It’s been a busy time since we announced Enarx and our vision for running workloads more securely to the world in August 2019. At the time, we had produced a proof of concept demo, creating and attesting a Trusted Execution Environment (TEE) instance using AMD’s Secure Encrypted Virtualization (SEV) capability, encrypting a tiny workload (literally a few instructions of handcrafted assembly language) and sending it to be executed. Beyond that, we had lots of ideas, some thoughts about design, and an ambition to extend the work to other platforms. And since then, a lot has happened, from kicking off the Confidential Computing Consortium to demos with AMD’s SEV and Intel’s Software Guard Extensions (SGX), from contributor improvements to the recent efforts to provide a Wasm module for multiple silicon vendor architectures.
Continue reading “Enarx – project maturity update”
If you run software on someone’s servers, you have a problem. You can’t be sure your data and code aren’t being observed, or worse, tampered with — trust is your only assurance. But there is hope, in the form of Trusted Execution Environments (TEEs) and a new open source project, Enarx, that will make use of TEEs to minimize the trust you need to confidently run on other people’s hardware. This article delves into this problem and into how TEEs work and what their limitations are, providing a TEE primer of sorts and explaining how Enarx aims to work around these limitations. It is the next in a series that started with Trust No One, Run Everywhere–Introducing Enarx.
Continue reading “Current Trusted Execution Environment landscape”
When you run a workload as a VM, container or in a serverless environment, that workload is vulnerable to interference by any person or software with hypervisor, root or kernel access. Enarx, a new open source project, aims to make it simple to deploy workloads to a variety of trusted execution environments (TEEs) in the public cloud, on your premises or elsewhere, and to ensure that your application workload is as secure as possible.
When you run your workloads in the cloud, there are no technical barriers to prevent the cloud providers–or their employees–from looking into your workloads, peeking into the data, or even changing the running process. That’s because when you run a workload as a VM, container or serverless, the way that these are implemented means that a person or software entity with sufficient access can interfere with any process running on that machine.
Continue reading “Trust No One, Run Everywhere–Introducing Enarx”
As people move workloads to shared and public cloud environments, what methods are available to attest that their environment has not been tampered with? Is there a good way to use a standardized cryptographic module to do remote attestation, trusted system boot, and so on?
In this post we’ll introduce the Keylime project in some detail, and save a technology demo for a following hands-on article.
Keylime is an open source community-based project endeavoring to be the go-to technology for establishing and maintaining trusted infrastructure in distributed system deployments via two technologies: the use of embedded Trusted Platform Module (TPM) hardware (version 2 and later); and the Linux kernel subsystem – Integrity Measurement Architecture (IMA).
Continue reading “Keylime: Using TPM to Secure Your Slice of the Cloud”
In this video from the Red Hat Summit 2018, Chief Security Architect Mike Bursell takes an enthusiastic look at three open source security technologies: DevSecOps, serverless computing, and Trusted Execution Environments.
These technologies are examples of where Red Hat’s long view is aimed for the security realm.
Continue reading “Getting Strategic About Security”
The goal of the Keylime project is to connect the features of Trusted Platform Modules (TPMs) and cloud computing. Keylime is a scalable trusted cloud key management system, providing an end-to-end solution for both bootstrapping hardware-rooted cryptographic identities for Infrastructure-as-a-Service (IaaS) nodes and for system-integrity monitoring those nodes via periodic attestation. Keylime extends the attestation capabilities of the TPM into the cloud, allowing tenants to verify that their applications, operating systems, and everything down to the hardware have not been tampered with.
A TPM (Trusted Platform Module) is a chip, present in most modern computers, that can perform various cryptographic operations in a tamper-proof fashion. In particular, through UEFI secure boot, a TPM can be used to verify at boot time that anything from the firmware up through the kernel and applications has not been modified from what the distributor originally shipped.
Continue reading “Building trust in cloud computing with Keylime”
In this video from Red Hat Summit 2018, Red Hat Chief Technology Officer Chris Wright gives a view into the future direction of Red Hat technologies.
Continue reading “Charting New Territories with Red Hat”
At the first signs of Spring, all Red Hatters turn at least one eye toward Red Hat Summit. Over the years, we’ve had many conversations with attendees about what kind of information and perspectives they’d like to hear at Summit. We learned that attendees appreciated the actionable technical information they received, but that they were interested in getting some insight into Red Hat’s point of view on emerging technology trends and their thoughts on the future. That was the motivation behind a new set of sessions from the Office of the CTO that we’re very excited to announce.
Continue reading “Introducing the Red Hat Summit Office of the CTO Sessions”
Blockchain is everybody’s latest buzzword–right up there with AI and IoT–but what does it mean, and how is it relevant to the enterprise?
The answer to those questions is likely “a lot,” but before we get to that, let’s define what a blockchain is–and isn’t.
Continue reading “The Long View on Blockchain”
If you could visualize the code that comprises our current technology landscape, you might imagine in your mind’s eye a glowing field of interconnected lines with bright bits of information flowing along the lines’ paths. Here and there, you might see flaws in the network–places where human error has introduced gaps and openings among the lines.
Continue reading “Open Source Strength Within Distributed Weakness Filing”