Ubuntu confidential VMs with Intel® TDX are now in public preview on Azure

ijlal-loutfi

on 12 December 2023

The Canonical confidential computing team is excited to unveil the public preview of Ubuntu Confidential VMs with Intel® Trust Domain Extensions (Intel TDX) on Microsoft Azure, as part of the DCesv5 and ECesv5-series VMs. These VMs leverage the cutting-edge capabilities of 4th Gen Intel Xeon Scalable processors equipped with Intel TDX, and they are ready for you to explore right now. This marks a significant achievement in Ubuntu’s mission to drive the future of confidential public clouds.

Confidential computing threat model

Confidential computing aims to bring about a fundamental shift in the traditional threat model of public clouds. Traditionally, any vulnerability within the millions of lines of code in the cloud’s privileged system software (OS, hypervisor, firmware) would systematically compromise the confidentiality and integrity of your running code and data. The same could be said for any undue access to your VM and/or its platform by a malicious cloud administrator.

Ubuntu Confidential VMs (CVMs) are here to give you back control over the security guarantees of your VMs. They do this by allowing you to run your workload within a logically isolated, hardware-rooted execution environment.

Intel Trust Domain Extensions

Intel® TDX carves out a portion of system memory that is encrypted at run time by a new AES-128 encryption engine, and adds new access-control checks that mediate every access to this memory and prevent external access to it, even from the cloud’s privileged system software.

Ubuntu confidential VMs

With this launch, Ubuntu Server 22.04 LTS confidential VMs also support full disk encryption and offer an extensive range of remote attestation options. These CVMs integrate seamlessly with Microsoft Azure Attestation and incorporate Intel Trust Authority, catering to enterprises that want attestation independent of the cloud operator.

In parallel, Microsoft Azure has also enriched Ubuntu CVMs with important integrity features, including boot-time attestation and confidential disk encryption with enterprise key management options for PMK (platform-managed key) and CMK (customer-managed key) using Managed HSM with FIPS 140-2 Level 3 validation.

Last but not least, Ubuntu 22.04 confidential VMs also support ephemeral vTPMs and ephemeral OS disks: the OS disk can be placed on the VM’s OS cache disk or on its temp/resource disk, so it never has to be saved to remote Azure Storage, and the vTPM generates fresh cryptographic material each time the VM boots. This lets organisations start building remote attestation protocols with reduced dependency on the underlying cloud infrastructure.
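To make the two sections above concrete, here is an added example, not code from Canonical, Microsoft or Intel, that a practitioner can run inside a freshly provisioned guest to confirm it is actually a TDX trust domain with a vTPM before building an attestation flow on top of it. It assumes (none of this is stated in the post) that the guest kernel advertises the `tdx_guest` CPU flag in `/proc/cpuinfo`, logs `Memory Encryption Features active: Intel TDX` at boot and exposes `/dev/tdx_guest`, and that the vTPM appears as `/dev/tpmrm0` or `/dev/tpm0`. The two cpuinfo samples at the bottom are constructed for offline testing, not captured from a real VM.

```shell
#!/bin/sh
# Added example for this post (not Canonical's, Microsoft's or Intel's code): guest-side
# checks that an Ubuntu VM is running as an Intel TDX trust domain with a vTPM attached.
# Assumptions (not stated in the post): the guest kernel carries TDX guest support,
# which advertises the "tdx_guest" flag in /proc/cpuinfo, logs
# "Memory Encryption Features active: Intel TDX" at boot and exposes /dev/tdx_guest
# (the TD report interface); the vTPM is exposed as /dev/tpmrm0 or /dev/tpm0.
#
# Caveat that matters under the post's threat model: everything below is observed
# through interfaces the hypervisor controls, so a hostile host could fake the flag,
# the log line and the device nodes. These checks catch misconfiguration (for example
# a general-purpose VM size instead of a DCesv5/ECesv5 CVM); the trust decision must
# come from remote attestation, i.e. a TD quote verified by Azure Attestation or
# Intel Trust Authority on a machine you control.

# Does a cpuinfo-format file ($1, default /proc/cpuinfo) advertise the tdx_guest flag?
cpuinfo_has_tdx_flag() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]tdx_guest([[:space:]]|$)' "${1:-/proc/cpuinfo}"
}

# Does a kernel log file ($1, default: live dmesg output) report TDX memory encryption?
kernel_log_reports_tdx() {
    pattern='Memory Encryption Features active: Intel TDX'
    if [ -n "$1" ]; then
        grep -q "$pattern" "$1"
    else
        dmesg 2>/dev/null | grep -q "$pattern"
    fi
}

# Is a character device present at $1? (TD report interface or vTPM resource manager)
char_device_present() {
    [ -c "$1" ]
}

# Run all checks against the live system: print one line per check and return
# non-zero if anything is missing, so this can gate a provisioning pipeline.
check_tdx_guest() {
    status=0
    if cpuinfo_has_tdx_flag; then
        echo "ok:      tdx_guest flag in /proc/cpuinfo"
    else
        echo "MISSING: tdx_guest flag in /proc/cpuinfo"; status=1
    fi
    if kernel_log_reports_tdx; then
        echo "ok:      kernel reports Intel TDX memory encryption"
    else
        echo "MISSING: TDX line in kernel log (reading dmesg may need root)"; status=1
    fi
    if char_device_present /dev/tdx_guest; then
        echo "ok:      /dev/tdx_guest present (TD report / quote interface)"
    else
        echo "MISSING: /dev/tdx_guest"; status=1
    fi
    if char_device_present /dev/tpmrm0 || char_device_present /dev/tpm0; then
        echo "ok:      vTPM device present"
    else
        echo "MISSING: vTPM device (/dev/tpmrm0 or /dev/tpm0)"; status=1
    fi
    return $status
}

# Constructed cpuinfo samples (not captured from a real VM) for exercising the flag
# parser offline: a TDX guest's flags line contains tdx_guest, a plain VM's does not.
SAMPLE_TDX_CPUINFO='processor : 0
vendor_id : GenuineIntel
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl tsc_reliable nonstop_tsc cpuid pni pclmulqdq tdx_guest ssse3 fma cx16 pcid sse4_1 sse4_2 movbe popcnt aes xsave avx rdrand'
SAMPLE_PLAIN_CPUINFO='processor : 0
vendor_id : GenuineIntel
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl'

# Run the live checks when executed as a script; the script's exit status is the check's.
check_tdx_guest
```

Run it as `sh tdx_check.sh` inside the guest; a zero exit status only means the guest kernel sees what a TDX guest should see. The relying party still has to obtain a TD quote through `/dev/tdx_guest` (or the Azure attestation client) and verify it against Azure Attestation or Intel Trust Authority, because under the threat model described earlier the hypervisor, not the guest, controls every local indicator this script reads.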

Try Ubuntu confidential VMs today

Intel TDX Ubuntu Confidential VMs on Azure are a key step towards building a strong foundation for a zero-trust security strategy in the cloud. Try Ubuntu Confidential VMs on Azure today and experience the future of cloud security. We’re excited to hear your feedback.
