Jiewen Yao

In this talk, we will introduce td-shim (https://github.com/confidential-containers/td-shim). Td-shim is a lightweight Intel Trust Domain Extensions (TDX) virtual firmware (TDVF) for the simplified kernel for TD based confidential container (e.g. Kubernetes). In order to match the short start-up time and resource consumption overhead of bare-metal containers, runtime architectures for TD-based containers put a strong focus on minimizing boot time. They must also launch the container payload as quickly as possible. Hardware virtualization-based containers typically run on top of simplified and customized Linux kernels to minimize the overall guest boot time. As such, we introduced the td-shim to replace the traditional Open Virtual Machine Firmware (OVMF) based TDVF for container use case. Currently the rust-based td-shim supports multiple hypervisors such as KVM and cloud hypervisor with smaller size and better boot performance. It provides a secure and efficient way of building the cloud native infrastructure.

Security Protocol and Data Model (SPDM) is a standard published by the Distributed Management Task Force (DMTF) organization Platform Management Components Intercommunication (PMCI) working group. SPDM’s vision is to resolve the long-lasting problem of compatible secure communication solution between two endpoints of embedded systems. Protocols defined by SPDM can be used for a wide range of security functionalities including authentication of hardware/firmware identities, delivering measurements, performing attestation, and establishing session keys for secure communication channels.

This presentation introduces OpenSPDM, an open-source sample implementation which implements an SPDM requester utility to validate a vendor’s responder implementation. The talk covers SPDM 1.0 device authentication and firmware measurement collection, and SPDM 1.1 session creation for data communication protection.

The audience will learn the main components of the SPDM protocol. A firmware solution builder will learn how to implement a SPDM requester to perform device authentication/attestation and create a secured session with a target device. A device builder will learn how to implement a SPDM responder for authentication/measurement requests and create a secured session to protect communications.

Other people: Norbert Kamiński xiaoyuruan