guides/sev: point container image link to web UI

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
Paul Meyer
2023-07-10 08:38:23 +02:00
committed by Tobin Feldman-Fitzthum
parent d66d45a839
commit 249b316900


@@ -74,7 +74,7 @@ Setting the second bit of the policy enables SEV-ES.
For more information see chapter 3 of the Secure Encrypted Virtualization API. For more information see chapter 3 of the Secure Encrypted Virtualization API.
The SEV policy is not the same as the policies that drive `simple-kbs`. The SEV policy is not the same as the policies that drive `simple-kbs`.
The CoCo project has created a sample encrypted container image ([encrypted-image-tests](ghcr.io/fitzthum/encrypted-image-tests:encrypted)). This image is encrypted using a key that comes already provisioned inside the `simple-kbs` for ease of testing. No `simple-kbs` policy is required to get things running. The CoCo project has created a sample encrypted container image ([ghcr.io/confidential-containers/test-container:encrypted](https://github.com/orgs/confidential-containers/packages/container/test-container/82546314?tag=encrypted)). This image is encrypted using a key that comes already provisioned inside the `simple-kbs` for ease of testing. No `simple-kbs` policy is required to get things running.
The image encryption key and key for SSH access have been attached to the CoCo sample encrypted container image as docker labels. This image is meant for TEST purposes only as these keys are published publicly. In a production use case, these keys would be generated by the workload administrator and kept secret. For further details, see the section how to [Create an Encrypted Image](#create-an-encrypted-image). The image encryption key and key for SSH access have been attached to the CoCo sample encrypted container image as docker labels. This image is meant for TEST purposes only as these keys are published publicly. In a production use case, these keys would be generated by the workload administrator and kept secret. For further details, see the section how to [Create an Encrypted Image](#create-an-encrypted-image).
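Review bot: the new link target embeds a numeric package-version id (`.../packages/container/test-container/82546314?tag=encrypted`), which is tied to one version entry in the GitHub Packages UI and will go stale if the `encrypted` tag is re-pushed; linking the package page itself (without the id) is more durable, and the visible link text `ghcr.io/confidential-containers/test-container:encrypted` should stay the pullable reference so readers can copy it straight into `skopeo`/`ctr` commands. The unchanged context line that follows still states that the image encryption key and SSH key are attached to the sample image as docker labels; please confirm the replacement image carries the same labels, otherwise the key-extraction steps referenced under "Create an Encrypted Image" no longer match the image this paragraph now points to.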
@@ -320,8 +320,8 @@ docker:[REGISTRY_URL]:encrypted \
Again, be sure to replace `[REGISTRY_URL]` with the desired registry URL. Again, be sure to replace `[REGISTRY_URL]` with the desired registry URL.
`--insecure-policy` flag is used to connect to the attestation agent and will not impact the security of the project. `--insecure-policy` flag is used to connect to the attestation agent and will not impact the security of the project.
Make sure to use the `docker` prefix in the source and destination URL when running the `skopeo copy` command as demonstrated above. Make sure to use the `docker` prefix in the source and destination URL when running the `skopeo copy` command as demonstrated above.
Utilizing images via the local `docker-daemon` is known to have issues, and the `skopeo copy` command does not return an adequate error Utilizing images via the local `docker-daemon` is known to have issues, and the `skopeo copy` command does not return an adequate error
response. A remote registry known to support encrypted images like GitHub Container Registry (GHCR) is required. response. A remote registry known to support encrypted images like GitHub Container Registry (GHCR) is required.
At this point it is a good idea to inspect the image was really encrypted as skopeo can silently leave it unencrypted. Use At this point it is a good idea to inspect the image was really encrypted as skopeo can silently leave it unencrypted. Use
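Review bot: the hunk header announces 8 lines but only 6 unchanged context lines are rendered here, so the actual replacement this hunk makes cannot be checked in this view; it should be the same link rewrite as in the first hunk, not a different URL. While touching this region, the context line "`--insecure-policy` flag is used to connect to the attestation agent and will not impact the security of the project" is inaccurate: in skopeo, `--insecure-policy` is the global option that runs the tool without any signature policy check, and it has nothing to do with the attestation agent. Suggest rewording to something like "`--insecure-policy` tells skopeo to skip its signature-policy check for this copy; it does not affect the encryption of the image layers", so readers do not carry the flag into production pipelines believing it is harmless there.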
@@ -394,7 +394,7 @@ The `simple-kbs` can be configured with a policy that requires the kata shim to
These steps will use the CoCo sample encrypted container image, but the image URL can be replaced with a user created image registry URL. These steps will use the CoCo sample encrypted container image, but the image URL can be replaced with a user created image registry URL.
To create the policy, the value of the SEV guest firmware measurement must be calculated. To create the policy, the value of the SEV guest firmware measurement must be calculated.
`pip` is required to install the `sev-snp-measure` utility. `pip` is required to install the `sev-snp-measure` utility.
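Review bot: this hunk claims 7 lines but only 3 unchanged context lines survive in this rendering, so the changed lines (presumably the same image-link rewrite as in the first hunk) are not reviewable here; please confirm the replacement text matches the first hunk exactly, since the context line above says these steps "use the CoCo sample encrypted container image" and a diverging URL between the two sections would send readers to two different images.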