Rust based Shim-Firmware for confidential container
- Track: Confidential Computing devroom
- Room: D.confidential (online)
- Location: Online
- Day: Saturday
- Start: 13:00
- End: 13:25
- Video only: dconfidential
In this talk, we will introduce td-shim (https://github.com/confidential-containers/td-shim). Td-shim is a lightweight Intel Trust Domain Extensions (TDX) virtual firmware (TDVF) for the simplified kernels used by TD-based confidential containers (e.g. Kubernetes). To match the short start-up time and low resource consumption overhead of bare-metal containers, runtime architectures for TD-based containers put a strong focus on minimizing boot time. They must also launch the container payload as quickly as possible. Hardware virtualization-based containers typically run on top of simplified and customized Linux kernels to minimize the overall guest boot time. As such, we introduced td-shim to replace the traditional Open Virtual Machine Firmware (OVMF) based TDVF for the container use case. Currently the Rust-based td-shim supports multiple hypervisors, such as KVM and Cloud Hypervisor, with a smaller size and better boot performance. It provides a secure and efficient way of building cloud native infrastructure.
Speakers
Jiewen Yao