Terms and Concepts

Hosting Provider:

A hosting provider, also known as a server provider, is one or more individuals who offer hosting services for websites, applications, and other online services.

Enclave:

At a high level, an enclave is a secure and isolated area of a computer’s memory (typically in RAM) that only the processor can access, which protects information from unauthorized access or modification.

OVMF

Open Virtual Machine Firmware (OVMF) provides a secure and stable environment for running virtual machines, with features such as UEFI (Unified Extensible Firmware Interface) support and secure boot.

Kernel:

The kernel is responsible for handling system calls, managing memory, controlling input/output operations, and enforcing security policies. P2PCloud uses a predefined kernel for VM attestation.

Note: The kernel will be a version that providers can agree on, 5.19 or later.

InitramFS:

An initial RAM file system that is loaded into memory during the Linux kernel boot process. It contains a minimal set of tools and drivers necessary to mount the root file system and complete the boot process. P2P checks whether the boot drive is encrypted with LUKS. If it is not, P2P wipes the drive and reinstalls the OS, ensuring it is properly encrypted.

Cmdline:

The parameters the kernel is started with.

launchdigest

A breakdown of the Cmdline, InitramFS, OVMF, and Kernel being launched, which are combined using AMD algorithms to generate the launch digest.

NAT:

Network Address Translation is the process of modifying the network address of Internet Protocol (IP) packets while they are in transit across a traffic routing device. P2P utilizes NAT for VMs without static IPv4 addresses. It provides outbound connections and WebSSH, and forwards 5 ports to every VM by default for inbound traffic.

LUKS:

Linux Unified Key Setup (LUKS) is a disk encryption specification that provides disk encryption using a passphrase. P2PCloud protects disk integrity and security using LUKS in combination with a Trusted Execution Environment.

Attestation:

The process of verifying and validating the authenticity, integrity, and security of a system, software, or hardware component.

trusted execution environment:

A Trusted Execution Environment is a secure area of a computer system that provides an isolated execution environment for sensitive applications, such as security-critical software.

initramfs:

Initramfs (Initial RAM File System) is a temporary file system used by the Linux kernel during the boot process before the root file system is mounted. initramfs contains the necessary modules and utilities to initialize the hardware, unlock the encrypted partition, or assemble the RAID array, and then mount the root file system.

environment variables:

A set of variables that is generated and sent to the new VM as a set of instructions encrypted with the user’s secret.

keystore/keyring:

An algorithm for the storage and generation of WebSSH keys and launch secrets. It uses Argon2 to stretch the seed into a main key. The seed can be derived from a signature or any other 32-byte sequence.

yggdrasil

An open-source, decentralized IPv6 networking protocol that enables peer-to-peer connections and routing.

local(ephemeral) and network(persistent) storage

Local (ephemeral) storage refers to the temporary storage space that is available on a computer or server for data that is not required to be persistent. Network (persistent) storage refers to the storage space that is available on a networked file system or storage device for data that needs to be persistent and shared across multiple systems.

AMD SEV, AMD SEV-ES, AMD SEV-SNP

Trusted Execution Environment technologies built into the AMD EPYC SoC.

hoster CPU certificates

Certificates generated by the AMD SEV chip, unique to every CPU.