Update AMD Use-Cases #279
Update AMD Use-Cases #279
Conversation
Draft updating the AMD use-case reflecting SEV deprecation. Signed-Off-By: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
✅ Deploy Preview for katacontainers ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
I think the changes in the first paragraph are good. The second paragraph I feel like it could use some work. We don't need to reference work from 7 years ago. Furthermore, the "in process of investing" - I feel like that needs to be made more current. We are investing in development of Kata and the like. |
| ## AMD | ||
|
|
||
| With confidential computing, customers have to have absolute trust that data is not being exposed. In regulated environments, where governments are putting stricter rules like heath data in place, it has to be ascertained that the hypervisors can get access to the data, but it sees no value in it. Encryption plays a key role so the confidential or container based workloads can be coupled with the technologies that are coming out like AMD Secure Encrypted Virtualization (SEV). | ||
| With confidential computing, customers have to have absolute trust that data is not being exposed. In regulated environments, where governments are putting stricter rules like heath data in place, it has to be ascertained that the hypervisors can get access to the data, but it sees no value in it. Encryption plays a key role so the confidential or container based workloads can be coupled with the AMD Secure Encrypted Virtualization - Secure Nested Paging (SEV-SNP) family of technologies. Initially, Kata Containers had offered dedicated support for both SEV and SNP. However, since our customers' needs have evolved, SEV support has been deprecated, and the focus has shifted to the more advanced Secure Nested Paging (SNP), which builds on SEV by adding strong memory integrity protection to prevent malicious hypervisor-based attacks. |
There was a problem hiding this comment.
| With confidential computing, customers have to have absolute trust that data is not being exposed. In regulated environments, where governments are putting stricter rules like heath data in place, it has to be ascertained that the hypervisors can get access to the data, but it sees no value in it. Encryption plays a key role so the confidential or container based workloads can be coupled with the AMD Secure Encrypted Virtualization - Secure Nested Paging (SEV-SNP) family of technologies. Initially, Kata Containers had offered dedicated support for both SEV and SNP. However, since our customers' needs have evolved, SEV support has been deprecated, and the focus has shifted to the more advanced Secure Nested Paging (SNP), which builds on SEV by adding strong memory integrity protection to prevent malicious hypervisor-based attacks. | |
| With confidential computing, customers have to have absolute trust that data is not being exposed. In regulated environments, where governments are putting stricter rules like heath data in place, it has to be ascertained that the hypervisors can get access to the data, but it sees no value in it. Encryption plays a key role so the confidential or container based workloads can be coupled with the AMD Secure Encrypted Virtualization - Secure Nested Paging (SEV-SNP) family of technologies. Following our customers' needs, we are working upstream with the Kata Containers community to focus on the more advanced Secure Nested Paging (SNP) technique, which builds on SEV by adding strong memory integrity protection to prevent malicious hypervisor-based attacks. |
There was a problem hiding this comment.
I suggest to remove the notes about deprecation, as it is too detailed information for this page. It could be described in a blog post in more detail if y'all see value in that.
| With confidential computing, customers have to have absolute trust that data is not being exposed. In regulated environments, where governments are putting stricter rules like heath data in place, it has to be ascertained that the hypervisors can get access to the data, but it sees no value in it. Encryption plays a key role so the confidential or container based workloads can be coupled with the technologies that are coming out like AMD Secure Encrypted Virtualization (SEV). | ||
| With confidential computing, customers have to have absolute trust that data is not being exposed. In regulated environments, where governments are putting stricter rules like heath data in place, it has to be ascertained that the hypervisors can get access to the data, but it sees no value in it. Encryption plays a key role so the confidential or container based workloads can be coupled with the AMD Secure Encrypted Virtualization - Secure Nested Paging (SEV-SNP) family of technologies. Initially, Kata Containers had offered dedicated support for both SEV and SNP. However, since our customers' needs have evolved, SEV support has been deprecated, and the focus has shifted to the more advanced Secure Nested Paging (SNP), which builds on SEV by adding strong memory integrity protection to prevent malicious hypervisor-based attacks. | ||
|
|
||
| With the 2018 Kata Containers prototype that AMD has had in place with the SEV technology, it’s been possible for AMD to offer confidentiality, meaning that they can turn it on and the containers would run in an encrypted mode. Teams at AMD are currently in the process of investing in Kata Containers. They are working with the community and teams at IBM to further explore needs and opportunities for confidential computing technology. |
There was a problem hiding this comment.
I agree with Ben's comments regarding this paragraph. It would be great to refresh this with some new information and developments.
|
Getting back to this, please correct the spelling of health.
I would add in that it's not just governments putting in stricter regulations like health data. There are governing bodies like PCI Security Standards Council, Cloud Security Alliance, etc. Not all environments are regulated, so we need to reflect that in the writeup as well. Also, I don't love this statement, In SNP, the hypervisor does not have access to the data in memory for the SNP-enabled VM. It's not a question of seeing value, but being able to see it at all. And if it can see anything, what is seen (actual data, nothing at all, or just a dump of ciphertext that's hidden behind a string of zeroes (0)? |
Draft updating the AMD use-case reflecting SEV deprecation.