intel/secured-cloud-management-stack

Secured Cloud Management Stack (SCM)

Overview

Secured Cloud Management Stack aims to enable confidential computing at the infrastructure level, provide chip-level data protection, and strengthen the security of cloud computing platforms. With SCM, users can run applications in a secured virtual machine (VM) or bare metal (BM) environment protected by Intel® Software Guard Extensions (SGX) and Intel® Trust Domain Extensions (TDX). Owing to its protection capability and flexibility, SCM can be applied widely in on-premise and hybrid clouds. All modifications are made in patch format.

SCM provides automated deployment scripts that help users quickly build the whole cloud software stack and create SGX/TDX instances for practice.

Intel® Software Guard Extensions (SGX)

SGX, a key Trusted Execution Environment (TEE) technology, is enabled in the current version. Typical security measures can protect data at rest and in transit, but often fall short of protecting data while it is actively in use in memory. Intel SGX helps protect data in use through application isolation. SGX offers hardware-based memory encryption that isolates the code and data of a specific application in memory. SGX allows user-level code to allocate private regions of memory, called enclaves, which are designed to be protected from processes running at higher privilege levels.

Intel® Trust Domain Extensions (TDX)

Intel® Trust Domain Extensions (TDX) is an Intel technology that extends Virtual Machine Extensions (VMX) and Multi-Key Total Memory Encryption (MK-TME) with a new kind of virtual machine guest called a Trust Domain (TD). A TD runs in a CPU mode that protects the confidentiality of its memory contents and its CPU state from any other software, including the hosting Virtual Machine Monitor (VMM). See the TDX white papers and specifications for more details.

Usage

OpenStack, a highly influential open-source cloud computing platform, is adopted as the IaaS foundation of SCM at its Train release. SCM modifies different OpenStack components to enable SGX/TDX across different dimensions and capabilities.

Kubernetes, also known as K8s, is an open-source system for automating the deployment, scaling, and management of containerized applications. SCM consolidates the Intel device plugin and Node Feature Discovery to enable SGX in Kubernetes.

Release

The current SCM release is 3.0. The table below shows the contents of each release.

| Release | Stack | Features |
| --- | --- | --- |
| v1.0 | OpenStack (Train) | Automatic SGX capability inspection and SGX node discovery; SGX capability enablement in OpenStack; SGX VM and BM lifecycle management; SGX EPC resource management |
| v2.0 | Kubernetes (v1.23.10) | Automatic SGX capability inspection and SGX node discovery; SGX capability enablement in Kubernetes; SGX Pod lifecycle management; SGX EPC resource management |
| v3.0 | OpenStack (Train) | Automatic TDX node discovery; TDX/SGX capability enablement in the same OpenStack platform; TDVM guest image customization; TDVM instance lifecycle management |

How to Contribute to Our Stack

Customized development of an OpenStack component, based on a specified branch or tag, is submitted to this repo as a patch. The whole development process is as follows.

  1. Clone this repo.

  2. Clone the OpenStack component and check out the specified branch or tag.

  3. Apply the component's patch from this repo with `git am <patch-file>`, if one exists.

  4. Complete development.

  5. Format a new patch with `git format-patch -<num> --stdout > <patch-file>`.

     Note: `num` is the number of commits to include, which covers both the commits of the original patch and the new commits.

  6. Override the component's patch in this repo with the newly generated patch.

  7. Create a pull request and submit it.
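The patch workflow above (steps 3, 5 and 6), as an added shell example that is not part of the SCM repository: it applies the existing patch, derives `<num>` from the commits above the base ref instead of counting by hand, regenerates the patch file and checks that the file carries exactly that many commits. The component path, base ref and patch file path are assumed arguments; the paths in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not the SCM project's own tooling. Arguments: a clone of the
# OpenStack component, the base tag/branch it was checked out from, and the
# patch file kept in this repo.
set -eu

# Step 3: apply the component's existing SCM patch on top of the base ref.
# --3way lets git fall back to a three-way merge if the context has drifted.
apply_scm_patch() {
  component_dir=$1; patch_file=$2
  git -C "$component_dir" am --3way "$patch_file"
}

# <num> for step 5 is the number of commits above the base ref: the commits
# carried by the original patch plus the commits added during development.
count_commits_since() {
  component_dir=$1; base_ref=$2
  git -C "$component_dir" rev-list --count "$base_ref..HEAD"
}

# Step 5: regenerate one mbox-style patch file holding every commit above the
# base ref, ready to override the file in this repo (step 6). Prints <num>.
regenerate_scm_patch() {
  component_dir=$1; base_ref=$2; patch_file=$3
  num=$(count_commits_since "$component_dir" "$base_ref")
  if [ "$num" -eq 0 ]; then
    echo "no commits above $base_ref in $component_dir" >&2
    return 1
  fi
  git -C "$component_dir" format-patch -"$num" --stdout > "$patch_file"
  echo "$num"
}

# Sanity check before overriding the patch: each commit in a format-patch
# mbox starts with a "From <40-hex sha> <date>" line, so count those.
count_patch_commits() {
  grep -c '^From [0-9a-f]\{40\} ' "$1"
}

# Example usage (hypothetical paths):
#   apply_scm_patch ./nova ./patches/nova.patch
#   regenerate_scm_patch ./nova stable/train ./patches/nova.patch
```

Compare the printed `<num>` with `count_patch_commits` on the new file before replacing the patch in this repo; a mismatch means the base ref or the commit range is wrong.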

References

  - SGX Documents
  - TDX Documents
  - tdx-tools