Full disk encryption for Confidential Computing guests

Modern confidential computing technologies like AMD SEV-SNP and Intel TDX provide a reliable way to isolate guest workload and data in use from the virtualization or cloud infrastructure. Protecting data at rest is, however, not something you get ‘by default’. The task is particularly challenging for traditional operating systems where users expect to get full read/write experience.

The good news is that Linux OS already offers a number of great technologies which can be combined to achieve the goal: dm-verity and dm-integrity, LUKS, discoverable disk images and others. Doing it all right, however, is left as an “exercise to the reader”. In particular, the proposed solution must allow for meaningful remote attestation at any time in the lifetime of the guest.

The talk will focus on the recent developments in various upstream projects like systemd and dracut which are focused on making full disk encryption consumable by confidential computing guests running in a cloud.