SUSE’s Adaptable Linux Platform (ALP) Raises the Bar on Confidential Computing

SUSE has just released the third prototype of ALP, named “Piz Bernina” (the highest mountain in the Swiss Alps).  The new prototype has a strong focus on security and demonstrates an innovative concept with confidential computing and a zero-trust approach. 

ALP stands for SUSE’s Adaptable Linux Platform, providing a new approach to enterprise Linux for evolving use cases in a cloud-native world – from core to cloud to edge. ALP is an application-centric, secure, and flexible platform designed to focus on workloads while abstracting from the hardware and the application runtime layers. Every three months we publish a new prototype with newly implemented features, approaches, and significant changes. 

Credits: Xavier von Erlach on Unsplash

SUSEs newly published ALP “Piz Bernina” consists of two separate prototypes which are momentarily close to each other, but will in the future deviate according to different use-cases and as more services are added: 

• the server-oriented version (codename “Bedrock”) 
• the cloud-native oriented version (codename “Micro”) 

Major changes in Piz Bernina 

The new SUSE ALP Piz Bernina focuses on security and provides many enhancements from our previous December prototype (Punta Baretti):  

• Confidential Computing: provides a Trusted Execution Environment that protects data in use by isolating, encrypting, and executing virtual machines. 
• Hardware and runtime attestation to verify the integrity of workloads and together with FDE (Full Disk Encryption) mark the starting point for end-to-end data security. 

• Foundation for future extended Confidential Virtual Machine support (CVM), covering support for more hardware vendors and making use of the most recent hardware for confidential computing.  
• Integration of NeuVector: to support a secure ecosystem, ALP-users can run NeuVector to identify malicious behaviors and prevent those affecting the underlying host OS or potentially other containerized workloads.  
• Support for s390x architecture: in addition to the already supported x86_64 and aarch64 architectures. 
• FDE (Full Disk Encryption) with TPM can now be selected at installation-time to support data security at rest. 

With NeuVector running on Piz Bernina, SUSE secure software supply chain gets stronger than ever, starting with source code analysis, a certified build system environment producing the distributions and artifacts like packages and containers, and now a runtime scanner for malicious workloads. Once installed and enabled on ALP system, NeuVector will automatically scan all running containers on the system, detect potential vulnerabilities and other threats. It will learn how containers behave and allow users to put some additional restrictions based on this learning. 

Enhanced Full Disk Encryption and Data Security 

The previously introduced FDE (Full Disk Encryption) with TPM (Trusted Platform Module ) is now available to be selected at installation-time to support data security at rest.  

What has changed from the previous December prototype Punta Baretti is that everything works equally with both LVM (Logical Volume Manager) and plain partition. An important change for usability is now there is no need to enter the passphrase on the first boot. As an engineer in you may wonder: “how can you do that?”. The non-interactive first boot is possible because we have the temporary passphrase hardcoded in the Grub2 configuration – which, of course, is fully erased (from both the encryption device and the Grub2 configuration) during the first boot and, soon after that, the TPMv2 is configured and fully utilized for all subsequent boots.  

With new support for FDE with TPM and confidential computing, ALP “Piz Bernina” provides an all-in-one security solution for all types of data, from data-at-rest to data-in-transit to data-in-use. 

Finally, Piz Bernina is adding support for the s390x architecture on top of the already supported x86_64 and aarch64 architectures. 

Useful links: 

• Documentation:  https://documentation.suse.com/#alp
  

• Sam Varghese at iTWire in conversation with Vojtech Pavlik on confidential computing and zero-trust: https://itwire.com/business-it-news/open-source/suse-claims-new-era-of-confidential-computing-through-its-adaptable-linux-platform.html