
Introduction

Confidential computing protects data while it is being processed, by running the workload inside a hardware-based trusted execution environment rather than relying on the OS or hypervisor alone. The Arm-based processors used for confidential computing here build that environment on Arm TrustZone technology.

Trusted execution environments (TEEs) in traditional TrustZone solutions are designed for terminal (end-user) devices: a trusted application (TA) can run in the TEE OS only after the device vendor has authorized it, so such TEEs cannot serve general-purpose computing. The TEE Kit is a next-generation confidential computing technology implemented at the virtual machine (VM) level. It is compatible with the existing application ecosystem and extends confidential computing from the application layer to the OS layer, so whole guest operating systems, not just individual TAs, run protected. This document describes the software architecture and features of the Confidential Computing TEE Kit powered by the new Kunpeng 920 processor model, how to set up the TEE Kit environment, and how to use confidential virtual machines (cVMs).

Table 1 TEE features (for each feature: name, feature description, application scenario)

Remote attestation
  Feature description: Proves the trustworthiness of cVMs and of the confidential computing platform to users, including:
    • whether a cVM is running in a genuine confidential computing environment
    • whether the cVM (its image or runtime state) has been tampered with
  Application scenario: Confidential cloud hosts and secure database enclaves

Full-disk encryption (FDE)
  Feature description: Encrypts the entire disk partition of a cVM to protect sensitive data in the cVM image at rest.
  Application scenario: Drive and database encryption

Sealing key
  Feature description: Derives a key inside the cVM that is bound to that cVM. The sealing key is stable across cVM restarts, so data sealed with it can be recovered after a reboot but not by a different cVM.
  Application scenario: Drive and database encryption

Confidential device passthrough
  Feature description: Moves PCIe devices into the confidential computing environment and passes them through to cVMs, protecting data in transit between the device and the cVM from the host.
  Application scenario: AI model protection, confidential cloud hosts, and secure database enclaves

Confidential containers
  Feature description: Protects containers end to end by combining the core capabilities of cVMs with the basic functions provided by the Kata Containers and CoCo (Confidential Containers) communities, such as image encryption and decryption, signature verification, and remote attestation.
  Application scenario: AI model protection, serverless, and PaaS

Secure memory encryption
  Feature description: Implements transparent memory encryption for TEEs, keyed from the hardware root key, so guest memory is never in plaintext outside the processor.
  Application scenario: Prevention of near-end (physical) attacks on memory

SM acceleration
  Feature description: Improves the performance of SM (ShangMi) cryptographic algorithms and offloads them to the Kunpeng Accelerator Engine (KAE) from inside cVMs.
  Application scenario: Secure database enclaves and cryptographic computing

DPDK-OVS network acceleration
  Feature description: Attaches vhost-user devices to cVMs to accelerate networking through DPDK-based Open vSwitch.
  Application scenario: Encrypted cloud hosts

Cloud management platforms
  Feature description: Manages cVMs on the OpenStack cloud platform, giving them access to compute, storage, and network virtualization services.
  Application scenario: Encrypted cloud hosts

Live VM migration
  Feature description: Migrates running cVMs between nodes. Not available for cVMs that use device passthrough.
  Application scenario: Encrypted cloud hosts
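The remote attestation entry in Table 1 names two properties a verifier must establish: that the cVM runs in a genuine confidential computing environment, and that it has not been tampered with. The following is an added example, not code from the TEE Kit or from Kunpeng, showing the verifier-side logic with a constructed report format. The report field names, the nonce exchange and the HMAC "signature" are assumptions standing in for the platform's real signed report; a production verifier checks an asymmetric signature chained to the hardware vendor's key instead of a shared secret. Checks run in the order a verifier needs: authenticate the report first, then freshness, then platform type, then the image measurement against known-good policy.

```python
"""Verifier-side checks for a cVM remote attestation report (added example).

Assumed report layout: {"nonce", "platform", "measurement"}, signed as a whole.
The shared PLATFORM_SIGNING_KEY is a stand-in for the platform's signing key.
"""
import hashlib
import hmac
import json
import secrets

# Assumption: key under which the attesting platform signs reports.
PLATFORM_SIGNING_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def measure(image: bytes) -> str:
    """Constructed measurement: SHA-256 of the cVM image bytes."""
    return hashlib.sha256(image).hexdigest()


# Verifier policy: the known-good measurement of the constructed cVM image.
EXPECTED_MEASUREMENT = measure(b"constructed cVM image v1")


def canonical(report: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def new_nonce() -> str:
    """Fresh verifier nonce; binds the report to this attestation session."""
    return secrets.token_hex(16)


def attest(measurement_hex: str, nonce_hex: str, key: bytes = PLATFORM_SIGNING_KEY,
           platform: str = "confidential") -> dict:
    """Model the attester side: emit a report bound to the verifier's nonce.

    `platform` reports whether the VM was launched as a cVM; `key` lets the
    test model a report that was not produced by the trusted platform.
    """
    report = {"nonce": nonce_hex, "platform": platform, "measurement": measurement_hex}
    sig = hmac.new(key, canonical(report), hashlib.sha256).hexdigest()
    return {"report": report, "signature": sig}


def verify(evidence: dict, nonce_hex: str, expected_measurement: str):
    """Return (ok, reason). Every field is trusted only after the signature check."""
    report = evidence.get("report", {})
    expected_sig = hmac.new(PLATFORM_SIGNING_KEY, canonical(report), hashlib.sha256).hexdigest()
    # 1. Genuine platform: only the holder of the platform key can produce this.
    if not hmac.compare_digest(evidence.get("signature", ""), expected_sig):
        return False, "signature invalid: report not produced by a trusted platform"
    # 2. Freshness: a report for another nonce may be a replayed old report.
    if report.get("nonce") != nonce_hex:
        return False, "nonce mismatch: stale or replayed report"
    # 3. Confidential environment: the signed flag says the VM is a cVM.
    if report.get("platform") != "confidential":
        return False, "cVM is not running in a confidential computing environment"
    # 4. Integrity: measured image must equal the known-good image.
    if not hmac.compare_digest(report.get("measurement", ""), expected_measurement):
        return False, "measurement mismatch: cVM image has been modified"
    return True, "ok"


if __name__ == "__main__":
    nonce = new_nonce()
    print(verify(attest(EXPECTED_MEASUREMENT, nonce), nonce, EXPECTED_MEASUREMENT))
    print(verify(attest(measure(b"tampered image"), nonce), nonce, EXPECTED_MEASUREMENT))
```

A verifier that skipped step 1 or 2 would accept a replayed report from an earlier, untampered boot, which is why the nonce is generated per session and checked only after the signature authenticates it.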