is simply a binary which is

27:10

only mission is to do this

27:12

in case you run it this you attempt to

27:15

run this oci image without uh without

27:18

the k run runtime with a specified

27:20

decline runtime you get this message

27:23

this is the only purpose of it this is

27:26

there are no secrets here there are no

27:27

secrets here and there are no secrets in

27:29

the certification either and the only

27:31

thing is we are in this this encrypted

27:34

image

27:37

and that's basically all I had today uh

27:41

I hope you enjoy it and if you have any

27:42

questions I'll be around

27:45

thank you Sergio um there are two

27:47

questions in the Q a the first one is uh

27:51

t-e-e-l-u-k-s what does it what do these

27:53

acronyms mean

27:55

DEA is a trusted execution environment

27:59

uh which in this particular context it

28:02

means a VM that is using relying on

28:06

Hardware to have memory encryption and

28:08

another station

28:10

and Lex is just uh one of the well the

28:14

main way in which you can encrypt disks

28:16

and Linux is one of the the mechanisms

28:19

to do that

28:21

all right thank you and the next

28:22

question is can libk run coexist with

28:24

running VMS running KVM and or

28:27

virtualbox

28:30

with running what exactly running VMS

28:34

that are running KVM and or virtualbox

28:38

well computer Computing if the question

28:40

is about nesting configure Computing

28:43

does not support this team by Design not

28:45

with the look around not with any other

28:47

technology and now what you can have is

28:50

on the same host uh containers that are

28:53

running with uh with encryption SDS and

28:56

regular containers running with other

28:57

runtimes

29:02

all right um so we are out of time over

29:05

here thank you so much Sergio but I

29:07

think there are two more questions in

29:08

chat if you can just take a quick look

29:10

and answer them

29:12

but yeah thank you all and next session

29:15

is containers on cars