
Confidential Containers with the Crun-Krun Container Runtime – Tyler Fanelli, Red Hat

The crun-krun container runtime lets users run OCI containers inside lightweight KVM-based VMs. Virtualizing these containers gives users an extra layer of process isolation for workloads that are potentially buggy or malicious. One emerging virtualization technology is confidential computing (using CPU Trusted Execution Environments). Confidential computing lets the CPU encrypt the guest memory of VMs running on a host system, effectively preventing a potentially malicious hypervisor from reading or tampering with guest VM memory. crun-krun has recently added support for a number of TEE architectures, giving users the same lightweight KVM-based containers with added confidential computing support. Recently, podman has introduced support for building crun-krun containers. In this talk, I’d like to discuss crun-krun’s architecture (especially the virtualization project that enables it, libkrun). I’d also like to explain how it achieves process isolation with negligible performance overhead, and how it incorporates confidential computing into the runtime to run confidential containers.

Date: May 1, 2024