mirror of
https://github.com/confidential-containers/confidential-containers.git
synced 2025-09-18 16:57:54 +00:00
SEV: Add annotations guide
The shim now supports a number of annotations for SEV(-ES), meaning that we no longer need to modify the config file to set things like the guest policy or kbs uri. Update the quickstart guide to spread the news. Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
This commit is contained in:
committed by
Tobin Feldman-Fitzthum
parent
e7bac1044c
commit
4b2f89ee47
@@ -55,11 +55,24 @@ sudo ./sevctl/target/debug/sevctl export --full /opt/sev/cert_chain.cert
### Setup and Run the simple-kbs
The [simple-kbs](https://github.com/confidential-containers/simple-kbs) is a basic key broker service that hosts secret storage and provides secret release policies configurable by container workload creators or users.
The `simple-kbs` is a prototype implementation under development and is not intended for production use at this time.
By default, the `kata-qemu-sev` runtime class uses pre-attestation with the
`online-sev-kbc` and [simple-kbs](https://github.com/confidential-containers/simple-kbs) to attest the guest and provision secrets.
`simple-kbs` is a basic prototype key broker that can validate a guest measurement according to a policy and conditionally release secrets.
To use encrypted images, signed images, or authenticated registries with SEV, you should setup `simple-kbs`.
If you simply want to run an unencrypted container image, you can disable pre-attestation by adding the following annotation
`io.katacontainers.config.pre_attestation.enabled: "false"` to your pod.
For the SEV encrypted image use case, it is required to host the key used to encrypt the container image from the `simple-kbs`.
If you are using pre-attestation, you will need to add an annotation to your pod that contains the URI of `simple-kbs`.
This annotation should be of the form `io.katacontainers.config.pre_attestation.uri: "<KBS IP>:44444"`.
Port 44444 is the default port per the directions below, but it can be configured.
The KBS IP must be accessible from inside the guest.
Usually it should be the public IP of the node where `simple-kbs` runs.
The SEV policy can also be set by adding `io.katacontainers.config.sev.policy: "<SEV POLICY>"` to your pod configuration.
Setting the second bit of the policy enables SEV-ES.
For more information see chapter 3 of the AMD Secure Encrypted Virtualization API.
The SEV policy is not the same as the policies that drive `simple-kbs`.
The CoCo project has created a sample encrypted container image ([encrypted-image-tests](ghcr.io/fitzthum/encrypted-image-tests:encrypted)). This image is encrypted using a key that comes already provisioned inside the `simple-kbs` for ease of testing. No `simple-kbs` policy is required to get things running.
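Review bot: the new `simple-kbs` sentence drops the removed line's explicit statement that it "is not intended for production use at this time"; "basic prototype key broker" only hints at this, so keep the explicit caveat. In the same hunk, "Setting the second bit of the policy enables SEV-ES" is ambiguous between bit 1 and bit 2 under zero-based numbering; state the bit index and hex mask explicitly so readers build the right `io.katacontainers.config.sev.policy` value. Minor: "you should setup `simple-kbs`" should read "set up".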
@@ -67,28 +80,6 @@ The image encryption key and key for SSH access have been attached to the CoCo s
To learn more about creating custom policies, see the section on [Creating a simple-kbs Policy to Verify the SEV Firmware Measurement](#creating-a-simple-kbs-policy-to-verify-the-sev-firmware-measurement).
A KBS is not required to run unencrypted containers.
Instead, disable pre-attestation by editing the Kata config file located at `/opt/confidential-containers/share/defaults/kata-containers/configuration-qemu-sev.toml`.
```
guest_pre_attestation = false
```
Image decryption and signature validation will not work if pre-attestation is disabled.
> **Note** It is not recommended to edit the Kata configuration file manually.
These changes might be overwritten by the operator.
If you are using attestation, you will need to update the above Kata configuration file to point
to the URI of the KBS.
For example, set
`guest_pre_attestation_proxy = "<KBS IP>:44444"`
You will also need to update the Kata configuration to add an extra kernel parameter specifying KBS information.
For example, add `agent.aa_kbc_params=online_sev_kbc::<KBS IP>:44444`
to the `kernel_params` field in the configuration file.
The KBS IP must be accesible from inside the guest. Port 44444 is the default port per the directions below, but it can be configured.
`docker-compose` is required to run the `simple-kbs` and its database in docker containers:
* Debian / Ubuntu:
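Review bot: this hunk removes the explicit warning "Image decryption and signature validation will not work if pre-attestation is disabled", and the replacement text in the earlier hunk only states the positive case ("To use encrypted images, signed images, or authenticated registries with SEV, you should setup `simple-kbs`"); keep an explicit negative statement next to the `io.katacontainers.config.pre_attestation.enabled: "false"` annotation so users who disable pre-attestation know those features stop working. The removed text also documented the `agent.aa_kbc_params=online_sev_kbc::<KBS IP>:44444` kernel parameter; if the `pre_attestation.uri` annotation now sets this on the user's behalf, a one-line mention would help readers migrating from manual edits of `configuration-qemu-sev.toml`.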