Now let’s try the same on the Intel® TDX protected VM.

In 2023, Intel launched Intel® Trust Domain Extensions (Intel® TDX), their latest Confidential Computing technology that ensures data in use protection for hardware-isolated virtual machines and verified hardware and software integrity through attestation.

First, the regular VM without Intel® TDX protection:

Prologue

As we can see, an administrator can basically read all the sensitive data, even with data-at-rest and data-in-transit protection.

We’re working on an Ubuntu 24.04 OS installed on top of a system equipped with a CPU from the Xeon Scalable 5th Gen Emerald Rapids family.

Overall, we perform the following steps:

  • A DBA configuring MariaDB on their own VM to store sensitive banking information.
  • A third-party hosting provider.

# Memory dump of the TD
:~/memdumps$ virsh dump tdvirsh-trust_domain-ae41a94c-43f3-4bf0-9c30-b66a13ca6b42 ./tdx-dom-mem-dump.file --memory-only

:~/memdumps$ strings tdx-dom-mem-dump.file | grep -aE -B 5 -A 5 'ACC123'
# Nothing!
:~/memdumps$ strings tdx-dom-mem-dump.file | grep -aE -B 5 -A 5 'Razvan'
:~/memdumps$
# Nothing x2!

root@tdx-guest:~# sudo dmesg | grep -i tdx
[ 0.000000] tdx: Guest detected
[ 0.000000] DMI: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 2024.02-3+tdx1.0 07/03/2024
[ 0.278473] process: using TDX aware idle routine
[ 0.330149] Memory Encryption Features active: Intel TDX
[ 6.454503] systemd[1]: Detected confidential virtualization tdx.
[ 6.470694] systemd[1]: Hostname set to <tdx-guest>.

Configure MariaDB server

# Clone Canonical's Intel® TDX repository
git clone -b noble-24.04 https://github.com/canonical/tdx.git

# Set up Intel® TDX in the host OS
cd tdx
sudo ./setup-tdx-host.sh

# Reboot
sudo reboot

# Verify that Intel® TDX is enabled
$ sudo dmesg | grep -i tdx
[ 5.340815] virt/tdx: BIOS enabled: private KeyID range [64, 128)
...
...
[ 21.984224] virt/tdx: module initialized

Configure VMs

# Keyfile generation
root@tdx-guest:~# mkdir /etc/mysql/encryption
root@tdx-guest:~# (echo -n "1;" ; openssl rand -hex 32 ) | sudo tee -a /etc/mysql/encryption/keyfile
1;56f9e484de0016b19c4de543430e729367838033db1d3ea724dc9624f1f3ae4b

# Server configuration
root@tdx-guest:~# cat <<EOL >> /etc/mysql/my.cnf

[mariadb]
plugin_load_add = file_key_management
loose_file_key_management_filename = /etc/mysql/encryption/keyfile
innodb_encrypt_log = ON
innodb_encrypt_temporary_tables = ON
innodb_encryption_threads = 4
bind-address = 0.0.0.0
EOL

root@tdx-guest:~# systemctl restart mariadb
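
Before restarting the server it is worth checking that the keyfile and the `[mariadb]` options above are well formed, since a malformed keyfile stops the `file_key_management` plugin from loading. The following Python checker is an added example (not part of the post or of MariaDB) that validates the `<id>;<hex key>` keyfile format and the settings shown above; the sample config and the dummy key it uses are constructed.

```python
REQUIRED = {  # settings the post appends under [mariadb] (values compared case-insensitively)
    "plugin_load_add": "file_key_management",
    "innodb_encrypt_log": "ON",
    "innodb_encrypt_temporary_tables": "ON"}

def parse_keyfile(text: str) -> dict[int, bytes]:
    """Parse file_key_management's '<id>;<hex key>' lines; reject malformed entries."""
    keys: dict[int, bytes] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key_id, sep, hexkey = line.partition(";")
        if not sep or not key_id.isdigit():
            raise ValueError(f"line {lineno}: expected '<id>;<hex key>'")
        key = bytes.fromhex(hexkey)               # raises on non-hex or odd length
        if len(key) not in (16, 24, 32):          # AES-128/192/256 only
            raise ValueError(f"line {lineno}: {len(key)}-byte key, want 16, 24 or 32")
        keys[int(key_id)] = key
    return keys

def mariadb_section(cnf: str) -> dict[str, str]:
    """Option/value pairs under [mariadb]; option names normalised ('-' -> '_')."""
    section, out = None, {}
    for raw in cnf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[] ")
        elif section == "mariadb" and "=" in line:
            k, v = (p.strip() for p in line.split("=", 1))
            out[k.replace("-", "_")] = v
    return out

def audit(cnf: str, keyfile: str) -> list[str]:
    """Findings for the data-at-rest setup; an empty list means the checks pass."""
    cfg, findings = mariadb_section(cnf), []
    for k, want in REQUIRED.items():
        if cfg.get(k, "").lower() != want.lower():
            findings.append(f"{k} should be {want}, found {cfg.get(k, '<unset>')}")
    keys = parse_keyfile(keyfile)                 # raises on a malformed keyfile
    default_id = int(cfg.get("innodb_default_encryption_key_id", "1"))  # server default
    if default_id not in keys:
        findings.append(f"default key id {default_id} is missing from the keyfile")
    return findings

# Constructed samples mirroring the post's configuration (dummy key, not a real secret).
SAMPLE_CNF = """[mariadb]
plugin_load_add = file_key_management
innodb_encrypt_log = ON
innodb_encrypt_temporary_tables = ON"""
SAMPLE_KEYFILE = "1;" + "ab" * 32 + "\n"
```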

We will make use of Intel® TDX from two perspectives:

This year, we engaged in discussions with Intel representatives at SUSECON, leading us to collaborate on testing MariaDB Server with Intel® TDX. As part of this partnership we will publish several blog posts highlighting the combination of MariaDB Server and Intel® TDX.

This specific post will demonstrate how data stored in the server’s memory is protected from unauthorized access, even from attackers exploiting kernel vulnerabilities or rogue administrative users.

# Memory dump of the regular domain
:~/memdumps$ virsh dump tdvirsh-regular_vm-00c643ab-205d-41b5-873d-a60800b284f3 ./regular-dom-mem-dump.file --memory-only

# Suppose ACC123 is just a standard pattern for identifying the bank and the account type.

:~/memdumps$ strings regular-dom-mem-dump.file | grep -aE -B 5 -A 5 'ACC123'

Balance
Razvan Varzaru
razvan@provider.com
+40700060000
456 Real Rd, Bucharest, Romania
ACC123456789
1000.00i
John Doe
john.doe@provider.com
+40700060001
123 Fake St, Springfield, USA
--
AUE1
default-character-set=utf8mb3
default-collation=utf8mb3_general_ci
infimum
supremum
ACC123456789EUR
ACC444555666GBP
I:6769510
E:ID_MM_CANDIDATE=1
G:systemd
Q:systemd

...
...
# and there's more output to it
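
To make the comparison between the two dumps above (the regular domain here and the TD earlier) repeatable, here is an added Python scanner, not from the original post, that reproduces the `strings | grep -E -B/-A` check over constructed sample dumps: the regular-VM sample yields cleartext hits, the TD sample none. The filler bytes, sample dumps and watch patterns are constructed for illustration; on a real system the same functions can be pointed at the output of `virsh dump --memory-only`.

```python
import re
import string

# Bytes `strings` treats as printable: ASCII graphic characters plus space.
_PRINTABLE = {ord(c) for c in string.printable} - {0x09, 0x0a, 0x0b, 0x0c, 0x0d}

def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Emulate `strings`: runs of at least min_len printable ASCII bytes."""
    found, run = [], bytearray()
    for b in blob + b"\x00":              # trailing NUL flushes the last run
        if b in _PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found

def find_leaks(blob: bytes, patterns: list[str], context: int = 2) -> list[dict]:
    """Like `strings dump | grep -E -B n -A n`: each hit carries its neighbours."""
    regex = re.compile("|".join(patterns))   # grep -E semantics, case-sensitive
    lines = extract_strings(blob)
    hits = []
    for i, s in enumerate(lines):
        m = regex.search(s)
        if m:
            hits.append({"pattern": m.group(0), "match": s,
                         "context": lines[max(0, i - context): i + context + 1]})
    return hits

def leaked_patterns(blob: bytes, patterns: list[str]) -> set[str]:
    """Watched patterns that occur in cleartext anywhere in the dump."""
    return {h["pattern"] for h in find_leaks(blob, patterns)}

# Constructed sample dumps (not real memory images): the regular-VM sample embeds
# cleartext rows between non-printable filler, the TD sample holds only opaque bytes.
_FILLER = bytes([0x00, 0x01, 0x7f, 0x80, 0xff]) * 8
REGULAR_DUMP = (_FILLER + b"Balance\x00Razvan Varzaru\x00razvan@provider.com\x00"
                + b"ACC123456789\x001000.00\x00" + _FILLER + b"ACC444555666GBP\x00")
TD_DUMP = _FILLER + bytes(range(0x80, 0x100)) * 4 + _FILLER
WATCH = ["ACC123", "Razvan"]                 # the two markers grepped for in the post

if __name__ == "__main__":
    for name, dump in (("regular VM", REGULAR_DUMP), ("TD", TD_DUMP)):
        hits = find_leaks(dump, WATCH)
        print(f"{name}: {len(hits)} cleartext hit(s)")
        for h in hits:
            print("  ", h["match"], "<-", h["context"])
```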

Steps executed inside both VMs after installing MariaDB Server:

# Connect to the server
mariadb -uuser12 -ppassword123 -h localhost -P #FW_PORT#

# Verify that the connection is secured (data-in-transit protection)
MariaDB [(none)]> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| Ssl_cipher    | TLS_AES_256_GCM_SHA384 |
+---------------+------------------------+

# Check that the encryption plugin is ON (data-at-rest protection)
MariaDB [(none)]> SHOW VARIABLES LIKE '%encryption%';
+------------------------------------------+---------+
| Variable_name                            | Value   |
+------------------------------------------+---------+
| file_key_management_encryption_algorithm | aes_cbc |
| innodb_default_encryption_key_id         | 1       |
| innodb_encryption_rotate_key_age         | 1       |
| innodb_encryption_rotation_iops          | 100     |
| innodb_encryption_threads                | 4       |
+------------------------------------------+---------+

MariaDB [(none)]> SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE "%key%";
+---------------------+---------------+
| PLUGIN_NAME         | PLUGIN_STATUS |
+---------------------+---------------+
| file_key_management | ACTIVE        |
+---------------------+---------------+

:~/tdx/guest-tools/image$ ls -l *qcow*
-rwxrwxrwx 1 root root 1903362048 Oct 17 23:30 regular-guest-ubuntu-24.04-generic.qcow2
-rwxrwxrwx 1 root root 4116250624 Oct 17 06:23 tdx-guest-ubuntu-24.04-generic.qcow2

# Prepare dataset
CREATE DATABASE Customers;
USE Customers;

CREATE TABLE Individuals (
ID INT AUTO_INCREMENT PRIMARY KEY,
Name VARCHAR(100) NOT NULL,
Email VARCHAR(100),
PhoneNumber VARCHAR(15) NOT NULL,
Address VARCHAR(255)
) ENGINE=InnoDB, ENCRYPTED='YES';

INSERT INTO Individuals (Name, Email, PhoneNumber, Address)
VALUES ('Razvan Varzaru', 'razvan@provider.com', '+40700060000', '456 Real Rd, Bucharest, Romania');

INSERT INTO Individuals (Name, Email, PhoneNumber, Address)
VALUES ('John Doe', 'john.doe@provider.com', '+40700060001', '123 Fake St, Springfield, USA');

CREATE TABLE Accounts (
AccountID INT AUTO_INCREMENT PRIMARY KEY,
CustomerID INT,
AccountNumber VARCHAR(50) NOT NULL,
Currency VARCHAR(3) NOT NULL,
Balance DECIMAL(15, 2) NOT NULL,
FOREIGN KEY (CustomerID) REFERENCES Individuals(ID)
) ENGINE=InnoDB, ENCRYPTED='YES';

INSERT INTO Accounts (CustomerID, AccountNumber, Currency, Balance)
VALUES (1, 'ACC123456789', 'EUR', 1000.00);

INSERT INTO Accounts (CustomerID, AccountNumber, Currency, Balance)
VALUES (2, 'ACC444555666', 'GBP', 1500.00);

In conclusion, by leveraging the features of Intel® TDX, we can fully protect our data from unauthorized access and maintain the integrity of our information assets. We will explore in a future blog post how we can address the limits mentioned above.

CREATE USER 'user12'@'%' IDENTIFIED BY 'password123';
GRANT ALL PRIVILEGES ON *.* TO 'user12'@'%' WITH GRANT OPTION;

Dataset preparation.

~/tdx$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04 LTS (Noble Numbat)"

~/tdx$ lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Address sizes: 45 bits physical, 57 bits virtual
Byte Order: Little Endian
CPU(s): 224
On-line CPU(s) list: 0-223
Vendor ID: GenuineIntel
Model name: INTEL(R) XEON(R) PLATINUM 8570
CPU family: 6
Model: 207
Thread(s) per core: 2
Core(s) per socket: 56
Socket(s): 2
Stepping: 2

In this blog post, we will show that MariaDB Server can run correctly on an Intel® TDX enabled VM and that the in-memory data is protected from outside actors, even from the host OS running the VM. By coupling Intel’s Confidential Computing technology with MariaDB Server’s built-in data-at-rest and data-in-transit protection, customers can gain an end-to-end protected solution.

  • Install the server. You can download the latest MariaDB Server 11.4 from the downloads page.
  • Generate a keyfile for data-at-rest protection
  • Enable data-at-rest protection in the server configuration file
  • Bind to a public interface to allow remote connections
  • Restart the server to apply changes

This advancement is crucial as the growing use of cloud services is increasing the need to protect sensitive data. Cloud providers now offer Confidential Computing services based on Intel® TDX. For more technology specific details, see Intel’s website.

On the host side, the BIOS settings were already in place for us as described in Canonical’s instructions. If you’re setting up your own bare-metal instance, remember to enable TDX in the BIOS settings.

./tdvirsh list

 Id   Name                                                         State
---------------------------------------------------------------------------
 27   tdvirsh-trust_domain-ae41a94c-43f3-4bf0-9c30-b66a13ca6b42   running (ssh:38231 45017, cid:3)
 30   tdvirsh-regular_vm-00c643ab-205d-41b5-873d-a60800b284f3     running (ssh:45545 38053, cid:4)

We just need to run the configuration script.

We will end up with two disk images, under the repository tree.

./tdvirsh new \
  --td-image ./image/regular-guest-ubuntu-24.04-generic.qcow2 \
  --xml-template ./regular_vm.xml.template

./tdvirsh new \
  --td-image ./image/tdx-guest-ubuntu-24.04-generic.qcow2 \
  --xml-template ./trust_domain.xml.template