From 47df4e83e94ff8d1262293b3f166bcb02a67317c Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Thu, 10 Nov 2022 02:36:39 -0500 Subject: [PATCH] Update SEV quickstart (#71) KBS is no longer required for unencrypted images with SEV Signed-off-by: Tobin Feldman-Fitzthum --- quickstart.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/quickstart.md b/quickstart.md index c6a10db..fe8a144 100644 --- a/quickstart.md +++ b/quickstart.md @@ -398,7 +398,16 @@ The image encryption key and key for SSH access have been attached to the CoCo s To learn more about creating custom policies, see the section on [Creating a simple-kbs Policy to Verify the SEV Firmware Measurement](#creating-a-simple-kbs-policy-to-verify-the-sev-firmware-measurement). -Currently, the SEV unencrypted image use case also requires the `simple-kbs` to be deployed. This will change in a future CoCo release. +A KBS is not required to run unencrypted containers. +Instead, disable pre-attestation by editing the Kata config file located at `/opt/confidential-containers/share/defaults/kata-containers/configuration-qemu-sev.toml`. +``` +guest_pre_attestation = false +``` +Image decryption and signature validation will not work if pre-attestation is disabled. + +> **Note** It is not recommended to edit the Kata configuration file manually. +These changes might be overwritten by the operator. + `docker-compose` is required to run the `simple-kbs` and its database in docker containers:
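Review bot: The new paragraph tells the reader to hand-edit `/opt/confidential-containers/share/defaults/kata-containers/configuration-qemu-sev.toml` to set `guest_pre_attestation = false`, and the `> **Note**` added a few lines later then says manual edits to that file are not recommended and may be overwritten by the operator; as written the instruction contradicts its own caveat, so either point to the operator-supported way of applying this setting or state explicitly that the manual edit is a temporary workaround that the reader must re-check after any operator reconcile, otherwise the change can silently revert and the unencrypted-image flow breaks again. The sentence "Image decryption and signature validation will not work if pre-attestation is disabled." is the security consequence of the setting and belongs immediately before the config snippet (or inside the Note block) rather than after it, so a reader sees what they give up before flipping the value. Two style points: the fence is opened with a bare ``` and should carry a language tag (`toml`), and the second line of the Note block, "These changes might be overwritten by the operator.", lacks the leading `>`; it renders today as a lazy continuation but will fall out of the blockquote if a blank line is ever inserted above it.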