Learn about Red Hat Confidential Virtual Machines

What are Red Hat Confidential Virtual Machines? 

Confidential Virtual Machines (CVMs) are a set of hardware and software technologies which provide additional measures for the confidentiality of the data processed within the VMs. Namely, the data is protected from the physical host which runs the VM at all stages: in transit, at rest and in use. These protections are especially important when the owner of the VM differs from the owner of the infrastructure, e.g. when the workload runs on a public cloud.

Red Hat Enterprise Linux aims to support the emerging CVM use-case by enabling the hardware technologies such as AMD SEV-SNP and Intel TDX as well as adding support to the software stack, making sure the confidentiality guarantees are preserved and that the VM can be attested by the owner to prove its qualities.

Introduction to confidential virtual machines

June 8, 2023 - Vitaly Kuznetsov

In this post, we will present confidential virtual machines (CVMs) as one of the use cases of confidential computing as well as the security benefits expected from this emerging technology. We will focus on the high level requirements for the Linux guest operating system to better secure data confidentiality both in use and at rest. This blog follows the recent release of Red Hat Enterprise Linux 9.2 running on Azure Confidential VMs. CVMs are also a critical building block for the upcoming OpenShift confidential containers in OpenShift 4.13 (dev-preview).  Read full post

RHEL confidential virtual machines on Azure: A technical deep dive

June 21, 2023 - Vitaly Kuznetsov

The Red Hat Enterprise Linux 9.2 CVM Preview image for Azure confidential VMs has been released, and it represents an important step forward in confidential virtual machines. In this article, I focus on the changes implemented to support the emerging confidential computing use-case, and some of the expected changes in the future.  Read full post

How to run Red Hat Enterprise Linux 9.2 on Azure confidential virtual machines

July 26, 2023 - Vitaly Kuznetsov

With the release of Red Hat Enterprise Linux 9.2 (RHEL), it's possible to run the Technology Preview of RHEL on an Azure confidential virtual machine (CVM). In a previous article, I provided the high-level requirements for a Linux operating system to support a CVM use-case, as well as the changes made to the RHEL 9.2 operating system to support the features provided by Azure CVMs to better secure data confidentiality. In this article, I focus on how to get access to the CVM Preview image, and how to launch an Azure CVM using that image. Read full post

Red Hat Enterprise Linux 9.3 on Azure confidential virtual machines: What’s new?

November 15, 2023 - Vitaly Kuznetsov

Previously, Red Hat and Microsoft introduced support for Red Hat Enterprise Linux 9.2 (RHEL) on Azure confidential virtual machines (CVMs). The RHEL9.2 CVM Preview image was available as “private preview” and in How to run Red Hat Enterprise Linux 9.2 on Azure confidential virtual machines, I described how to sign up for the preview and get access to the image. With the release of RHEL 9.3 , RHEL CVM Preview image on Azure became available as “public preview” so no specific sign-up process is required. In this article, I will focus on the changes between RHEL 9.2 and RHEL 9.3 for CVM Preview images. Read full post

Red Hat Enterprise Linux and Secure Boot in the cloud

July 17, 2024 - Vitaly Kuznetsov

In this article, we will focus on how to enable and configure Secure Boot for various Red Hat Enterprise Linux (RHEL) image types in AWS, Google Cloud and Microsoft Azure. Read full post

Extending Red Hat Unified Kernel Images By Using Addons

August 2, 2024 - Emanuele Giuseppe Esposito

With the advent of Confidential Virtual Machines (CVMs) in RHEL, a new challenge has emerged: Extending the Red Hat UKI (Unified Kernel Image) more safely and without compromising its security footprint. Starting with Red Hat 9.4, the systemd package (252-31 and onwards) supports UKI addons, which aim to solve this issue. In this blog, I explore the addons that enable safer extension of the UKI kernel command line. Read full post

Confidential VMs in the cloud - DevConf.CZ 2023 

Confidential instance types are the newest addition to public clouds like Microsoft Azure and Google Cloud Platform (GCP) but what does "confidential" really mean? The session will focus on which additional security guarantees are provided and what's required from Linux-based operating systems to make use of these guarantees. Using Azure Confidential VMs as an example, I'll focus on boot process, guest image requirements, Unified Kernel Images (UKIs), full disk encryption with vTPMs and PCR measurements.