From 4b2f89ee4728133b024242ca0aa56e59e2f0f32b Mon Sep 17 00:00:00 2001 From: Tobin Feldman-Fitzthum Date: Tue, 4 Apr 2023 12:26:47 -0400 Subject: [PATCH] SEV: Add annotations guide The shim now supports a number of annotations for SEV(-ES), meaning that we no longer need to modify the config file to set things like the guest policy or kbs uri. Update the quickstart guide to spread the news. Signed-off-by: Tobin Feldman-Fitzthum --- guides/sev.md | 41 ++++++++++++++++------------------------- 1 file changed, 16 insertions(+), 25 deletions(-) diff --git a/guides/sev.md b/guides/sev.md index 97be355..b8915f4 100644 --- a/guides/sev.md +++ b/guides/sev.md 
@@ -55,11 +55,24 @@ sudo ./sevctl/target/debug/sevctl export --full /opt/sev/cert_chain.cert ### Setup and Run the simple-kbs -The [simple-kbs](https://github.com/confidential-containers/simple-kbs) is a basic key broker service that hosts secret storage and provides secret release policies configurable by container workload creators or users. -The `simple-kbs` is a prototype implementation under development and is not intended for production use at this time. +By default, the `kata-qemu-sev` runtime class uses pre-attestation with the +`online-sev-kbc` and [simple-kbs](https://github.com/confidential-containers/simple-kbs) to attest the guest and provision secrets. +`simple-kbs` is a basic prototype key broker that can validate a guest measurement according to a policy and conditionally release secrets. +To use encrypted images, signed images, or authenticated registries with SEV, you should setup `simple-kbs`. +If you simply want to run an unencrypted container image, you can disable pre-attestation by adding the following annotation +`io.katacontainers.config.pre_attestation.enabled: "false"` to your pod. -For the SEV encrypted image use case, it is required to host the key used to encrypt the container image from the `simple-kbs`. +If you are using pre-attestation, you will need to add an annotation to your pod that contains the URI of `simple-kbs`. +This annotation should be of the form `io.katacontainers.config.pre_attestation.uri: ":44444"`. +Port 44444 is the default port per the directions below, but it can be configured. +The KBS IP must be accessible from inside the guest. +Usually it should be the public IP of the node where `simple-kbs` runs. + +The SEV policy can also be set by adding `io.katacontainers.config.sev.policy: ""` to your pod configuration. +Setting the second bit of the policy enables SEV-ES. +For more information see chapter 3 of the AMD Secure Encrypted Virtualization API. 
+The SEV policy is not the same as the policies that drive `simple-kbs`. The CoCo project has created a sample encrypted container image ([encrypted-image-tests](ghcr.io/fitzthum/encrypted-image-tests:encrypted)). This image is encrypted using a key that comes already provisioned inside the `simple-kbs` for ease of testing. No `simple-kbs` policy is required to get things running. @@ -67,28 +80,6 @@ The image encryption key and key for SSH access have been attached to the CoCo s To learn more about creating custom policies, see the section on [Creating a simple-kbs Policy to Verify the SEV Firmware Measurement](#creating-a-simple-kbs-policy-to-verify-the-sev-firmware-measurement). -A KBS is not required to run unencrypted containers. -Instead, disable pre-attestation by editing the Kata config file located at `/opt/confidential-containers/share/defaults/kata-containers/configuration-qemu-sev.toml`. -``` -guest_pre_attestation = false -``` -Image decryption and signature validation will not work if pre-attestation is disabled. - -> **Note** It is not recommended to edit the Kata configuration file manually. -These changes might be overwritten by the operator. - -If you are using attestation, you will need to update the above Kata configuration file to point -to the URI of the KBS. - -For example, set -`guest_pre_attestation_proxy = ":44444"` - -You will also need to update the Kata configuration to add an extra kernel parameter specifying KBS information. -For example, add `agent.aa_kbc_params=online_sev_kbc:::44444` -to the `kernel_params` field in the configuration file. - -The KBS IP must be accesible from inside the guest. Port 44444 is the default port per the directions below, but it can be configured. - `docker-compose` is required to run the `simple-kbs` and its database in docker containers: * Debian / Ubuntu:
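Review bot: In the first hunk (`@@ -55,11 +55,24 @@`) both annotation examples render with empty values, `io.katacontainers.config.pre_attestation.uri: ":44444"` and `io.katacontainers.config.sev.policy: ""`, so a reader cannot tell what belongs before `:44444` or inside the policy quotes; use explicit placeholders such as `"<KBS_IP>:44444"` and `"<POLICY>"`, or a concrete sample value, so the lines survive rendering. "Setting the second bit of the policy enables SEV-ES" is also ambiguous between bit 1 and bit 2 depending on whether counting starts at zero; since chapter 3 of the AMD SEV API is already cited, give the bit position and its numeric value exactly as that document states them. Minor: "you should setup `simple-kbs`" should read "set up".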
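Review bot: The second hunk (`@@ -67,28 +80,6 @@`) removes the explicit sentence "Image decryption and signature validation will not work if pre-attestation is disabled.", and the replacement text in the first hunk only implies it by telling users who want encrypted or signed images to set up `simple-kbs`; keep that one-line warning next to the `io.katacontainers.config.pre_attestation.enabled: "false"` annotation so a reader who disables pre-attestation for a plain image knows what stops working. The removed `agent.aa_kbc_params=online_sev_kbc:...` kernel parameter also disappears without the guide saying how the KBS information it carried now reaches the guest agent; one sentence stating that the shim derives it from the annotations (which is what the commit message describes) would help readers moving from the config-file workflow.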