Add basic support for CVM scenario #3947
base: master
Conversation
Hi @yuguorui; thanks for this. I have been following the various forms of secure compute for a while, so this is an interest. I think you might be based on some old commits. I see 9 commits here, and 1,140 files changed, when I can see many of those are changes that already exist. Can you check that out, see if you need to rebase, and then bring it down to just the important commit(s)? If it is a lot of changes, but they can be done in sequence, then we can have separate commits. I am looking forward to having this in.
Thank you for your positive opinion, it means a lot to me. I will rearrange the commits as soon as possible to meet your requirements.
88fcc38 to b0cb1d5
Currently, the most SOTA confidential virtual machine technologies, such as Intel TDX and AMD SEV-SNP, require at least v5.19 kernel version. Update the kernel version so that the image built by linuxkit can be started in the TDX or SNP environment. Signed-off-by: Guorui Yu <GuoRui.Yu@linux.alibaba.com>
Linux kernel reports "Initramfs unpacking failed: read error" when the size of initrd is larger than 4GiB, which is verified both on anolis-5.10 and latest v6.5 upstream kernel. Signed-off-by: Guorui Yu <GuoRui.Yu@linux.alibaba.com>
Signed-off-by: Guorui Yu <GuoRui.Yu@linux.alibaba.com>
Since the EFI format is basically a vfat format, it cannot support individual files larger than 4GiB in size, which makes larger initramfs unable to be stored. But grub is here to save us. Grub supports ext 3/4, and ext 3/4 can undoubtedly support files larger than 4GiB. By constructing two partitions, an EFI partition and an ext4 partition, an initramfs larger than 4GiB can be achieved. Signed-off-by: Guorui Yu <GuoRui.Yu@linux.alibaba.com>
Signed-off-by: Guorui Yu <GuoRui.Yu@linux.alibaba.com>
b0cb1d5 to aff9f5f
I have removed the patch "Add image push support for Alibaba Cloud" section. It introduced too many changes due to the new dependencies, which leads to an update of the vendor directory. I think this PR should look more readable.
Yes, this looks easier and cleaner. Probably should squash it to a single commit. I will comment inline with some questions.
```sh
git clone https://github.com/linuxkit/linuxkit.git
cd linuxkit
git fetch origin pull/3947/head:cvm && git checkout -b cvm
```
This mostly should go away. This describes how to do it as long as the PR is open. The assumption of the PR is that this will merge into master soon.
Can you explain the structure of the changes in here?
Thanks
- What I did
Confidential virtual machines are a security technology currently being invested in by major CSPs. [1] [2] [3]
It aims to minimize the security impact of the CSP itself on tenant VM instances. By encrypting and isolating memory, registers, interrupt handling, etc., CSPs or unauthorized third parties will not be able to view customer data running on their platforms. The current mainstream confidential virtual machine technologies include: Intel TDX and AMD SEV-SNP, etc.
We believe that immutable distributions like linuxkit are the key technology to support CVM scenarios, because traditional distributions contain too much software (which will lead to unacceptable TCB sizes) and include by default programs that may be considered backdoors in CVM scenarios (such as cloud-init), and cannot be easily rebuilt, etc.
There is a significant benefit of using LinuxKit. Packaging the application into an initramfs can simplify the measurement of the application (by grub) to keep its integrity without resorting to other complex mechanisms (such as IMA).
So I added basic CVM support to linuxkit.
- How I did it
I mainly did the following work:
Add Alibaba Cloud image upload support, which supports Intel TDX currently. (Temporarily removed for readability.) Please note step 2 is not necessary, but in practice we find that some applications often require larger initramfs, such as LLM (Large language model).
- How to verify it
You can refer to README-CVM.md to verify my work :).
- Description for the changelog
Add basic support for CVM scenario.
- A picture of a cute animal (not mandatory but encouraged)
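The description above argues that packaging the application into the initramfs lets the bootloader measure it as a single blob, so its integrity is covered without a separate mechanism such as IMA. The following is an added example, not code from this PR or from linuxkit, illustrating how such a measurement chain behaves: each boot component (kernel, initramfs) is hashed and folded into a running register in the TPM/RTMR "extend" style (new = H(old || digest)), an event log records what was measured, and a verifier replays the log and compares the result against a known-good value. The sample kernel and initramfs blobs are constructed byte strings; the register width, hash algorithm and log format are assumptions for illustration and do not mirror any specific firmware or GRUB implementation.

```python
import hashlib
import hmac

# Assumed parameters for this illustration: a 32-byte register and SHA-256.
REGISTER_INIT = bytes(32)


def measure(blob: bytes) -> bytes:
    """Digest of one boot component exactly as loaded (kernel, initramfs, ...)."""
    return hashlib.sha256(blob).digest()


def extend(register: bytes, digest: bytes) -> bytes:
    """TPM/RTMR-style extend: the new value depends on the old value and the
    digest, so the order and content of every measured component matters."""
    return hashlib.sha256(register + digest).digest()


def boot_chain(components):
    """Simulate a measured boot over an ordered list of (name, blob).
    Returns the final register value and an event log of (name, hex digest)."""
    register = REGISTER_INIT
    log = []
    for name, blob in components:
        digest = measure(blob)
        register = extend(register, digest)
        log.append((name, digest.hex()))
    return register, log


def replay_log(log):
    """What an attestation verifier does: recompute the register from the log
    alone, without needing the original blobs."""
    register = REGISTER_INIT
    for _name, digest_hex in log:
        register = extend(register, bytes.fromhex(digest_hex))
    return register


def verify(reported_register: bytes, log, expected_register: bytes) -> bool:
    """Accept only if the log is consistent with the reported register AND the
    register matches the known-good value for the approved kernel+initramfs."""
    log_consistent = hmac.compare_digest(replay_log(log), reported_register)
    matches_policy = hmac.compare_digest(reported_register, expected_register)
    return log_consistent and matches_policy


# Constructed sample inputs standing in for the real kernel and initramfs images.
KERNEL = b"constructed-kernel-image-v6.x"
INITRAMFS = b"constructed-initramfs-containing-the-application"
INITRAMFS_TAMPERED = b"constructed-initramfs-containing-the-application-plus-backdoor"


def known_good_register() -> bytes:
    """The value a verifier would pin after building the approved image."""
    register, _log = boot_chain([("kernel", KERNEL), ("initramfs", INITRAMFS)])
    return register


def check_boot(initramfs: bytes) -> bool:
    """Measure a boot with the given initramfs and verify it against policy."""
    register, log = boot_chain([("kernel", KERNEL), ("initramfs", initramfs)])
    return verify(register, log, known_good_register())


if __name__ == "__main__":
    print("approved initramfs accepted:", check_boot(INITRAMFS))
    print("tampered initramfs accepted:", check_boot(INITRAMFS_TAMPERED))
```

Because the whole application lives inside the initramfs blob, any change to it (an added file, a modified binary, a different build) changes the initramfs digest and therefore the final register value, which is what lets the verifier reject it without per-file policy. The same property is why initramfs size matters to this PR: the measured unit has to be loadable as one image.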
