Skip to content

Cosmian VM

Cosmian VM offers:

  • a hardened pre-configured Linux distribution (based on Ubuntu 22.04 or RHEL 9) with LUKS disk encryption designed for confidential computing machines.
  • a seamless, unique experience across all confidential hardware (Intel TDX, AMD SEV-SNP, soon NVIDIA H100) and cloud providers (AWS, Azure, GCP)
  • an extended verifiability of the hardware, OS, and binaries running on the VM.

Specifically, the Cosmian VM provides the following features:

  • Confidentiality: the whole environment runs in a Trusted Execution Environment (TEE) with encrypted memory on top of encrypted storage.
  • Verifiability: the user can verify the integrity of the hardware, OS, and executables at any time and compare them against a reference snapshot
  • Genericity: compatible with AMD SEV-SNP, Intel TDX, and TPM or vTPM. Works identically on all cloud providers.
  • No code modification: no third-party library or any change to applications
  • Simplicity: manual configuration is reduced to the bare minimum. A Linux administrator enjoys the same experience as that of a standard VM.

Use cases

Cosmian VM is used in these two scenarios:

  • Quickly migrate an on-premise application to the public cloud without modifications while running it with the same level of confidentiality, e.g., migrating an HR application to the cloud.
  • offer confidential SaaS services to your customers/users, protecting their privacy against the cloud provider and any extra-territorial law, e.g., offering confidential AI/Gen. AI in the public cloud.

setup flow

Threat Model

Cosmian VM is designed to secure your application against passive (honest-but-curious) and active (malicious) cloud provider staff member

Extended Verifiability

Cosmian VM provides memory and disk encryption on a hardened system and extends the hardware remote attestation supplied by Intel and AMD to the verifiability of the operating system, as well as the binary files or other files marked as verifiable on the system. A user can quickly check the integrity of the whole system (no hardware change, no OS change, known binaries running or having run) before sending sensitive data for processing.

To do this, Cosmian VM builds on the following components:

  • Trusted Execution Environment (TEE) such as AMD SEV-SNP or Intel TDX for memory encryption
  • Trusted Platform Module (TPM) or vTPM (virtual TPM) to store secrets and attest the content of some memory region
  • Integrity Measurement Architecture (IMA), a Linux kernel module used to maintain a measurement log of all executables

To securely tie these components together, Cosmian VM image contains the following software:

  • cosmian_vm_agent: an agent running in the confidential VM to forward attestations, collaterals (e.g. root certificates) and measurement log
  • cosmian_certtool to ease the generation of Let’s Encrypt certificates if needed
  • cosmian_fstool to ease the generation of LUKS container with the secret key stored in the TPM/vTPM (automount on reboot)

Our client CLI cosmian_vm can be used to interact with cosmian_vm_agent and verify the trustworthiness of a specific instance launched with Cosmian VM as base image.

Audit

Cosmian VM image construction process can be found in this repository: https://github.com/Cosmian/cosmian_vm/packer

Usage: table of contents

Setup flow

A Cosmian VM is instantiated from a cloud provider marketplace on top of a confidential computing machine. Once the system administrator has installed the application and its dependencies, a snapshot of the VM is taken. Integrity checks can then be performed on the running VM to verify the running code, OS, and hardware.

setup flow

Snapshot of the system

The snapshot of the system is a crucial step performed by cosmian_vm_agent to produce a JSON file with:

  • TEE policy
  • TPM policy
  • List of measured files and their hash digests

It’s a one-time process that is done before you decide to freeze the instance and expect no more modification.

The content will be compared against TEE attestation, TPM/vTPM attestation and IMA measurement log to verify the trustworthiness of the remote instance.

Verification of the remote instance

The verification process of the Cosmian VM is performed using client CLI cosmian_vm, which will check:

  • IMA (Integrity Measurement Architecture) measurement log with the list of executable and configuration file’s hash digest, to be compared against the snapshot
  • TPM (Trusted Platform Module) attestation of the IMA measurement log
  • TEE (Trusted Execution Environment) attestation to ensure the instance is running on secure hardware with encrypted memory

The verification is successful if files in IMA measurement log and snapshot have the same hash digests, TPM or vTPM correctly attested the IMA measurement log content and finally if TEE attestation is valid.

simple verification flow

detailed verification flow

Cloud providers support

Cosmian VM already supports AMD SEV-SNP and Intel TDX but low-level access to the hardware might differ depending on the cloud provider.

Replace X.Y.Z in the 3 following tables by the last Cosmian base image version.

AWS images

Official image OS image OS version Cosmian base image
AWS - AMD SEV ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-amd64-server-20240523.1 Ubuntu 24.04 base-image-X-Y-Z-ubuntu-sev
AWS - AMD SEV RHEL-9.3.0_HVM-20240117-x86_64-49-Hourly2-GP3 Redhat 9.3 base-image-X-Y-Z-ubuntu-sev

Azure images

Official image OS image OS version Cosmian base image Version
Azure - Intel TDX Canonical-0001-com-ubuntu-confidential-vm-jammy-22_04-lts-cvm Ubuntu 22.04.202404090 base-image-ubuntu-tdx X.Y.Z
Azure - AMD SEV Canonical-0001-com-ubuntu-confidential-vm-jammy-22_04-lts-cvm Ubuntu 22.04.202404090 base-image-ubuntu-sev X.Y.Z
Azure - AMD SEV Redhat-rhel-cvm-9_3_cvm_sev_snp Redhat 9.3.2023111017 base-image-rhel-sev X.Y.Z

GCP images

Official image OS image OS version Cosmian base image
GCP - Intel TDX ubuntu-2204-tdx-v20240220 Ubuntu 22.04 base-image-X-Y-Z-ubuntu-tdx
GCP - AMD SEV ubuntu-2404-noble-amd64-v20240523a Ubuntu 24.04 base-image-X-Y-Z-ubuntu-sev
GCP - AMD SEV rhel-9-v20240515 Redhat 9.3 base-image-X-Y-Z-rhel-sev

Marketplace Image content

The Cosmian VM image built on the marketplaces of GCP, Azure, or AWS contains four primary executables:

  • cosmian_vm_agent is designed to be deployed on the Cosmian VM. It serves on demand the collaterals used to verify the trustworthiness of the Cosmian VM, such as the IMA file, the TEE quote, or the TPM quote
  • cosmian_certtool is designed to generate a certificate signed by Let’s Encrypt or an RATLS certificate
  • cosmian_fstool is designed to generate a LUKS container and enroll the TPM to be automatically started on reboot
  • cosmian_vm is a CLI designed to be used on your host. It queries the cosmian_vm_agent to get the collaterals used to verify the integrity/trustworthiness of the Cosmian VM

This image:

  • contains the fully configured IMA
  • contains the fully configured SELinux
  • disables the auto-update (to avoid any modification of the Cosmian VM after having snapshotted it)
  • contains the fully configured cosmian_vm_agent

This is an abstract of the updated file tree:

.
├── etc
│   ├── apt
│   │    └── apt.conf.d
│   │       └── 10periodic
│   ├── cosmian_vm
│   │   └── agent.toml
│   ├── default
│   │   └── grub
│   ├── ima
│   │   └── ima-policy
│   └── systemd
│       └── system
│           ├── cosmian_vm_agent.service
│           └── mount_luks.service
├── root
│   ├── mount_luks.sh
├── usr
│   └── sbin
│       ├── cosmian_certtool
│       ├── cosmian_fstool
│       └── cosmian_vm_agent
└── var
    └── lib
        └── cosmian_vm
            ├── container   <--- LUKS container
            ├── tmp
            └── data        <--- LUKS container mounted
                ├── cert.pem
                └── cert.key

© Copyright 2018-2024 Cosmian. All rights reserved.