mirror of
https://github.com/kata-containers/kata-containers.git
synced 2025-06-20 04:34:32 +00:00
Kata Containers has support for both the IBM Secure Execution trusted execution environment and the IBM Crypto Express hardware security module (used via the Adjunct Processor bus), but using them together requires specific steps. In Secure Execution, the Acceleration and Enterprise PKCS11 modes of Crypto Express are supported. Both modes require the domain to be _bound_ in the guest, and the latter also requires the domain to be _associated_ with a _guest secret_. Guest secrets must be submitted to the ultravisor from within the guest. Each EP11 domain has a master key verification pattern (MKVP) that can be established at HSM setup time. The guest secret and its ID are to be provided at `/vfio_ap/{mkvp}/secret` and `/vfio_ap/{mkvp}/secret_id` via a key broker service respectively. Bind each domain, and for each EP11 domain: get the secret and secret ID from the addresses above; submit the secret to the ultravisor; find the index of the secret corresponding to the ID; and associate the domain to the index of this secret. To bind, add the secret, parse the info about the domain, and associate, the s390_pv_core crate is used. The code from this crate also does the AP online check, which can be removed from here. Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com> |
---|---|---|
CEX-passthrough-and-coco.md | ||
GPU-passthrough-and-Kata.md | ||
Intel-Discrete-GPU-passthrough-and-Kata.md | ||
Intel-GPU-passthrough-and-Kata.md | ||
NVIDIA-GPU-passthrough-and-Kata.md | ||
using-Intel-QAT-and-kata.md | ||
using-Intel-SGX-and-kata.md | ||
using-SPDK-vhostuser-and-kata.md | ||
using-SRIOV-and-kata.md |