Confidential computing
This guide outlines how to enable Confidential Computing on a CRN.
Hardware requirement
To enable Confidential Computing, your system must be equipped with 4th Generation AMD EPYC™ Processors that support Secure Encrypted Virtualization (SEV).
The supported processors include the 9004 Series Processors and 8004 Series Processors.
Note that the 4004 Series Processors do not provide SEV and are therefore not supported.
ℹ️ The 4th Generation requirement stems from security vulnerabilities discovered in SEV on Zen3 and earlier architectures.
Additional Software Requirements
In addition to the standard software requirements, the following must be configured:
- BIOS Configuration: SEV support must be enabled in the BIOS (refer to Section 2.1 of the document). (see Section 2.1).
- Kernel and Platform Support: The operating system kernel must support SEV. For example, Ubuntu 24.04 includes this support by default.
- sevctl: The sevctl tool must be installed. This utility is included in the aleph-vm Debian package and is installed at
/opt/sevctl
. - QEMU: QEMU must be installed on the system.
apt install cloud-image-utils qemu-utils qemu-system-x86
To verify that your system supports AMD SEV, run the following command: /opt/sevctl ok
A successful output should include:
[ PASS ] - Secure Encrypted Virtualization (SEV)
For more details on enabling SEV and troubleshooting, refer to the official AMD SEV documentation.
Enabling the confidential computing feature
To enable SEV in the aleph-vm
configuration, modify the supervisor.env file, by default located at /etc/aleph-vm/supervisor.env
. Add or update the following lines:
After starting the server, verify that Confidential Computing is enabled by checking the configuration endpoint at:
http://localhost:4020/status/config
The endpoint should return: