Use Case 2:

Privacy-preserving confidential computing platform that enables mitigation of internal threats for telecom cloud providers

This use-case will provide enablement for confidential computing in the form of a defined platform that can be applied in the telecom clouds.

A current problem with confidential computing is that in many cases it depends on new hardware architectures – notably Intel’s TDX and AMD’s SEV. Industry moves towards VM-based Trusted Execution Environments, but their enablement is still in the early phases. Open-source projects – like RedHat’s Enarx69 and ARM’s Veracruz70 – are working on the subject, but have approaches that need more research.

Big cloud companies – like Microsoft, Google and Amazon – only recently introduced confidential computing support, and this support is currently limited in many aspects. Microsoft Azure and Google

Cloud Platform offer so-called Confidential VMs, but remote attestation APIs and capabilities are not satisfying. None of the cloud providers offer Confidential Containers71 and Kubernetes support for VM, although Apple is working on a version with Kata containers72.

This use-case will leverage the cryptographic enablers and confidential toolkit developed in WP2, confidential computing HW platform abstractions and remote attestation handling developed in WP3 and confidential networking (especially quantum-safe TLS) and orchestration developed in WP4 to provide easy enablement of Intel and AMD VMs in an automated manner (via Ansible or similar scripts and cloud APIs). After that, confidential container support in Kubernetes will be developed, so that Kubernetes clusters can be formed with confidential VMs. Finally, application of Software Management Agent within the enclave will ensure secure TLS connections between VMs, secure key and certificate exchange and remote attestation handling.

The key validation: (i) automated handling of confidential VMs, including their creation and initialization in a programmable manner and using cloud APIs; (ii) TEE abstractions to help cloud providers enable TEEs in the cloud; (iii) software framework for handling remote attestations; (iv) software management agent (SMA) for management of secure VMs and enablement of secure TLS connections within enclaves; (v) confidential container framework and Kubernetes support.

KPIs: (i) 50% simplification for deploying confidential VMs; (ii) 30% finer-grained remote attestation handling configuration; (iii) enablement of quantum-safe TLS support within secure enclaves; (iv) enablement of Kubernetes support for confidential containers.