Hi,

Thank you Felix, Takashi and Sean for weighing in and sharing invaluable information about both currently ongoing work as well as history and background on past work items and decisions.

I've been seeing some uptake in demands for confidential computing related methods and features, due to a rising bar in the areas of cybersecurity, data protection, etc. The Kata Containers and Confidential Containers projects are looking into integration points with platforms such as OpenStack, to deliver related functionality to more users.

I passed along the information y'all shared and will keep encouraging the communities to reach out with any questions and to collaborate on next steps as they get ready to take them.

Thanks and Best Regards,
Ildikó
On Feb 25, 2025, at 04:29, Sean Mooney <smooney@redhat.com> wrote:
On 25/02/2025 08:21, Felix Kronlage-Dammers wrote:
On Tue, Feb 25, 2025 at 04:17:02PM +0900, Takashi Kajinami wrote:
this:
Honestly speaking I've been struggling to gather attention about the work basically counts for:
There was a discussion in the past nova PTG about adding support for Intel SGX, but unfortunately I've seen no progress about it.

as well. The colleagues at OSISM were doing the work to see that the SGX patchsets were brought into shape in order to upstream them. During the PTG it became clear that it would need quite a bit of rework. Before diving into that we wanted to make sure that people (users, operators) are really interested in it; however, we've failed to identify basically _any_ interest among users and operators. As such we halted this effort.
nova is also a bit hesitant to accept invasive changes for this because we did have integration with OpenAttestation/trusted compute pools in the past that was developed by Intel and then became abandonware almost immediately once it was upstream.
the initial series was done 13 years ago https://review.opendev.org/q/owner:fred-yang
https://blueprints.launchpad.net/nova/+spec/trusted-computing-pools
the trusted compute filter was finally deprecated in pike and removed in queens
https://github.com/openstack/nova/commit/3806ead0e09f76b8b984054875682fbc68e...
the original trusted compute work was never properly tested and broke shortly after it was merged because the OpenAttestation spec it was based on was made obsolete.
if we add confidential computing features going forward we need to make sure they are documented, tested and maintainable by the core team. we don't accept experimental features in tree any more like we did when that was first done, and our overall testing requirements are much higher. having an operator/user need for this also goes a long way to prioritise these types of features.
cheers
felix