The Southern California Linux Expo (SCaLE) is an annual open source conference held in Los Angeles, California, since 2002.
Last weekend, Enarx co-founder Nathaniel McCallum gave two talks at SCaLE:
Confidential Computing: why it HAS to be open source
Confidential Computing is the use of hardware-based TEEs (e.g. Intel's SGX and AMD's SEV) to protect data and applications in use: that means that you can run workloads on a compromised or malicious system while still being assured that their confidentiality and integrity are protected. Setting this all up and deploying it is complex and has lots of moving parts. This session will discuss the core components, and look at the impact of who's running them, who supplied them, and whether they're open source. It will use the Enarx project as an example open source project to show what choices can be made to prioritise security and the importance of openness (in not just the code, but its development) to the project and its success.
Wyrcan: the Container Bootloader Saga
Wyrcan is a bootloader that boots into a container. That's all it does.
But of course, that's not the only thing that Wyrcan implies. Using Wyrcan to boot a container also means that you can use a tried and trusted software packaging ecosystem to have a bare-metal OS that is:
Stateless: Booting a container with Wyrcan means that nothing is installed on the disk. There is no state to manage except the state you put into your container. You never have to worry about whether packages are updated: you can schedule reboots to make sure you always have the latest OS. And if all your mounts of local storage are noexec, you can just reboot when compromised.
Memory-Resident: The full operating system is resident in RAM. That means it is fast. However, you can also set up swap in your container so that unused pages are written to disk, saving memory for your application.
Declarative: Your bare-metal operating system is developed using the same declarative tooling that you have come to expect from the container development pipeline. Put your OS config in git. Host it in your favorite git forge (GitHub, GitLab, Bitbucket, etc.). Build the images automatically. Host them in your favorite container repo.