Red Hat smitten by secure enclaves 'cos some sysadmins are evil

Also reveals plans to replace Atomic Host with CoreOS Linux

Red Hat Summit Red Hat has revealed a plan to work with CPU-makers so that its wares can take advantage of in-silicon security features such as secure enclaves.

The company today told attendees at its 2018 Summit in San Francisco that it will work with major silicon shops, including Arm, Intel, and AMD, to move operations such as handling security keys into secured enclaves that are inaccessible to the operating system.

In those cases, Red Hat says, only the applications themselves would be cleared to access the information in the enclave, meaning an intruder who had compromised a server or VM (such as via a malware infection or side channel attack) would be isolated from the sensitive data.

The use of secure enclaves to isolate data is growing in popularity, as software vendors use isolation to shield applications and services from tampering and side-channel attacks.

Red Hat wants to take things further by encrypting whole virtual machines and has already talked to AMD about how to do so in order to mitigate hypervisor-layer attacks. AMD's Epyc can decrypt and encrypt RAM on the fly as it enters and leaves the processor.

Mike Bursell, Red Hat's chief security architect, said malicious actors targeting a VM from within the hypervisor are a particularly nasty risk.

"The reason it is nasty is because allowing that is how hypervisors work, hypervisors can map the memory of VMs, they can write, read, and there is very little you can do about that," Bursell said,

"That is fine if you trust all of your sys admins, it is fine if you trust everyone who works at AWS, Google, Microsoft or whatever, it is fine if you never have sensitive data. But if you do, if you are running any of that on a system and you don't have 100 per cent certainty and trust in the sysadmin, you can't be certain they are not looking into those things and changing them as well."
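The two points above, that a hypervisor can map and read any guest's memory and that per-VM memory encryption in the processor's memory path takes that view away, as an added toy model in Python (this is illustrative code written for this page, not Red Hat's or AMD's; the HMAC-based keystream stands in for the hardware AES and the `MemoryController`, ASID and address values are constructed):

```python
import hmac, hashlib, os

BLOCK = 16  # granularity of the address tweak, like an AES block
class MemoryController:
    """Sits between CPU and RAM and encrypts each VM's data under a key
    chosen per ASID. Keys never leave the controller, so the hypervisor,
    which maps raw physical pages, only ever sees ciphertext."""
    def __init__(self, size):
        self.ram = bytearray(size)
        self._keys = {}  # asid -> key, private to the controller

    def attach_vm(self, asid):
        self._keys[asid] = os.urandom(32)

    def _keystream(self, asid, addr, length):
        # Address-tweaked keystream: the same plaintext at two addresses gives
        # two different ciphertexts (hardware does this with AES, not HMAC).
        start = addr - addr % BLOCK
        out, blk = b"", start // BLOCK
        while len(out) < (addr - start) + length:
            out += hmac.new(self._keys[asid], blk.to_bytes(8, "big"), hashlib.sha256).digest()[:BLOCK]
            blk += 1
        return out[addr - start:addr - start + length]

    def guest_write(self, asid, addr, data):
        ks = self._keystream(asid, addr, len(data))
        self.ram[addr:addr + len(data)] = bytes(a ^ b for a, b in zip(data, ks))

    def guest_read(self, asid, addr, length):
        ks = self._keystream(asid, addr, length)
        return bytes(a ^ b for a, b in zip(self.ram[addr:addr + length], ks))

    def hypervisor_read(self, addr, length):
        # The hypervisor maps the physical page with no ASID, so nothing decrypts.
        return bytes(self.ram[addr:addr + length])

    def hypervisor_write(self, addr, data):
        # It can still scribble on the page: encryption gives confidentiality,
        # not integrity, so the guest later reads garbage rather than an error.
        self.ram[addr:addr + len(data)] = data

def demo(secret=b"-----BEGIN PRIVATE KEY----- (constructed sample)"):
    """Guest 7 stores a secret; return both sides' views, then the guest's view after tampering."""
    mc = MemoryController(4096)
    mc.attach_vm(asid=7)
    mc.guest_write(7, 0x100, secret)
    guest, hyp = mc.guest_read(7, 0x100, len(secret)), mc.hypervisor_read(0x100, len(secret))
    mc.hypervisor_write(0x100, b"\x00" * 8)  # overwrite the first 8 bytes of the page
    return guest, hyp, mc.guest_read(7, 0x100, len(secret))
```

The last return value shows the caveat in Bursell's "changing them as well": encryption on its own stops the hypervisor reading the secret but not corrupting it, which is why later memory-encryption designs add integrity protection on top.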

Red Hat also has big plans for one of its former partners that is now a subsidiary: CoreOS.

The RHEL roadmap has added tighter integration with the CoreOS container management tools and the company said CoreOS Container Linux will be released into the public domain and subsequent versions under the new brand "Red Hat CoreOS".

The CoreOS Linux build will also be pitched as the solution for managing Kubernetes containers, eventually replacing the existing RHEL Atomic Host. ®
