confidential-containers/releases/v0.6.0.md
Tobin Feldman-Fitzthum 6ef8992bc0 releases: fix dead links in release notes
Our link checker is having problems with GH redirects, so let's update
these links to point to the right place (even for the old releases).

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
2025-01-23 13:04:01 -05:00


Release Notes for v0.6.0

Release Date: June 7th, 2023

Please see the quickstart guide for details on how to try out Confidential Containers.

Please refer to our Acronyms and Glossary pages for a definition of the acronyms used in this document.

What's new

  • Support for attesting pod VMs with Azure vTPMs on SEV-SNP
  • Support for using Project Amber as an attestation service
  • Support for Cosign signature validation with s390x
  • Pulling guest images with many layers can no longer cause guest CPU starvation.
  • Attestation Service upgraded to avoid several security issues in Go packages.
  • CC-KBC & KBS support with SGX attester/verifier for Occlum and CI for enclave-cc

Hardware Support

Confidential Containers is tested with attestation on the following platforms:

  • Intel TDX
  • AMD SEV(-ES)
  • Intel SGX

The following platforms are untested or partially supported:

  • IBM Secure Execution (SE) on IBM zSystems (s390x) running LinuxONE
  • AMD SEV-SNP

The following platforms are in development:

  • ARM CCA

Limitations

The following are known limitations of this release:

  • Platform support is rapidly changing
    • Image signature validation with AMD SEV-ES is not covered by CI.
  • SELinux is not supported on the host and must be set to permissive if in use.
  • The generic KBS does not yet support all platforms.
  • The format of encrypted container images is still subject to change
    • The oci-crypt container image format itself may still change
    • The tools to generate images are not in their final form
    • The image format itself is subject to change in upcoming releases
    • Not all image repositories support encrypted container images.
  • CoCo currently requires a custom build of containerd, which is installed by the operator.
    • Codepath for pulling images will change significantly in future releases.
    • crio is only supported with cloud-api-adaptor.
  • Complete integration with Kubernetes is still in progress.
    • OpenShift support is not yet complete.
    • Existing APIs do not fully support the CoCo security and threat model.
    • Some commands accessing confidential data, such as kubectl exec, may either fail to work or incorrectly expose information to the host.
    • Container images must be downloaded separately (inside the guest) for each pod.
  • The CoCo community aspires to adopt open source security best practices, but not all practices are adopted yet.
    • We track our status with the OpenSSF Best Practices Badge, which remained at 64% at the time of this release.
    • Vulnerability reporting mechanisms still need to be created. Public GitHub issues are still appropriate for this release until private reporting is established.

CVE Fixes

None