mirror of
https://github.com/confidential-containers/confidential-containers.git
synced 2025-10-21 23:48:29 +00:00
docs: remove outdated guide
The non-tee guide predates the sample attester, which allows us to use the attestation flow without hardware support. Before that we had a workaround in the operator that would provision a guest image with certain keys already baked into that. This is known as the ssh-demo in the operator, but it shouldn't be confused with the ssh-demo that we have in this repo, which is just a container that ships with an ssh daemon inside of it. The ssh-demo in this repo doesn't necessarily require attestation and is unrelated. We are removing the ssh-demo operator CRD so the nontee guide should go as well.

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
@@ -243,9 +243,6 @@ Secrets are provisioned to the guest in conjunction with an attestation, which i
|
||||
The rest of this guide focuses on setting up more substantial encrypted/signed workloads using attestation
|
||||
and confidential hardware.
|
||||
|
||||
See [this guide](./guides/nontee_demo.md) if you would like to deploy an example encrypted image without
|
||||
confidential hardware.
|
||||
|
||||
CoCo has a modular attestation interface and there are a few options for attestation.
|
||||
CoCo provides a generic Key Broker Service (KBS) that the rest of this guide will be focused on.
|
||||
The SEV runtime class uses `simple-kbs`, which is described in the [SEV guide](./guides/sev.md).
|
||||
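Review bot: Dropping the "See [this guide](./guides/nontee_demo.md)" sentence leaves this section with no pointer for readers who lack confidential hardware, even though the commit message says the sample attester now covers that case. Consider replacing the removed sentence with a short note that the attestation flow can be exercised without hardware support via the sample attester, rather than deleting it outright. Only the link removal is visible in this hunk, so please also confirm that `guides/nontee_demo.md` itself is deleted in the same commit and that no other document still links to it.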
@@ -407,7 +404,7 @@ EOT
|
||||
|
||||
Be sure to replace `[REGISTRY_URL]` with the desired registry URL of the encrypted image generated in previous step, replace `[RUNTIME_CLASS]` with kata runtime class for CC HW.
|
||||
|
||||
Then configure `/opt/confidential-containers/share/defaults/kata-containers/configuration-<RUNTIME_CLASS_SUFFIX>.toml` to add `agent.aa_kbc_params=cc_kbc::<KBS_URI>` to kernal parameters. Here `RUNTIME_CLASS_SUFFIX` is something like `qemu-tdx`, `KBS_URI` is the address of Key Broker Service in KBS cluster like `http://123.123.123.123:8080`.
|
||||
Then configure `/opt/confidential-containers/share/defaults/kata-containers/configuration-<RUNTIME_CLASS_SUFFIX>.toml` to add `agent.aa_kbc_params=cc_kbc::<KBS_URI>` to kernel parameters. Here `RUNTIME_CLASS_SUFFIX` is something like `qemu-tdx`, `KBS_URI` is the address of Key Broker Service in KBS cluster like `http://123.123.123.123:8080`.
|
||||
|
||||
Deploy encrypted image as a workload:
|
||||
|
||||
|
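Review bot: The `kernal` to `kernel` correction on the `agent.aa_kbc_params` line is unrelated to the stated purpose of the commit ("remove outdated guide") and is not mentioned in the commit message; add a line to the message or split it into its own commit. While this line is being touched, note that the example `KBS_URI` is `http://123.123.123.123:8080`: if the Key Broker Service is meant to be reached over TLS in real deployments, the example should use an `https://` address or state that plain HTTP is for testing only. The sentence above it also uses `[RUNTIME_CLASS]` while this one uses `<RUNTIME_CLASS_SUFFIX>`; a single placeholder style would be easier to follow.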