Confidential Computing

Confidential Computing is a technology which allows protection of data in use by using hardware-based Trusted Execution Environment (TEE), the type of environments that provide increased level of security for data integrity, data confidentiality, and code integrity.

1. Confidential Computing with Uyuni

The trustworthiness of the TEE is checked with the attestation process. Uyuni can be used as an attestation server for the systems registered to it. It generates a report page for the systems which run in this mode. These systems need to be attested and checked on regular base. The history of the past checks is also stored and available per request.

Confidential Computing Attestation depends on the used hardware and environment where the attested systems are running on.

Confidential Computing Attestation is only available on x86_64 architecture.

2. Requirements

Confidential Computing can be set up in an environment with the following characteristics:

  • Attested system (virtual machine) is SLES15 SP6 and bootstrapped to Uyuni

  • Hardware must have AMD EPYC Milan CPU or AMD EPYC Genoa CPU

  • BIOS must be configured to allow Confidential Computing attestation

  • Host OS and the virtualization software (KVM and libvirt) must support Confidential Computing.

3. Limitations

  • SLES15 SP6 has Confidential Computing attestation as technology preview.

  • Uyuni has Confidential Computing attestation as technology preview.

  • Secure boot is attested. However, currently KVM secure boot and SNP Guest are not working together.

4. Use Confidential Computing in Uyuni

For the exact steps for setting up and configuring Confidential Computing on your host, refer to the OS Vendor documentation.

Procedure: Enabling Attestation Container During the Uyuni Installation
  1. The attestation container is enabled during the installation of Uyuni with mgradm install podman.

  2. Add the following to file mgradm.yaml.

    coco:
        replicas: 1
Procedure: Enabling Attestation Container After the Uyuni Installation
  1. To enable the attestation container after the installation, use the command line parameter mgradm.

  2. Run the command

    mgradm scale --coco-replicas 1
Procedure: Enabling Attestation Container After the Uyuni Installation
  1. To disable the already enabled attestation container, run the command:

    mgradm scale --coco-replicas 0
Procedure: Enabling Attestation
  1. For the selected system, go to tab Audit  Confidential Computing  Settings.

  2. Enable the attestation by selecting the toggle button.

  3. In the field Environment Type select the correct option from the drop-down list.

  4. Click button Save to save the changes.

    attestation1 v2
Procedure: Scheduling New Attestation
  1. For the selected system, go to tab Audit  Confidential Computing  List Attestations.

  2. Click Schedule Attestation. The new form opens.

  3. In the field Earliest select the time of running the attestation.

  4. If needed, add the newly created attestation to the action chain by selecting Add to option.

  5. Click button Schedule to save and schedule the new attestation execution.

    attestation2 v2
  6. For the selected system, go to tab Audit  Confidential Computing  List Attestations.

  7. Find and select the report you want to view.

    attestation3 v2
  8. After clicking the selected attestation report tab Overview will open.

    attestation4 v2
  9. Move to the next tab SEV-SNP.

    attestation5 v2
  10. Finally, move to the next tab Secure Boot.

    attestation6 v2
Procedure: Viewing Attestation Reports from Audit
  1. From the navigation bar, select Audit  Confidential Computing.

  2. The list of all attestations will be shown in the main panel.

    attestation7 v2
  3. Find and select the report you want to view.

4.1. Report Statuses

Attestation reports can have one of the following statuses:

Pending

This is the default status of the scheduled attestation. The report is still not available, either because the process has not yet started or completed.

Successful

When the scheduled attestation creates a report which can be viewed, the status of the process is Successful.

Failed

When the scheduled fails and does not create a report as a result, the status of the process is Failed.