Brussels / 4 & 5 February 2023


Rust based Shim-Firmware for confidential container

In this talk, we will introduce td-shim. Td-shim is a lightweight Intel Trust Domain Extensions (TDX) virtual firmware (TDVF) for the simplified kernels used by TD-based confidential containers (e.g. Kubernetes). In order to match the short start-up time and resource consumption overhead of bare-metal containers, runtime architectures for TD-based containers put a strong focus on minimizing boot time. They must also launch the container payload as quickly as possible. Hardware virtualization-based containers typically run on top of simplified and customized Linux kernels to minimize the overall guest boot time. As such, we introduced td-shim to replace the traditional Open Virtual Machine Firmware (OVMF) based TDVF for the container use case. Currently, the Rust-based td-shim supports multiple hypervisors, such as KVM and Cloud Hypervisor, with smaller size and better boot performance. It provides a secure and efficient way of building cloud native infrastructure.


Jiewen Yao