From a software point of view, we’re working across the entire cloud infrastructure stack to address these gaps. Some of the projects we’re contributing to are Keylime for TPM-based attestation and the Confidential Containers project, as well as the components the boot chain passes through: the Linux kernel, OVMF firmware, and GRUB.
For hardware, we’re actively pursuing projects to extend trust to important, but often neglected, components of modern servers, such as the baseboard management controller (BMC), which manages the entire server. We’re experimenting with OpenBMC and are actively working with the community to enhance the existing ecosystem, extending secure and measured boot to the BMC firmware, and reusing the same frameworks already used for operating-system attestation (such as Keylime).
We’re also defining an architecture for a "platform root of trust" to attest entire servers, including peripherals and accelerators. As part of the Open Compute Project, we’re exploring a pluggable management card (called a data center secure control module, or DC-SCM), along with other techniques. We’re working to improve security and isolation between client-facing resources and internal infrastructure, as well as to limit the potential blast radius of possible attacks.
To learn more about the work our team is doing and how it could help shore up your enterprise’s security, be sure to visit the cloud security team page.