Author | Yan Rong


On September 15, 2021, Inclavare Containers officially became a CNCF sandbox project through a vote of the Cloud Native Computing Foundation (CNCF) Technical Oversight Committee (TOC). Inclavare Containers is the industry's first open source container runtime for confidential computing scenarios. It was originally developed by the Alibaba Cloud operating system security team and the cloud native container platform team, and was jointly created with Intel.

Inclavare Containers Project address:
https://github.com/alibaba/inclavare-containers

The first open source container runtime for confidential computing: Inclavare Containers

In the cloud native environment, confidential computing technology relies on a hardware-based trusted execution environment to provide confidentiality and integrity protection for users' sensitive data while it is in use (that is, during computation). However, it also faces high barriers to development, use, and deployment: application containerization is complicated, Kubernetes does not provide native support, and there is no unified cross-cloud deployment solution. Inclavare Containers was born to solve these problems.

[Figure: Inclavare Containers system architecture diagram]

Inclavare Containers can be integrated with Kubernetes and Docker. It is the industry's first open source container runtime for confidential computing scenarios. Its goal is to provide the industry and open source communities with confidential container technology, confidential cluster technology and a universal remote attestation security architecture for cloud-native scenarios, and to strive to become the de facto standard in this field. The project was open sourced in May 2020 and has developed rapidly in just over a year, attracting the attention and contributions of many experts and engineers in the field.

Five major features that safeguard user data

Inclavare Containers uses a novel method to launch protected containers in a hardware-based trusted execution environment, preventing entities not trusted by the user from accessing the user's sensitive data. Its core functions and features include:

  • Removes trust in cloud service providers and implements a zero trust model: Inclavare Containers assumes that users do not need to trust cloud service providers; that is, the security of user workloads no longer depends on privileged components controlled by cloud service providers.
  • Provides a universal remote attestation security architecture: builds a universal, cross-platform remote attestation security architecture that can prove to users that their sensitive workloads are running in a genuine and trusted hardware-based trusted execution environment, where that trusted execution environment can be based on different confidential computing technologies.
  • Defines the general Enclave Runtime API specification: uses a standard API specification to interface with various forms of Enclave Runtime. While simplifying the connection of a specific Enclave Runtime to the cloud native ecosystem, it also provides users with more technical choices. Currently, Occlum, Graphene and WAMR all provide Enclave Runtime support for Inclavare Containers.
  • OCI compatibility: the Inclavare Containers project has designed and implemented a new OCI runtime, rune, which complies with the OCI runtime specification. This keeps it consistent with the existing cloud-native ecosystem and realizes a confidential container form: the user's sensitive applications are deployed and run as confidential containers while keeping the same experience as using ordinary containers.
  • Seamlessly integrates with the Kubernetes ecosystem: Inclavare Containers can be deployed on any public cloud Kubernetes platform, realizing a unified deployment of confidential containers.

Accelerate cloud-native infrastructure to embrace confidential computing

The Inclavare Containers open source project is committed to accelerating the adoption of confidential computing in cloud-native infrastructure by combining original research from academia with practical capabilities from industry, and building a cloud-native confidential computing security architecture through a neutral community. In addition to the cooperative relationship already established with Intel, we plan to establish similar cooperation with other chip manufacturers in the future. We have also begun to establish new cooperative relationships with universities and academia to unearth more of the potential of Inclavare Containers in the field of confidential computing.

As the industry's first open source container runtime for confidential computing scenarios, Inclavare Containers will evolve toward a secure, easier-to-use, intelligent and scalable architecture. While continuously deepening the implementation of the zero-trust model, it will keep improving the experience of developers and users, eventually eliminating any difference from the experience of using ordinary containers. In the future, Inclavare Containers will continue to work side by side with the community and the ecosystem, promoting the construction and popularization of the cloud-native ecosystem in the field of confidential computing systems, and expanding the boundaries of cloud-native together with developers worldwide.

At present, Inclavare Containers has become one of the projects of the OpenAnolis community Cloud Native Confidential Computing SIG, which is committed to providing open source, standardized confidential computing technology and security architecture to the industry through the cooperation of open source communities, and to promoting the development of confidential computing technology in cloud native scenarios.

Click the link below to go directly to the Cloud Native Confidential Computing SIG:
https://openanolis.cn/sig/coco
