Canonical joins the confidential computing consortium

Canonical is committed to enabling Ubuntu users to leverage the strong run-time confidentiality and integrity guarantees that confidential computing provides. That is why we are happy to announce we have joined the  confidential computing consortium, a project community at the Linux Foundation that is focused on accelerating the adoption of confidential computing and driving cross-industry collaboration around relevant open source software, standards and tools.

Why confidential computing

A major gap in today’s security paradigm is the lack of protection for data currently in use. Data breaches can occur when data is in use and have various origins, such as malicious insiders with administrative privileges or hackers exploiting bugs or vulnerabilities in privileged system software (such as the OS, hypervisor, or firmware). 


Confidential computing is here to give you back control over the security guarantees of your workloads.  As the consortium explains, confidential computing aims to  “protect data in use by performing computation in a hardware-based Trusted Execution Environment. These secure and isolated environments prevent unauthorised access or modification of applications and data while in use, thereby increasing the security assurances for organisations that manage sensitive and regulated data”.

This privacy-enhancing technology is  here to address the very challenge of run-time insecurity. Instead of trying to make all system software secure, confidential computing takes a simple and pragmatic approach to privacy-enhancing technologies, which just works today. 

See also  What is MongoDB and why use it for modern web applications?

The need for a consortium

Bringing confidential computing to end users is an industry-wide effort that requires the cooperation of several stakeholders. On the hardware side, silicon providers have been investing considerable resources into maturing their Trusted Execution Environment offerings. Just to cite a few, we have Intel SGX, Intel TDX, and AMD SEV on the X86 architecture; TrustZone and the upcoming ARM CCA for the ARM ecosystem; and Keystone for RISC-V architectures, and Nvidia H100 for GPUs.

Image by Mitchell Luo from unsplash

Public cloud providers (PCPs for short) have been one of the main adopters of hardware trusted execution environments. In order to make running confidential workloads easy for their users, PCPs have been focusing on enabling a “shift and lift” approach, where entire VMs can run unchanged within the TEE.  What this means is that developers neither have to refactor their confidential applications nor rewrite them. What this also means is that the guest operating system needs to be optimised to support the user applications to leverage the platform’s underlying hardware TEE capabilities, and to further protect the VM while it’s booting, and when it’s at rest.


This is exactly what Canonical has been working on. 

The confidential Ubuntu portfolio is growing

Thanks to a close collaboration with the many major cloud providers, Ubuntu users can start their confidential computing journey today! On Azure, for example, it only takes a few clicks to enable and use Ubuntu 22.04 Confidential VMs (CVMs).  They are part of the Microsoft Azure DCasv5/ECasv5 series that leverage the latest security extensions of the third generation of AMD CPUs, Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP). 

At Canonical, we believe that confidential computing and privacy enhancing technologies will be the default way of doing computing in the future. This is why our  confidential computing  portfolio is free on all public clouds . Of course, you can always augment your Ubuntu Confidential VMs with Canonical’s Ubuntu Pro services, which offer expanded security maintenance for 10 years,  certified and hardened images and kernel livepatch capabilities.

Part of Canonical’s security commitment

With our work on confidential computing and our collaboration with the members of the  consortium, we are furthering our commitment to security. This is just the beginning of Canonical’s confidential computing journey.  Stay tuned for many more exciting announcements about our expanding portfolio.

More resources

Leave a Comment

Only people in my network can comment.