Confidential Computing

In a previous post, I explained that the direction most Confidential Computing deployments are converging toward is to reintroduce the TPM abstraction inside the Confidential VM itself. Rather than relying on a physical TPM, the goal is to expose a TPM interface from within the TEE. This design choice is largely pragmatic. It enables a lift-and-shift model for existing operating systems and workloads that already depend on TPMs for measured boot, disk encryption, and remote attestation. At the same time, it preserves the familiar TPM security guarantees while replacing physical trust assumptions with hardware-enforced isolation. ...

For almost half a decade now, I have been working on Confidential Computing at Canonical. This position has given me a front-row seat to the evolution of Confidential Computing technologies and their applications. One of the most exciting applications is Confidential AI inference, which allows AI models to be hosted and executed in a way that can keep the user’s input data confidential, even from the service provider itself. While Apple is announcing a partnership with Google, to base its own models on Google Gemini and while some might see this as a failure, it is worth noting that Apple Intelligence already has a meaningful legacy. ...

Rethinking the Trust Boundary of Kubernetes Nodes Most Kubernetes security mechanisms implicitly assume that worker nodes are trustworthy. In practice, this assumption is weak. The operating systems running underneath Kubernetes are often mutable, difficult to audit, and only loosely tied to what was originally provisioned. Even when containers are well isolated and supply chains are secured, a compromised or drifted node OS undermines the entire stack. A more robust approach is to treat the node operating system as a security boundary, not just a runtime dependency. This is where immutable and attestable operating systems become relevant. By making the OS immutable and cryptographically verifiable, Kubernetes can rely on a foundation whose integrity is provable rather than assumed. ...