Commit Graph

99 Commits

Author SHA1 Message Date
Jiale Zhang
cf2cfd873d QuickStart: Reorganize and refined simplification
Fixed: #96

The current quick start is relatively lengthy,
this commit makes the technology stacks for special HW separate markdown pages:

- Use simple-kbs to encrypt container image and deploy it on SEV: `guides/sev-guide.md`
- Use Verdictd to encrypt container image and deploy it on TDX: `guides/eaa-verdictd-guide.md`

Signed-off-by: Jiale Zhang <zhangjiale@linux.alibaba.com>
2023-04-03 08:10:44 +02:00
Pradipta Banerjee
bae433e921 Update architecture doc and diagrams (#111)
The patch includes a number of fixes for the architecture doc.
Fixes the logical flow between the attestation agent and relying party
for all the diagrams.
Fixes the architecture diagram for process-based TEEs and replaces
references to inclavare with enclave-cc.
Added the architecture diagram for peer-pods approach.
Finally updated the markdown to use relative paths for the images to make
it easier for viewing during reviews and editors.

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
2023-04-01 15:41:59 +05:30
Dan Middleton
720bf64b69 Formatting fixups and date fix
Signed-off-by: Dan Middleton <dan.middleton@intel.com>
2023-03-30 07:51:24 -05:00
Dan
5b1a1f478c Add KBS as a new feature
Co-authored-by: Jiale Zhang <652716685@qq.com>
Signed-off-by: Dan Middleton <dan.middleton@intel.com>
2023-03-30 07:51:24 -05:00
Dan
96fe6d46a0 Add KBS Resource URI as a new feature.
Co-authored-by: Xynnn_ <xynnn@linux.alibaba.com>
Signed-off-by: Dan Middleton <dan.middleton@intel.com>
2023-03-30 07:51:24 -05:00
Dan
06a9707741 Add SEV annotation config feature
Co-authored-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
Signed-off-by: Dan Middleton <dan.middleton@intel.com>
2023-03-30 07:51:24 -05:00
Dan Middleton
fe4521dbe4 Update security badge status
Since last release the final repos have added unit test coverage and
linting hooked into CI.

Signed-off-by: Dan Middleton <dan.middleton@intel.com>
2023-03-30 07:51:24 -05:00
Dan Middleton
c078719588 Add enclave-cc / SGX support
Signed-off-by: Dan Middleton <dan.middleton@intel.com>
2023-03-30 07:51:24 -05:00
Dan Middleton
d277154b22 Initial draft of v0.5 release notes
Signed-off-by: Dan Middleton <dan.middleton@intel.com>
2023-03-30 07:51:24 -05:00
Dan Middleton
b3922ef78e Fix formatting
Signed-off-by: Dan Middleton <dan.middleton@intel.com>
2023-03-03 16:21:26 -06:00
Dan Middleton
5eae0f00b7 Fix KBC release notes
Signed-off-by: Dan Middleton <dan.middleton@intel.com>
2023-03-03 16:21:26 -06:00
Dan Middleton
88923984de Add docs links and release overview comment
Signed-off-by: Dan Middleton <dan.middleton@intel.com>
2023-03-03 16:21:26 -06:00
Dan
fe4784640a Add oci-crypt link
Co-authored-by: Christophe de Dinechin <christophe@dinechin.org>
2023-03-03 16:21:26 -06:00
Dan
f6b7d4bffa Remove redundant KBS
Co-authored-by: Christophe de Dinechin <christophe@dinechin.org>
2023-03-03 16:21:26 -06:00
Dan
d5f6ccd76e Define KBS
Co-authored-by: Christophe de Dinechin <christophe@dinechin.org>
2023-03-03 16:21:26 -06:00
Dan
37d484813b Fix s390x naming
Co-authored-by: Christophe de Dinechin <christophe@dinechin.org>
2023-03-03 16:21:26 -06:00
Dan
5948dbe382 Update releases/v0.4.0.md
Co-authored-by: Christophe de Dinechin <christophe@dinechin.org>
2023-03-03 16:21:26 -06:00
Dan Middleton
d2d4bc2ed5 Remove SEV KBS limitation from release notes
Signed-off-by: Dan Middleton <dan.middleton@intel.com>
2023-03-03 16:21:26 -06:00
Dan Middleton
94e09c394c release notes v0.4.0 initial commit
Signed-off-by: Dan Middleton <dan.middleton@intel.com>
2023-03-03 16:21:26 -06:00
Ryan Savino
948ec86535 sev: update skopeo encrypt command to use 'docker' target
Fixes: #97

Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
2023-02-10 16:32:27 -05:00
Thomas Fossati
514fabbc3b small typo
Signed-off-by: Thomas Fossati <thomas.fossati@arm.com>
2023-02-04 14:17:11 -06:00
Thomas Fossati
63139b3ada update ref to RATS architecture
update ref to RATS architecture, it's been published as RFC9334

Signed-off-by: Thomas Fossati <thomas.fossati@arm.com>
2023-02-04 14:17:11 -06:00
Fabiano Fidêncio
f688f82f06 quickstart: How to use a different KBC with enclave-cc
Let's add a small piece of documentation about what the users should do
in case they want to try enclave-cc with a different KBC.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-01-20 08:46:19 +01:00
Tobin Feldman-Fitzthum
8a8ff5af02 Update release notes
Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
2023-01-19 18:36:35 +01:00
Tobin Feldman-Fitzthum
920e5fd3f9 Quickstart: change quay to ghcr
Avoid issues with quay support for encrypted images.
For now ghcr image is hosted via my gh.

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
2023-01-18 11:54:19 +01:00
Tobin Feldman-Fitzthum
63f79170a7 Quickstart: Update info on enabling debug console
Now we can use the debug console without rebuilding
the initrd.

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
2023-01-18 11:54:19 +01:00
Tobin Feldman-Fitzthum
a673039e03 quickstart: add KBS URI information
Soon this will be set via annotation and modifying the kata config
will not be required.

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
2023-01-18 11:54:19 +01:00
Unmesh Deodhar
130745e34a Remove outdated SEV documentation
Removing old instructions for SEV.

Signed-off-by: Unmesh Deodhar <udeodhar@amd.com>
2023-01-17 18:30:30 +01:00
Fabiano Fidêncio
9faf24a7f2 quickstart: Update the required vCPU numbers to 4
While preparing the `v0.3.0` release, we've noticed that using a VM with
2 vCPUs would lead to:
```
Name:           cc-operator-controller-manager-79797456f6-spmss
Namespace:      confidential-containers-system
...
Events:
  Type     Reason            Age    From               Message
  ----     ------            ----   ----               -------
  Warning  FailedScheduling  4m12s  default-scheduler  0/1 nodes are available: 1 Insufficient cpu. preemption: 0/1 nodes are available: 1 No preemption victims found for incoming pod.
```

And this is *NOT* something introduced between `v0.2.0` and `v0.3.0`, as
it also happens with the previous release.

For now, let's update the documentation accordingly and revisit this
after the release in case we need to really rely on deploying in nodes
with 2 vCPUs.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-01-17 15:34:38 +01:00
Fabiano Fidêncio
fdf5f4b2d2 quickstart: Update description of the qemu-tdx runtime class
Now it's prepared to be used with Verdictd and EAA KBC.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-01-17 15:34:38 +01:00
Fabiano Fidêncio
a7f1716eae quickstart: Use v0.3.0 as example, instead of v0.2.0
As we're about to release v0.3.0, let's update the quickstart guide so
it's easier for folks to try it out using the correct latest release.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-01-17 15:34:38 +01:00
Fabiano Fidêncio
41d23524f7 quickstart: Adapt to the operator using kustomize
Let's adapt the instructions to using kustomize for deploying the sample
ccruntime custom resource.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2023-01-17 15:34:38 +01:00
Wainer dos Santos Moschetta
0c2ea2f441 quickstart: Add a note on prerequisites about SELinux
The operator does not work(**) with SELinux enabled and enforced. Added
a note about it on the prerequisites section.

(**) https://github.com/confidential-containers/operator/issues/115

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2023-01-16 18:57:09 +01:00
Wainer dos Santos Moschetta
6b5d0edfd2 quickstart: Add a note about troubleshooting image pull issue
The CoCo Pod might fail when the *IfNotPresent* policy is set. Add some
words about that on the troubleshoot section.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2023-01-16 18:57:09 +01:00
Wainer dos Santos Moschetta
9368189fa4 quickstart: note about checking the image is encrypted
skopeo can leave the image unencrypted without any notice. Added a
comment about checking it is not the case for an image built by the
user.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2023-01-16 18:57:09 +01:00
Wainer dos Santos Moschetta
d91527685f quickstart: Detail the key spec for SEV offline KBC
Mentioned that the encryption key for SEV offline KBC should have 32
bytes and be base64 encoded.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2023-01-16 18:57:09 +01:00
Wainer dos Santos Moschetta
43c12f208d quickstart: Add a note about a bug on sevctl for RHEL/Fedora
There is a bug(**) on sevctl affecting some versions of the package on RHEL
and Fedora. Added a note mentioning it might be needed to build the tool
from the sources.

(**) https://bugzilla.redhat.com/show_bug.cgi?id=2037963

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2023-01-16 18:57:09 +01:00
Wainer dos Santos Moschetta
bf7b50c696 quickstart: Update link to sevctl project
sevctl repository at enarx organization is now read-only as the development moved to
https://github.com/virtee/sevctl. The URL was updated in the quickstart.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2023-01-16 18:57:09 +01:00
hairongchen
f381a4a594 update according to comments
Signed-off-by: hairongchen <hairong.chen@intel.com>
2023-01-13 21:07:33 +01:00
hairongchen
019e9fb93b update according to comments
Signed-off-by: hairongchen <hairong.chen@intel.com>
2023-01-13 21:07:33 +01:00
hairongchen
372bd93a5a update according to comments
Signed-off-by: hairongchen <hairong.chen@intel.com>
2023-01-13 21:07:33 +01:00
hairongchen
934a9e1ed9 update workload deployment using hardware mode with encrypted and cosign signed image

Signed-off-by: hairongchen <hairong.chen@intel.com>
2023-01-13 21:07:33 +01:00
stevenhorsman
96977efa8c Authenticated registry support
Add new feature for authenticated registry support and point to
the design docs. We might have more info on how to set it up in future
but that is probably linked to configuring the guest image for
offline_fs_kbc configuration in the non-TEE scenario and separate for
other confidential hardware, so we might need the quickstart guide
to be broken down into separate topics first.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2022-12-02 16:21:49 +01:00
Unmesh Deodhar
6af93de108 Adding extra information about the flag.
Adding extra information about the flag in skopeo copy command.

Signed-off-by: Unmesh Deodhar <udeodhar@amd.com>

Fixing newline change.

Fixing the newline change.

Signed-off-by: Unmesh Deodhar <udeodhar@amd.com>

Removing sudo for docker commands

Assuming user has setup the docker correctly, we do not need to use sudo for docker commands.

Signed-off-by: Unmesh Deodhar <udeodhar@amd.com>

quickstart: Filling gaps in the SEV documentation.

Fixing a couple of permission issues and command line parameters for skopeo.

Signed-off-by: Unmesh Deodhar <udeodhar@amd.com>
2022-11-22 13:48:52 -05:00
Tobin Feldman-Fitzthum
8df30c9b91 Blank release notes for v0.3.0
Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
2022-11-21 16:30:17 +01:00
Shirong Hao
5e3e36fe3b quickstart: fix Ansible docker_container module install command
Signed-off-by: Shirong Hao <shirong@linux.alibaba.com>
2022-11-21 16:29:59 +01:00
Fabiano Fidêncio
40d3394918 quickstart: Add a note about Enclave CC limitations with Kind
Enclave CC requires the Kind cluster to be prepared with
`/opt/confidential-containers` **not** mounted on an overlayfs,
but rather being part of the `hostPath` mount.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2022-11-10 12:13:12 +01:00
Fabiano Fidêncio
9b797d0ddf quickstart: Add a note about QEMU limitation with Kind / Minikube
It's a known limitation that QEMU based runtime classes will not work
with Kind or Minikube, leading to:
```
Events:
  Type     Reason                  Age   From               Message
  ----     ------                  ----  ----               -------
  Normal   Scheduled               42s   default-scheduler  Successfully assigned default/nginx-kata-qemu to minikube
  Warning  FailedCreatePodSandBox  9s    kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create containerd task: failed to create shim task: Failed to Check if grpc server is working: rpc error: code = DeadlineExceeded desc = timed out connecting to vsock 3189232285:1024: unknown
```

This needs further debugging in order to get to the root cause of the issue,
and potentially to a fix. However, for now, we should make sure that we
document such a limitation.

One issue already reported about this is
https://github.com/confidential-containers/operator/issues/124, and
that's also been observed by Pradipta during the early tests of v0.1.0.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2022-11-10 12:13:12 +01:00
Tobin Feldman-Fitzthum
47df4e83e9 Update SEV quickstart (#71)
KBS is no longer required for unencrypted images with SEV

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
2022-11-10 13:06:39 +05:30
Dan Middleton
c0d557f55c Quickstart remove redundant hardware section
This is tracked in release notes. Maintain that info in one place.

Signed-off-by: Dan Middleton <dan.middleton@intel.com>
2022-11-10 08:29:06 +01:00