Explore the intricacies of hardening Linux guest systems for confidential cloud computing in this 50-minute technical deep dive presented by Elena Reshetova from Intel. Delve into the evolving security landscape where cloud tenants no longer need to trust the software stack provided by Cloud Service Providers. Examine the efforts to enhance the mainline Linux kernel for use as a secure VM guest kernel, focusing on the treatment of individual kernel subsystems and communication mechanisms. Learn about implemented hardening security mechanisms and gain insights from fuzzing and manual code audit activities. Discover open-source tools and documentation for the project, and engage with discussion points on memory management, transit execution attacks, and other critical aspects of Linux guest hardening for confidential cloud environments.
Hardening Linux for Confidential Cloud Computing - Deep Dive and Results
Overview
Syllabus
Introduction
Agenda
Why Harden
Methodology
Approach
MSR
cpids
portal
mmio
PCI config space
KVM specific inputs
Shared Memory
Randomness
Timers
ICPI
Panic
Memory Management
Transit Execution Attacks
Example
Results
Discussion Point
Documentation
Taught by
Linux Foundation
