Glossary
Note: Many terms not defined here are defined in the Kata Containers glossary. See also the Acronyms page.
0-9 | A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z
0-9
A
Adjunct Processor
IBM Adjunct Processor (AP) is the bus used by IBM Crypto Express hardware security modules on IBM Z & LinuxONE (s390x).
Asymmetric encryption
A form of cryptography that uses different keys for encryption and decryption. See Public Key Cryptography.
Attestation
A process for establishing the identity or integrity of a computing resource. In the case of confidential containers, attestation offers guarantees to the owner about the execution environment as well as about the workload running in it.
See Attestation agent.
Attestation agent
A user space authentication service that runs as a daemon inside the VM guest. It provides services to an encrypted container library to help decrypt the encrypted image layers.
The Attestation Agent provides secrets to guest user space after facilitating the measurement of the guest. Usually these secrets are container decryption keys used by the encrypted container library to decrypt confidential workloads.
The Attestation Agent has a modular interface that supports many different Key Broker Clients (KBCs). KBCs carry out secret provisioning in conjunction with a trusted Key Broker Service (KBS):
- A GetResource gRPC call to the agent results in it requesting one of the following resources:
  - Public keyring (the Key Encryption Key) from the KBS.
  - Policy File.
  - sigstore configuration file.
- An encrypted container library makes an UnWrapKey KeyProvider gRPC call. The agent selects the appropriate KBC by looking at the name specified in the UnwrapKey call and uses this to call the appropriate KBS to decrypt the encrypted payload stored in the image layer annotation.
Decoupling the encrypted container library from the KBS implementations provides flexibility since the agent can provide a generic, consistent interface to potentially differing KBS implementations.
In RATS parlance, the AA is the "attester".
See Encrypted Container Image.
Attestation server
A server, such as the attestation agent, that provides attestation services.
Attestation service
Verifies the measurement provided to it by the key broker service.
In RATS parlance, the AS is the "verifier".
Authenticated Encryption
A form of encryption that assures the confidentiality and authenticity of data.
Authenticated Encryption with Associated Data
A form of authenticated encryption that allows the recipient to check the integrity of both the encrypted and unencrypted information in a message.
B
C
CIA triad
The three desirable features of a secure system:
- Confidentiality
- Integrity
- Availability
CIR
Confidential Computing
A form of computing that protects in-use data, as opposed to data at rest (in persistent storage) or in transit (network communications).
See Confidential Computing Technology.
Confidential Computing Architecture
Arm confidential computing technology.
Confidential Computing Technology
Vendor | Architecture | Technology
---|---|---
AMD | x86_64, amd64 | SEV-ES, SEV-SNP
ARM | aarch64 | CCA
IBM | Power (ppc64le) | PEF
IBM | Z & LinuxONE (s390x) | SE
Intel | x86_64, amd64 | SGX, TDX
Confidential Containers
An application of confidential computing to running containers. See the Confidential Containers project.
Confidential Computing Consortium
The Confidential Computing Consortium is a community focused on projects securing data in use and accelerating the adoption of confidential computing through open collaboration.
Configuration Firmware Volume
In Intel TDX Virtual Firmware, a configuration volume that is measured at runtime so that all provisioned data is included in the measurement.
Container Image Registry
A searchable collection of container images such as https://hub.docker.com and https://quay.io. May be local or accessible remotely.
Container Image Signature File
The result of the signing process used to sign the Encrypted Container Image.
Contains two artefacts:
- JSON payload
- OpenPGP cryptographic signature of the JSON payload, created by signing the JSON payload using the owner's private key.
Once created, this will either live in a registry along with the Encrypted Container Image, or in a sigstore.
Control Plane
The part of the system that starts and stops the data plane.
Cloud Native Computing Foundation
The Cloud Native Computing Foundation (CNCF) serves as the vendor-neutral home for many of the fastest-growing open source projects, including Kubernetes, Prometheus, and Envoy.
Cloud Native Security
Cloud Native Security is the security framework within which confidential containers are being developed.
Cloud Service Provider
Cloud service providers are companies that establish public clouds, manage private clouds, or offer on-demand cloud computing components (also known as cloud computing services) like Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). Cloud services can reduce business process costs when compared to on-premises IT.
Working with potentially untrusted infrastructure provided by cloud service providers is an important design objective for confidential containers.
Container Signature
Another name for the Container Image Signature File.
Container Storage Interface
Extensible volume layer for Kubernetes.
Cryptographic Service Provider
A Cryptographic Service Provider provides encryption and decryption services, possibly with the benefit of hardware acceleration.
D
Data Plane
The part of the system that processes data.
See Control plane.
Decryption
Generally refers to decoding the encrypted layers in an Encrypted Container Image.
Before the image can be decrypted it needs to be pulled from an image registry.
When the encrypted image is available locally, only the intended recipient of the image will be able to decrypt it, since the encrypted layers of the image were created using the recipient's public key and only the recipient has the corresponding private key.
To perform the decryption, the Kata Containers agent, via the encrypted container library, calls the Attestation Agent's UnwrapKey API for each layer in the image, specifying the following details:
- Key Broker Client name
- Key Broker Service URI
- The image layer annotation details.
The Attestation Agent then communicates these details to the KBS and returns the decrypted PLBCO, including the LEK.
See also Encryption.
DIE triad
An extension to the CIA triad that adds the following properties:
- Distributed
- Immutable
- Ephemeral
Distribution
Generally refers to uploading an Encrypted Container Image to an image repository.
Docker Content Trust
Alternative image validation technology to the Encrypted Container Image method.
E
Enclave
A secure set of resources. The term is used extensively when referring to Software Guard Extensions.
For more details, see the definition in the Kata Containers Glossary.
Enclave Attestation Architecture
A set of mechanisms, initially defined in Inclavare Containers, to perform attestation across enclaves.
Allows a secure and trusted TLS channel to be established between the Key Broker Client (KBC) and the Key Broker Service (KBS). The TLS channel is used to send the decryption key of the encrypted container image.
Encrypted Container Image
A container image based on the OCI image specification but with the addition of encrypted layer metadata.
Notes:
- In the context of Confidential Containers, the image only exists in the context of the enclave / Container: it is not accessible from the host environment.
- An "encrypted image" has to contain at least one encrypted layer, but may also contain any number of unencrypted layers.
See Encryption and Decryption.
Encrypted Container Library
Projects such as ocicrypt and ocicrypt-rs that implement the encrypted layer media type of the OCI image specification.
Encryption
Generally refers to encoding one or more layers in an Encrypted Container Image.
Steps:
- A symmetric key is generated.
- The symmetric key is used to encrypt the relevant image layer(s) to create an Encrypted Container Image. This is handled by the Kata Containers agent calling the Attestation Agent's WrapKey API for each layer in the image. The Attestation Agent communicates the request to the KBS, which encrypts the PLBCO using the KEK.
- The symmetric key is then wrapped using the KEK, which is owned by the intended recipient of the image.
- The wrapped key is added to the container image manifest. The key becomes part of the encrypted PLBCO.
The encrypted image and the wrapped key can then be uploaded to a public registry (distribution).
See also Decryption.
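The Encryption and Decryption entries describe one envelope-encryption round trip: a per-layer symmetric key (LEK) encrypts the layer, the LEK travels wrapped under the recipient's KEK inside the PLBCO, and only the holder of the KEK's private half can unwrap it. The following Go program is an added example written for this glossary, not code from the Confidential Containers project, ocicrypt or the Attestation Agent; the plbco struct and its field names, the use of AES-256-GCM for the layer and RSA-OAEP as the KEK wrapping scheme are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// plbco stands in for the Private Layer Block Cipher Options carried in the layer
// annotation: the per-layer key (LEK) and the AEAD nonce. Field names are illustrative.
type plbco struct {
	LEK   []byte `json:"lek"`
	Nonce []byte `json:"nonce"`
}

// encryptLayer follows the Encryption steps for one layer: generate a symmetric LEK,
// encrypt the layer with AES-256-GCM, then wrap the PLBCO (which carries the LEK)
// under the recipient's KEK, assumed here to be an RSA-OAEP public key (WrapKey).
func encryptLayer(layer []byte, kek *rsa.PublicKey) (ciphertext, wrapped []byte, err error) {
	buf := make([]byte, 32+12) // 256-bit LEK followed by a 96-bit GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	lek, nonce := buf[:32], buf[32:]
	block, err := aes.NewCipher(lek)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	ciphertext = gcm.Seal(nil, nonce, layer, nil)
	opts, err := json.Marshal(plbco{LEK: lek, Nonce: nonce})
	if err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, opts, nil)
	return ciphertext, wrapped, err
}

// decryptLayer follows the Decryption steps: UnwrapKey the PLBCO with the recipient's
// private key, then authenticate and decrypt the layer. GCM rejects altered ciphertext.
func decryptLayer(ciphertext, wrapped []byte, priv *rsa.PrivateKey) ([]byte, error) {
	opts, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	var p plbco
	if err := json.Unmarshal(opts, &p); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(p.LEK)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, p.Nonce, ciphertext, nil)
}

func main() {
	owner, _ := rsa.GenerateKey(rand.Reader, 2048) // recipient's KEK pair (constructed)
	layer := []byte("constructed sample layer tarball bytes")
	ct, wrapped, _ := encryptLayer(layer, &owner.PublicKey)
	plain, err := decryptLayer(ct, wrapped, owner)
	fmt.Printf("layer recovered=%v err=%v\n", string(plain) == string(layer), err)
}
```

Because the layer is sealed with an AEAD, a registry that alters the ciphertext, or a party holding a key pair other than the KEK, fails at decryption rather than yielding wrong plaintext.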
Extensible Firmware Interface
The Extensible Firmware Interface (EFI) is the original Intel portable platform firmware for Itanium and x86, which evolved into UEFI.
Enclave Held Data
A part of the quote sent during attestation.
F
Firmware Volume
A storage volume accessible by the firmware. See Configuration Firmware Volume.
Firmware
Firmware is low-level control software for a particular device or platform. In the case of confidential containers, two pieces of firmware are particularly relevant: the host platform firmware, which provides services necessary to establish a trusted execution environment, and the guest firmware, part of the initial guest boot sequence, which, depending on the platform, may need to provide secrets to the guest or be part of the measured payload during attestation.
G
Galois/Counter Mode
TODO: Add explanation of relevance for CC.
Gramine
A libOS for Software Guard Extensions.
GSC refers to containers protected by Intel SGX enclaves using the Gramine Library OS.
Graphics Output Protocol
TODO: Add explanation of relevance for CC.
Guest Owner Proxy
Another term for Key broker service.
H
Homomorphic Encryption
A type of encryption that allows operations to be performed on the encrypted data without decrypting it first.
TODO: Add explanation of relevance for CC.
Host Key Document
IBM-specific host certificate.
Hardware Security Module
A physical device that safeguards and/or manages cryptographic keys, and provides cryptographic processing, typically to protect the keys against tampering or to enforce specific cryptographic protocols.
HW-TEE
Hardware-based trusted execution environment.
I
Infrastructure as a Service
TODO: Add explanation of relevance for CC.
Image specification
In the context of confidential containers, this usually refers to the OCI Image Format specification.
Intel Security Libraries for the Data Center
Intel Security Libraries for Data Center, also known as SECL-DC or ISECL, is an open-source remote attestation implementation.
Independent Software Vendor
TODO: Add explanation of relevance for CC.
J
K
Kata Containers
An implementation of a container runtime that uses virtualization to provide additional isolation. There is a significant overlap both in terms of code and community between Kata Containers and Confidential Containers.
Key Broker Client
A Key Broker Client (KBC) is a module of the Attestation Agent and a client of a Key Broker Service (KBS). A KBC carries out whatever operations are required from a guest to facilitate a measurement and receives secrets from a trusted KBS.
- An online KBC creates a persistent secure connection with a KBS that can be used to receive secrets for the duration of the guest.
- An offline KBC does not have a persistent secure connection and instead relies on secret material injected at startup or provided via a secure boot image.
Key Broker Client instance
An instantiated Key Broker Client object that exists in the Attestation Agent and which actually handles UnWrapKey requests.
Key Broker Service
A Key Broker Service (KBS) is a trusted service that verifies guest measurements and conditionally provides secrets to a Key Broker Client. Note that this can also be called "Key Broker Server" or Guest Owner Proxy.
In RATS parlance, the KBS is the "relying party".
The KBS:
- Provides services to the attestation agent.
- Sends the measurement to the Attestation service which verifies it.
- Requests a key from the key management service.
- Returns the key to the attestation agent.
Key Broker Service protocol
The protocol used by the Key Broker Service and Key Broker Client to communicate. Examples are:
Key Encryption Key
The KEK is the public key used to encrypt the symmetric key which is used to encrypt and decrypt an image.
See Encrypted Container Image.
Key Management Interoperability Protocol
The Key Management Interoperability Protocol is an extensible communication protocol to exchange cryptographic keys with a key management service server.
Key Management Service
A key management service facilitates the storage, management and exchange of cryptographic keys.
Key Provider Program
An application that implements the Key Provider Protocol.
Key Provider Protocol
The Key Provider Protocol provides a protocol for handling Wrapped keys. It defines the following APIs: WrapKey and UnWrapKey.
Key Provider Service
An application, such as the Attestation Agent, that implements the Key Provider Protocol API.
L
Layer Encryption Key
In the encrypted image specification, the Layer Encryption Key is an encryption key specific to each individual layer in the Encrypted Container Image.
Library OS
A "libOS" is a lightweight "runtime" for applications running inside an Enclave. It is usually implemented as a shared library and provides support for libc and system calls.
An example is Gramine.
Linux Unified Key Setup
Linux Unified Key Setup (LUKS) is the Linux disk encryption specification used by dm-crypt and cryptsetup.
Confidential containers will use LUKS for in-guest storage, in order to ensure that data at rest remains inaccessible to the host.
Local attestation
Attestation between two parties on the same physical hardware system.
The opposite of Remote attestation.
M
Man-in-the-middle
A kind of attack where a "bad actor" (malicious entity) attempts to listen to and possibly modify a secure communication between two parties.
Measurement
A signed document that provides "evidence" of the system (details of a system artefact, such as an SGX enclave).
N
O
Original Equipment Manufacturer
TODO: Add explanation of relevance for CC.
Open Policy Agent
The Open Policy Agent is a policy-based control for cloud native environments.
Open VM firmware
Open VM Firmware is a specific UEFI firmware used by hypervisors.
P
Platform Adaptation Layer
Functions provided by Gramine's libOS that provide host ABI support for workloads running inside an SGX enclave.
Platform Configuration Register
TODO: Add explanation.
Platform Diffie-Hellman Key
TODO: Add explanation.
Policy File
A JSON file called policy.json, which is a required artefact that specifies how Encrypted Container Images are pulled from a registry.
Privacy Enhanced Mail
A base64 (ASCII) encoded digital signature.
Platform Endorsement Key
On AMD SEV, the firmware identifies itself by an asymmetric signing key generated during the one-time configuration steps taken before the platform may be put into production. This key is called the Platform Endorsement Key (PEK) and is used to sign the Platform Diffie-Hellman key (PDH). By signing this key, the firmware authenticates the cryptographic contexts built with the PDH. Reference: section 1.2.2 of the Secure Encrypted Virtualization API.
Protected Container Image
An Encrypted Container Image that has also been signed.
Protected Execution Facility
IBM Power 9 feature that enables SVMs.
Public Key Cryptographic Standard
Public Key cryptography
See public key and private key.
Public Key Infrastructure
PKI is a system for managing digital certificates.
Pull
Refers to downloading an image from a registry.
Private key
The secret half of a public-key cryptography (asymmetric) key pair, which must never be shared with other parties. Used for signing.
Public key
The non-private half of a public-key cryptography (asymmetric) key pair, which can be shared publicly with any number of parties. Used for checking a file signed with a private key and for encrypting files to send to the owner of the private key.
Private Layer Block Cipher Options
A JSON object defined in the encrypted image format that is used to convey private metadata about layer encryption. It is part of a container image's layer annotation.
Public Layer Block Cipher Options
A JSON object defined in the encrypted image format that is used to store public metadata about layer encryption.
Platform Security Processor
Q
Quote
TODO: Add explanation.
R
Registry
Remote attestation
Attestation between two parties on different physical hardware systems.
The opposite of Local attestation.
Remote Attestation procedures
Remote Attestation Procedures (RATS) is an IETF specification that defines how a remote entity can assess the trustworthiness of a particular peer.
Request Challenge Attestation Response
Method used by the Key Broker Service (KBS) to facilitate guest attestation and secret injection.
S
Secure Code Execution
A Trusted Execution Environment that allows code to be executed privately and in a tamper proof manner.
See Confidential Computing Technology and Software Guard Extension.
Secure Execution for Linux
IBM SE is a hardware-based security technology built into IBM Z & LinuxONE systems.
Signature Claim File
Another name for the Container Image Signature File.
Sigstore
A signature store. This may be a container registry or a separate storage facility (even a local directory).
Secure Encrypted Virtualization
AMD's Secure Encrypted Virtualization (SEV) provides memory encryption, using one key per virtual machine to isolate guests and the hypervisor from one another.
Two variants relevant to confidential containers are:
- SEV-ES: AMD's Secure Encrypted Virtualization-Encrypted State adds CPU state integrity protection to SEV by encrypting all CPU register contents in the hypervisor-accessible state.
- SEV-SNP: AMD's Secure Encrypted Virtualization-Secure Nested Paging extends SEV-ES to provide integrity protection for memory pages, interrupts and more. Unlike SEV-ES, SEV-SNP provides an attestation report to the guest at runtime.
Secure Virtual Machine
A secured VM.
Signing
Adding a digital signature to a file (which may be in binary or ASCII-armored format). The signature is a hash of the original data that is then encrypted using the private key.
This is useful because if the signature can be decrypted with a copy of the public key, it must have been encrypted with the corresponding private key, which proves the unsigned file originated from the holder of the private key.
Software Guard Extensions
Intel Software Guard Extensions (SGX), see also SGX in the Kata Containers Glossary.
Secure Hash Algorithm
A secure hash algorithm (SHA) is a family of cryptographically-secure hash functions.
Secure Memory Encryption
TODO: Add explanation of relevance for CC.
Symmetric encryption
A form of cryptographic encryption which uses the same (symmetric) key for both encryption and decryption. An example is AES.
Symmetric key
A cryptographic key that is used for both encryption and decryption. Note the difference between this key and a public key or private key: if you possess the symmetric key, you have "full control" over encryption and decryption.
In the context of Confidential Containers, a wrapped symmetric key is used to encrypt and decrypt an image: the underlying symmetric key is protected since it is encrypted with the Key Encryption Key.
See also: Encryption.
T
Target Core Mailbox
A Linux kernel iSCSI target (server).
Target Core Mailbox in Userspace
TCM in Userspace. A UIO iSCSI target (server).
Tenant
The process which "owns" or lives inside the container.
Transparent Data Encryption
TODO: Add explanation of relevance for CC.
Trusted Boot
TDX Virtual Firmware
Trust Domain
A virtual machine protected by Intel Trust Domain Extensions.
Trust Domain Extensions
Trust Domain Extensions (TDX) is one of Intel's core technologies for confidential computing. See TDX in the Kata Containers Glossary.
Trusted Domain Extensions
Trust Domain Extensions is sometimes miswritten as Trusted rather than Trust. See TDX in the Kata Containers Glossary.
Trusted Computing Base
The portion of the system relied on for secure operation of the workload in question.
Trusted Execution Environment
A Trusted Execution Environment (TEE) is a secure partitioning of memory and compute. It is implemented through technologies like SGX, TDX or SEV.
Transport Layer Security
Cryptographic protocol used to provide a secure channel over a computer network. Used by the Enclave Attestation Architecture.
Trusted Platform Module
A trusted platform module (TPM) is a dedicated secure cryptoprocessor or microcontroller used to store secrets such as cryptographic keys.
Trusted Execution Technology
Intel's Trusted Execution Technology (TXT) is a set of hardware extensions to Intel processors and chipsets that allow the authenticity of a system to be attested.
U
UnWrapKey
A Key Provider Protocol API that unwraps (or unpacks) a wrapped key as part of the decryption process.
Userspace I/O
Linux kernel feature that allows device drivers to be run outside the kernel.
Unified Extensible Firmware Interface
Unified Extensible Firmware Interface (UEFI) is a standardized version of EFI.
Universally Unique Identifier
TODO: Add explanation of relevance for CC.
V
Virtual Private Cloud
TODO: Add explanation of relevance for CC.
W
WrapKey
A Key Provider Protocol API that wraps a key as part of the encryption process.
Wrapped key
A cryptographic key that has been encrypted using another private key. The protocol used is defined by the Key Provider Protocol.
X
Y
Z
Zstandard
A compression algorithm, also referred to as zstd, used by the image-rs project to handle compressed container image layers.
zstd
See Zstandard.