Release notes: Building encrypted image and deploy it with EAA.

Signed-off-by: Jiale Zhang <zhangjiale@linux.alibaba.com>

releases/release_notes_09_2022.md

@@ -34,7 +34,10 @@ The following are known limitations of this release:
   * S390x is not supported by the COCO operator
 - Attestation and key brokering support is still under development
   * The disk-based key broker client (KBC) is still the primary method used for development, even if it will never be an acceptable approach in production.
-  * Remote attestion with simple-kbs, a simple key broker service (KBS) is expected to be merged just prior to release
+  * Currently, there are two KBS that can be used:
+    - simple-kbs:  simple key broker service (KBS) is expected to be merged just prior to release.
+    - [Verdictd](https://github.com/inclavare-containers/verdictd): An external project with which Attestation Agent can conduct remote attestation communication and key acquisition via EAA KBC
+  * The full-featured generic KBS and the corresponding KBC are still in the development stage.
   * For developers, other KBCs can be experimented with.
 - Signature support is in a transitory state, and should be replaced in the next release
   * We currently use skopeo, which requires kernel command-line options in order to do signature verification
@@ -293,6 +296,59 @@ In case the user wants to run the workload on a TDX capable hardware, using QEMU
 
 * *TBD: instructions to build encrypted container image and other requirements (attestation, key etc)* *
 
+### Use EAA KBC and Verdictd
+
+EAA is used to perform attestation at runtime and provide guest with confidential resources such as keys.
+It is based on [rats-tls](https://github.com/inclavare-containers/rats-tls).
+
+[Verdictd](https://github.com/inclavare-containers/verdictd) is the Key Broker Service and Attestation Service of EAA.
+The EAA KBC is an optional module in the attestation-agent at compile time,
+which can be used to communicate with Verdictd.
+The communication is established on the encrypted channel provided by rats-tls.
+
+EAA can now be used on intel TDX and intel SGX platforms.
+
+#### Create encrypted image
+
+Before build encrypted image, you need to make sure Skopeo and Verdictd(EAA KBS) have been installed:
+- [Skopeo](https://github.com/containers/skopeo): the command line utility to perform encryption operations.
+- [Verdictd](https://github.com/inclavare-containers/verdictd): EAA Key Broker Service and Attestation Service.
+
+1. Pull unencrypted image.
+
+Here use `alpine:latest` for example:
+
+```sh
+${SKOPEO_HOME}/bin/skopeo copy --insecure-policy　docker://docker.io/library/alpine:latest oci:busybox
+```
+
+2. Follow the [Verdictd README #Generate encrypted container image](https://github.com/inclavare-containers/verdictd#generate-encrypted-container-image) to encrypt the image.
+
+3. Publish the encrypted image to your registry.
+
+#### Deploy encrypted image
+
+1. Build rootfs with EAA component:
+
+Specify `AA_KBC=eaa_kbc` parameters when using kata-containers `rootfs.sh` scripts to create rootfs.
+
+2. Launch Verdictd
+
+Verdictd performs remote attestation at runtime and provides the key needed to decrypt the image.
+It is actually both Key Broker Service and Attestation Service of EAA.
+So when deploy the encrypted image, Verdictd is needed to be launched:
+
+```sh
+verdictd --listen <$ip>:<$port> --mutual
+```
+
+**Note:** The communication between Verdictd and EAA KBC is based on rats-tls,
+so you need to confirm that [rats-tls](https://github.com/inclavare-containers/rats-tls) has been correctly installed in your running environment.
+
+3. Agent Configuration
+
+Add configuration `aa_kbc_params= 'eaa_kbc::<$IP>:<$PORT>'` to agent config file, the IP and PORT should be consistent with verdictd.
+
 # Experience Trusted Ephemeral Storage for container image and RW layer
 
 Container image in COCO is pulled inside guest VM, it will be save in CC HW protected guest memory by default.