release: Add trusted ephemeral storage description

Signed-off-by: Wang, Arron <arron.wang@intel.com>

releases/release_notes_09_2022.md

@@ -293,5 +293,100 @@ In case the user wants to run the workload on a TDX capable hardware, using QEMU
 
 * *TBD: instructions to build encrypted container image and other requirements (attestation, key etc)* *
 
+# Experience Trusted Ephemeral Storage for container image and RW layer
+
+Container image in COCO is pulled inside guest VM, it will be save in CC HW protected guest memory by default.
+Since memory is an expensive resource, COCO implemented [trusted ephemeral storage](https://github.com/confidential-containers/documentation/issues/39) for container image and RW layer.
+
+This solution is verified with Kubernetes CSI driver [open-local](https://github.com/alibaba/open-local). Please follow this [user guide](https://github.com/alibaba/open-local/blob/main/docs/user-guide/user-guide.md) to install open-local.
+
+We can use following example `trusted_store_cc.yaml` to have a try:
+```
+apiVersion: v1
+kind: Pod
+metadata:
+  name: trusted-lvm-block
+spec:
+  runtimeClassName: kata-qemu-tdx
+  containers:
+   - name: sidecar-trusted-store
+     image: pause
+     volumeDevices:
+     - devicePath: "/dev/trusted_store"
+       name: trusted-store
+   - name: application
+     image: busybox
+     command:
+     - sh
+     - "-c"
+     - |
+         sleep 10000
+  volumes:
+   - name: trusted-store
+     persistentVolumeClaim:
+       claimName: trusted-store-block-pvc
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: trusted-store-block-pvc
+spec:
+  volumeMode: Block
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: open-local-lvm
+```
+Before deploy the workload, we can follow this [documentation](https://github.com/kata-containers/kata-containers/blob/CCv0/docs/how-to/how-to-build-and-test-ccv0.md) and use [ccv0.sh](https://github.com/kata-containers/kata-containers/blob/CCv0/docs/how-to/ccv0.sh) to enable COCO console debug(optional, check whether working as expected).
+
+Create the workload:
+```
+kubectl apply -f trusted_store_cc.yaml
+```
+
+Ensure the pod was created successfully (in running state):
+```
+kubectl get pods
+```
+
+Output:
+```
+NAME                READY   STATUS    RESTARTS   AGE
+trusted-lvm-block   2/2     Running   0          31s
+```
+
+After we enable the debug option, we can login into the VM with `ccv0.sh` script:
+```
+./ccv0.sh -d open_kata_shell
+```
+
+Check container image is saved in encrypted storage with following commands:
+```
+root@localhost:/# lsblk --fs
+NAME                             FSTYPE LABEL UUID FSAVAIL FSUSE% MOUNTPOINT
+sda
+└─ephemeral_image_encrypted_disk                      906M     0% /run/image
+
+root@localhost:/# cryptsetup status ephemeral_image_encrypted_disk
+/dev/mapper/ephemeral_image_encrypted_disk is active and is in use.
+  type:    LUKS2
+  cipher:  aes-xts-plain64
+  keysize: 512 bits
+  key location: dm-crypt
+  device:  /dev/sda
+  sector size:  4096
+  offset:  32768 sectors
+  size:    2064384 sectors
+  mode:    read/write
+
+root@localhost:/# mount|grep image
+/dev/mapper/ephemeral_image_encrypted_disk on /run/image type ext4 (rw,relatime)
+
+root@localhost:/# ls /run/image/
+layers  lost+found  overlay
+```
+
 # Debugging problems
 * *TBD: describe tools to debug problems, logs etc…* *