Skip to main content
FOSDEM PWA

Securing the Linux Boot Process with COCONUT-SVSM

UD6.215 | Day 2 | 09:10 - 09:30 | Speakers: Jörg Rödel

Securing the Linux Boot Process with COCONUT-SVSM
A picture of a devroom at FOSDEM 2024
Open in browser

Notes

Abstract

Hardware extensions for confidential computing establish a strict trust boundary between a virtual machine and the host hypervisor. From the guest’s perspective, any interaction crossing this boundary must be treated as untrusted and potentially malicious. This places significant hardening demands on guest operating systems, especially around firmware interfaces, device drivers, and boot components.

This talk explores how COCONUT-SVSM can act as a trusted proxy between the hypervisor and the Linux guest, restoring trust in key firmware and memory-integrity interfaces. By offloading sensitive interactions to the SVSM, we can simplify guest OS hardening and provide a more secure boot process for confidential VMs.

Speakers

Jörg Rödel

Jörg is Principal Member of Technical Staff at AMD. Prior to this, he lead the Confidential Computing efforts at SUSE, working with AMD on enabling SEV and related technologies. In this role he implemented major parts of the AMD SEV-ES guest support in the Linux kernel and brought it upstream into kernel 5.10. He is also active in the Linux kernel community as the maintainer for the IOMMU subsystem and a contributor to other areas like KVM or the X86 architecture.

Notice: The placeholder video image is licensed under CC BY-SA 4.0. The original image can be found hereChanges made to the image are: Cropped the image to a new ratio, part of the image was cut off.