Source

Red Hat Blog

Confidential containers with AMD SEV

Based on Kata Containers, the Confidential Containers (CoCo) project is a community solution to enable hardware technologies for virtualized memory encryption in container environments through attestation. CoCo SEV enables an encrypted container launch feature by utilizing a remote key broker service to verify the guest measured environment before releasing the image decryption key during orchestration. This blog demonstrates how to prepare an EPYC™ CPU-powered machine for SEV and CoCo, how to install CoCo using a Kubernetes operator, and how to create an encrypted image and start a containe

Building security certifications into your image builder blueprint

I imagine I am not the only systems administrator who struggled with driving security compliance across a disparate fleet of Linux systems. It took up hours of administrative time and often required interaction with a third-party auditor to validate the results. Let’s talk about the multiplication here: You may have a batch of systems that handle payment processing, so they are required to comply with the rules for PCI-DSS. You may have another set of systems that handle your patients’ medical records, which would fall under the purview of HIPAA. Many of these certifications require com

Red Hat: Building a quantum-ready world

As the world's leading provider of enterprise-ready open source software, Red Hat is uniquely positioned to help prepare the widely varying users of its embedded platform cryptography for the transition to a post-quantum world. In fact, the US Government calls it "imperative" in a recent National Security Memorandum: "[Becoming quantum-ready is] imperative across all sectors of the United States economy, from government to critical infrastructure, commercial services to cloud providers, and everywhere else that vulnerable public-key cryptography is used" — NSM-10. Part of Red Hat's

OpenShift sandboxed containers on-prem: Going nested without nested

Peer-pods is a new Red Hat OpenShift feature that enables an OpenShift sandboxed container (OSC) running on a bare-metal deployment to run on OpenShift in a public cloud and on VMware. It's not uncommon to want to run OpenShift in a virtual machine instead of on the bare-metal nodes. While it's possible to run a virtual machine inside a virtual machine, it demands a whole new subset of support concerns when you do it in production. In this article, I'll demonstrate how to solve this problem, using a combination of peer-pods and libvirt. By the end of this tutorial, you'll know how to create a

Confidential computing: 5 support technologies to explore

This article is the last in a six-part series (see my previous blog) presenting various usage models for Confidential Computing, a set of technologies designed to protect data in use. In this article, I explore interesting support technologies under active development in the confidential computing community. Kernel, hypervisor and firmware support: Confidential Computing requires support from the host and guest kernel, the hypervisor, and firmware. At the time of writing, that support is uneven between platforms. Hardware vendors tend to develop and submit relatively large patch series, w

RHEL confidential virtual machines on Azure: A technical deep dive

The Red Hat Enterprise Linux 9.2 CVM Preview image for Azure confidential VMs has been released, and it represents an important step forward in confidential virtual machines. In this article, I focus on the changes implemented to support the emerging confidential computing use case, and some of the expected changes in the future. For this article, I'm using confidential virtual machines (CVMs) with the Technology Preview of Red Hat Enterprise Linux 9.2, running as a guest on Microsoft Azure confidential VMs. This builds on my previous post in which I discussed the high-level requirements fo

FIRST Announces CVSS v4.0 Public Preview

The Common Vulnerability Scoring System (CVSS) is well known in the world of product security, development and IT. “The Common Vulnerability Scoring System provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity,” per FIRST’s definition. In layman’s terms, CVSS is used to assign a common score to a discovered vulnerability to let people know, at a glance, how technically severe the vulnerability is and to provide vendors a starting point for assessing the risk of a vulnerability towards their product. There

Red Hat OpenShift Service on AWS (ROSA) IRAP Assessment kicks off

Cybersecurity is front of mind for public and private sector organizations. Today, Red Hat is pleased to announce that CyberCX is conducting an assessment of Red Hat OpenShift Service on AWS (ROSA) through the InfoSec Registered Assessors Program (IRAP). This assessment is part of Red Hat's ongoing commitment to provide innovative platforms that maintain a stronger security posture. ROSA is a turnkey application platform that allows developers to build, deploy and manage containerized applications on the AWS cloud. It provides a more scalable platform with enhanced IT security capabilities fo

Confidential computing platform-specific details

Confidential Computing is a set of technologies designed to protect data in use (for example, it provides memory encryption). This article is the fifth in a six-part series (see the previous article) about various Confidential Computing usage models and the requirements to get the expected security and trust benefits. In this article, I explore the many available Confidential Computing platforms, and discuss how they differ in implementation, and specifically in how to perform attestation: AMD Secure Encrypted Virtualization (SEV) in its three generations (SEV, SEV-ES and SEV-SNP) Intel

Best practices for patch management

As a Solution Architect, I’m often asked what Red Hat’s best practices are for patch management. In this article, I'm going to cut through the noise, linking to relevant work and materials where appropriate, to offer some focused guidance around what exactly a best practice is and what tools you can leverage as part of your patch management toolkit. After reading this article, you'll have a clearer idea about the tools and approaches you can leverage to deliver patches—and the best practices around defining that process—for your organization. Calling something a "best practice" i