Trust anchors
In Continuum, there are three primary trust anchors that work together to ensure the integrity and security of the platform.
1. Hardware-based roots of trust
The first trust anchor in Continuum is the hardware-based root of trust, which ensures the security of confidential virtual machines (VMs) and GPUs. These properties are based on:
- CPU Confidential Computing features: Continuum leverages the security features of CPUs that support confidential computing, such as AMD SEV (Secure Encrypted Virtualization) and Intel TDX (Trust Domain Extensions). These technologies ensure that the VMs running within Continuum are protected against unauthorized access and tampering.
- GPU Confidential Computing features: For AI workloads that utilize GPUs, Continuum also relies on NVIDIA's confidential computing capabilities, particularly in the H100 series GPUs. These GPUs offer hardware-level protections to ensure that AI computations are secure and isolated from other processes.
Details on hardware attestation are provided on the hardware attestation page.
2. Reference values for security policies
The second trust anchor involves the reference values that Edgeless Systems provides for the security policies defined in the manifest. These reference values are:
- Signed and securely delivered: Edgeless Systems signs the reference values and delivers them through a secure supply chain, ensuring their authenticity and integrity.
- Reproducible from source code: To provide transparency, the image measurements in the manifest are reproducible from the source code. This allows users to independently verify that the attestation process is based on accurate and trusted data, making the entire process fully transparent.
3. The client-side verification
The third trust anchor is the client, which integrates all the components to establish a secure and trusted environment. In the case of Continuum, the client is the continuum-proxy. The client performs the following tasks:
- Pulls in reference values: The client retrieves the signed reference values provided by Edgeless Systems to ensure that the security policies are accurate and up-to-date.
- Verifies attestation reports: The client obtains the hardware attestation report and the manifest from the Continuum platform (i.e., the Attestation Service and the GenAI backend) and verifies them against the reference values within its local trusted environment.
- Establishes the trust chain: By verifying the reference values and the attestation statements from the hardware, the client creates a secure chain of trust that extends from the initial hardware-based root of trust to the final AI processing.
Summary of the trust anchors
In summary, the trust anchors operate as follows:
- Client: Pulls in reference values and verifies hardware-enforced attestation reports.
- Reference values for security policies: Provided by Edgeless Systems, signed, and reproducible.
- Hardware-based attestation statements: Cryptographic certificates issued by the CPU and GPU hardware.
The resulting trust chain is illustrated here.