KATA-4394

Confidential Containers on Bare Metal [GA]

Parent: OCPSTRAT-2027 OpenShift Confidential Containers

      Feature Overview (aka. Goal Summary)

      Enable production-ready deployment of Confidential Containers on OpenShift bare metal clusters using Intel TDX, AMD SEV-SNP, or the Telum processor on IBM LinuxONE. This feature graduates Confidential Containers from Technology Preview to General Availability, providing enterprise-grade confidential computing capabilities that protect data in use through hardware-based memory encryption and attestation. Workloads run in hardware-isolated Trusted Execution Environments (TEEs), ensuring workload integrity and confidentiality even on untrusted infrastructure.

      Goals (aka. expected user outcomes)

      Primary User Personas: Platform Administrators, Security Engineers, Compliance Officers, Application Developers working with sensitive data

      Observable Functionality:

      • Platform administrators can deploy and manage Confidential Containers on bare metal OpenShift clusters with Intel TDX, AMD SEV-SNP and IBM LinuxONE hardware with full production support
      • Security engineers can enforce hardware-based workload isolation and attestation policies for sensitive workloads using TDX, SEV-SNP and IBM LinuxONE TEEs
      • Application developers can deploy containerized applications that require confidential computing guarantees without application modification
      • Compliance teams can demonstrate that workloads meet regulatory requirements for data protection in use (e.g., GDPR, HIPAA, PCI-DSS)

      Expanded Features:

      • Builds upon the Technology Preview release with enhanced stability, performance optimization, and supportability
      • Integrates with existing OpenShift security features (RBAC, network policies, pod security standards)
      • Extends OpenShift's bare metal deployment capabilities with confidential computing options

      Requirements (aka. Acceptance Criteria)

      Functional Requirements:

      • Support for Intel TDX (Trust Domain Extensions) on compatible bare metal hardware
      • Support for AMD SEV-SNP (Secure Encrypted Virtualization - Secure Nested Paging) on compatible bare metal hardware
      • Support for the Telum processor on IBM LinuxONE
      • Automated attestation and verification of TEE integrity before workload deployment
      • Runtime encryption of container memory and CPU state
      • Integration with OpenShift node and pod lifecycle management
      • Operator-based installation and configuration management
      • Support for standard Kubernetes/OpenShift workload types (Deployments, StatefulSets, DaemonSets, Jobs)
      • Key management integration for encryption key handling

      Non-Functional Requirements:

      • Security: Hardware-enforced memory encryption via TDX, SEV-SNP and IBM LinuxONE, secure boot chain, attestation verification, protection against memory snooping attacks
      • Maintainability: Automated operator-based lifecycle management, integrated logging and monitoring, clear upgrade paths
      • Usability: Clear documentation, integration with standard OpenShift workflows, minimal configuration required for basic use cases
      • Supportability: Full Red Hat support including SLA commitments, troubleshooting tools, diagnostic capabilities

      Documentation Considerations

      Required Documentation:

      • Installation Guide:
        • Hardware prerequisites (specific Intel and AMD processor models, and Telum processor models for IBM LinuxONE)
        • BIOS/firmware configuration, documented separately for TDX, SEV-SNP and IBM LinuxONE (Telum)
        • Operator installation
        • Hardware detection and validation procedures
      • Administrator Guide:
        • Cluster configuration for TDX, SEV-SNP and IBM LinuxONE environments
        • Resource management
        • Monitoring and troubleshooting (TDX-specific, SEV-SNP-specific and IBM LinuxONE-specific guidance)
        • Security policies
      • Developer Guide:
        • RuntimeClass configuration
        • Workload deployment
        • Attestation verification for TDX, SEV-SNP and IBM LinuxONE
        • Technology-specific limitations and considerations
      • Architecture Documentation:
        • Component overview
        • Data flow diagrams for TDX, SEV-SNP and IBM LinuxONE attestation flows
        • Security model comparison between TDX, SEV-SNP and IBM LinuxONE
        • Attestation process details
      • Hardware Compatibility Matrix:
        • Supported Intel processor models with TDX
        • Supported AMD processor models with SEV-SNP
        • Supported IBM LinuxONE systems and processors
        • Required BIOS/firmware versions
        • Known hardware limitations
      • Migration Guide:
        • TP to GA migration procedures
        • Configuration changes
        • Compatibility matrix
      • Release Notes:
        • Feature highlights
        • Known issues (if any)
        • Hardware compatibility list (Intel TDX, AMD SEV-SNP and IBM LinuxONE specific)
        • Upgrade considerations
        • Explicit statement of unsupported TEE technologies

      Questions to Answer

      1. Attestation Service Architecture: Will attestation be handled by an in-cluster service, an external service, or both? Document what is supported versus what is the recommended best practice.
      2. Upgrade Path: What is the migration path from Technology Preview to GA for existing users?
      3. Mixed Clusters: Can TDX and SEV-SNP nodes coexist in the same cluster?
      4. Hardware Detection: How does the operator automatically detect and differentiate between TDX, SEV-SNP and IBM LinuxONE capable hardware?

Marcos Entenza Garcia