Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

  1. Blog
  2. Article

Hugo Huang
on 20 September 2023

Start your Ubuntu Confidential VM with Intel® TDX on Google Cloud


Confidential computing directly addresses the question of trust between cloud providers and their customers, with guarantees of data security for guest machines enforced by the underlying hardware of the cloud. According to the Confidential Computing Consortium, confidential computing is the protection of data in use by performing computation in a hardware-based, attested Trusted Execution Environment.

The close technical collaboration between Canonical and Google Cloud ensures that Ubuntu is optimised for Google Cloud operations at scale. Confidential Computing requires multiple pieces to align and we are delighted to offer full Ubuntu support for this crucial capability with Google Cloud. Organizations gain peace of mind that large classes of attacks on cloud guests are mitigated by Confidential Computing.

Intel® Trust Domain Extensions (Intel® TDX)

As an active contributor in confidential computing domain, Intel introduced Intel® Trust Domain Extensions (TDX) to its confidential computing portfolio with the launch of its new 4th Gen Xeon enterprise processors in January, 2023. Intel® Trust Domain Extensions is a combination of hardware and software features that provide isolation and security for virtual machines (VMs) running on Intel processors. Intel® TDX introduces architectural innovations to enable the deployment of hardware-isolated virtual machines (VMs), known as trust domains (TDs). The primary objective of Intel® TDX is to create a robust isolation layer between TDs and the virtual-machine manager (VMM)/hypervisor, as well as other non-TD software, offering comprehensive protection against a wide spectrum of potential threats. These hardware-isolated TDs encompass several critical components, including the Secure-Arbitration Mode (SEAM), which hosts the Intel® TDX module, an Intel-provided, digitally-signed security-services module. Additional features of TDX include:

  • the shared bit in the GPA, 
  • Secure EPT for address-translation integrity, 
  • the Physical-address-metadata table (PAMT) for page management, 
  • the Intel Total Memory Encryption-Multi Key (Intel TME-MK) engine for memory encryption and integrity, 
  • remote attestation 

All of the features are integral to ensuring the security and trustworthiness of TD execution within the Intel® TDX system.

In essence, Intel® TDX, a feature accompanying the latest 4th Generation Intel® Xeon CPUs, empowers you to execute your workloads within a logically isolated hardware-based execution environment in Google Compute Engine C3 machines. This remarkable capability is achieved through TDX’s allocation of a dedicated segment of system memory, which undergoes real-time encryption via an advanced AES-128 encryption engine. Additionally, TDX introduces stringent access control measures that meticulously govern memory access, effectively thwarting external access, including from the cloud’s privileged system software.

How Ubuntu supports Intel® TDX

Intel® TDX requires multiple pieces in the operating system to align with Intel CPUs. Ubuntu supports Intel® TDX through the Linux Stack for Intel® TDX. The Linux stack, denoting the strata of software constituting the Linux operating system, encompasses critical layers:

  • The kernel: At its nucleus, the kernel serves as the foundational pillar of the operating system, furnishing essential services upon which all other software builds.
  • Device drivers: These specialised software components act as intermediaries, facilitating seamless communication between the operating system and the hardware devices within the system.
  • System libraries: An arsenal of system libraries offers a repertoire of shared functions that find widespread utility across applications.
  • Userspace applications: At the outermost realm, userspace applications emerge as the tangible interface through which users engage directly with the system’s functionalities.

How to start your Ubuntu Confidential VM with Intel® TDX on Google Cloud

To get started with confidential computing on Google Cloud Intel® TDX, in the Google Cloud CLI, use instance create subcommand and specify — confidential-compute-type=TDX to select new C3 machines series that uses 4th Gen Intel® Xeon Scalable CPUs and enable Intel® TDX technology. Such as:

gcloud alpha compute instances create INSTANCE_NAME \
  --machine-type MACHINE_TYPE --zone us-central1-a \
  --confidential-compute-type=TDX \
  --on-host-maintenance=TERMINATE \
  --image-family=IMAGE_FAMILY_NAME \
  --image-project=IMAGE_PROJECT \
  --project PROJECT_NAME

Where:

  • MACHINE_TYPE is the C3 machine type to use.
  • IMAGE_FAMILY_NAME is the name of the Confidential VM-supported image family to use, such as Ubuntu 22.04 LTS and Ubuntu 22.04 LTS Pro Server.

In a few seconds, you will enjoy the latest advancements in security technology.

How to start a Ubuntu Pro VM with Intel® TDX pre-enabled

gcloud alpha compute instances create INSTANCE_NAME \
  --machine-type MACHINE_TYPE --zone us-central1-a \
  --confidential-compute-type=TDX \
  --on-host-maintenance=TERMINATE \
  --image=projects/ubuntu-os-pro-cloud/global/images/ubuntu-pro-2204-jammy-v20231213a

Ubuntu Pro offers several benefits aimed at enhancing the experience for businesses and organizations that require additional features, support, and security for their Ubuntu-based infrastructure. Here are some key benefits of Ubuntu Pro:

  1. Enhanced Security: Ubuntu Pro provides advanced security features such as live kernel patching, which allows critical security updates to be applied without rebooting, ensuring continuous uptime and protection against vulnerabilities.
  2. Extended Maintenance and Support: Subscribers to Ubuntu Pro receive long-term support (LTS) with ten years of maintenance, including essential security updates, bug fixes, and patches. This prolonged support period ensures stability and reliability for enterprise environments.
  3. FIPS and CIS Compliance: Ubuntu Pro includes compliance with security standards like FIPS (Federal Information Processing Standard) and CIS (Center for Internet Security), making it suitable for industries with stringent regulatory requirements such as government agencies and financial institutions.

Additional resources for confidential computing:

Related posts


Hugo Huang
2 October 2024

Launching Your Ubuntu Confidential VM with Intel® TDX on Google Cloud: A Guide to Enhanced Security

Ubuntu Article

In the world of cloud computing, we rely on abstraction layers to manage complex systems. While this simplifies development, it also creates vulnerabilities for sensitive data. Traditionally, privileged software within the cloud has access to your data, and could pose a significant security risk, if not managed properly. But there’s a new ...


Canonical
14 December 2023

Canonical and Intel’s strategic collaboration brings you confidential computing with Intel® TDX on Ubuntu

Canonical announcements Article

Ensuring data security at run-time has long been an open computing challenge and a tough problem to solve. This gap arises because data must be decrypted in system memory for processing, even when it is stored encrypted. This exposes it to a large attack surface of threats posed by potentially malicious system software, such as ...


ijlal-loutfi
3 November 2023

Intel® TDX 1.0 technology preview available on Ubuntu 23.10

Confidential computing Confidential computing

Today’s security landscape faces a significant challenge: the lack of adequate protection for data in active use. Data breaches can happen at runtime (that is, when computation is taking place on a machine’s main memory), stemming from a range of vectors such as malicious insiders with elevated privileges or hackers exploiting vulnerabili ...