Executive summary
Confidential computing is enabled on IBM® LinuxONE (s390x processor architecture) by using IBM Secure Execution for Linux [SEL] technology, which is an advanced security feature introduced with IBM z15® and IBM® LinuxONE III and newer models. With IBM Secure Execution, workloads can be securely deployed in a hybrid environment to ensure the integrity and confidentiality of boot images and server authenticity. Applications are isolated from the operating system, admins, and hypervisor, which provides more privacy and security. IBM Secure Execution helps to create encrypted Linux images that can run on a public, private, or hybrid cloud with their in-use memory protected. The workload or data is protected from external and insider threats.
IBM offers a confidential virtual machine image operating system called IBM Confidential Computing Container Runtime, which leverages IBM Secure Execution for Linux technology. This solution provides an easy-to-use container runtime that includes a hardware-based, attested Trusted Execution Environment (TEE) for the protection of data in use. It allows for the deployment of any Open Container Image (OCI) based on an encrypted contract, also known as a Confidential Computing Contract.
The Red Hat OpenShift sandboxed containers add-on introduces a new attestation operator as part of its confidential container feature. This allows for the deployment and management of Trustee services within an OpenShift cluster. The Trustee services, which include the Key Broker Service (KBS) and the Attestation Service (AS), can be securely deployed in a CCRV instance that functions as a Trusted Execution Environment (TEE) through a Confidential Computing Contract. The Confidential Computing Contract is an encrypted document that contains embedded secrets, such as keys, API tokens, and seeds for data volume protection. These secrets can only be decrypted within the CCRV-based TEE.
The following diagram shows a typical deployment of Trustee on CCRV:

Figure: Trustee on CCRV architecture diagram