This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Guest Components

Confidential Container Tools and Components

1: API Server Rest

2: Attestation Agent

3: Confidential Data Hub

4: image-rs

5: ocicrypt-rs

Warning

TODO: This was copied with few adaptations from here: https://github.com/confidential-containers/guest-components This needs to be tested and verified if the instructions still work and needs a rework.

This repository includes tools and components for confidential container images.

Attestation Agent: An agent for facilitating attestation protocols. Can be built as a library to run in a process-based enclave or built as a process that runs inside a confidential vm.
image-rs: Rust implementation of the container image management library.
ocicrypt-rs: Rust implementation of the OCI image encryption library.
api-server-rest](api-server-rest): CoCo Restful API server.

License

1 - API Server Rest

Documentation for CoCo Restful API Server

Warning

TODO: This was copied with few adaptations from here: https://github.com/confidential-containers/guest-components/tree/main/api-server-rest This needs to be tested and verified if the instructions still work and needs a rework.

CoCo guest components use lightweight ttRPC for internal communication to reduce the memory footprint and dependency. But many internal services also needed by containers like get_resource, get_evidence and get_token, we export these services with restful API, now CoCo containers can easy access these API with http client. Here are some examples, for detail info, please refer rest API


$ ./api-server-rest --features=all
Starting API server on 127.0.0.1:8006
API Server listening on http://127.0.0.1:8006


$ curl http://127.0.0.1:8006/cdh/resource/default/key/1
12345678901234567890123456xxxx


$ curl http://127.0.0.1:8006/aa/evidence\?runtime_data\=xxxx
{"svn":"1","report_data":"eHh4eA=="}


$ curl http://127.0.0.1:8006/aa/token\?token_type\=kbs
{"token":"eyJhbGciOiJFi...","tee_keypair":"-----BEGIN... "}

2 - Attestation Agent

Documentation for Attestation Agent

Warning

TODO: This was copied with few adaptations from here: https://github.com/confidential-containers/guest-components/tree/main/attestation-agent This needs to be tested and verified if the instructions still work and needs a rework.

Attestation Agent (AA for short) is a service function set for attestation procedure in Confidential Containers. It provides kinds of service APIs that need to make requests to the Relying Party (Key Broker Service) in Confidential Containers, and performs an attestation and establishes connection between the Key Broker Client (KBC) and corresponding KBS, so as to obtain the trusted services or resources of KBS.

Current consumers of AA include:

Components

The main body of AA is a rust library crate, which contains KBC modules used to communicate with various KBS. In addition, this project also provides a gRPC service application, which allows callers to call the services provided by AA through gRPC.

Library crate

Import AA in Cargo.toml of your project with specific KBC(s):


attestation-agent = { git = "https://github.com/confidential-containers/guest-components", features = ["sample_kbc"] }

Note: When the version is stable, we will release AA on https://crate.io.

gRPC Application

Here are the steps of building and running gRPC application of AA:

Build

Build and install with default KBC modules:


git clone https://github.com/confidential-containers/guest-components
cd guest-components/attestation-agent
make && make install

or explicitly specify the KBS modules it contains. Taking sample_kbc as example:


make KBC=sample_kbc

Musl

To build and install with musl, just run:


make LIBC=musl && make install

Openssl support

To build and install with openssl support (which is helpful in specific machines like s390x)

make OPENSSL=1 && make install

Run

For help information, just run:


attestation-agent --help

Start AA and specify the endpoint of AA’s gRPC service:


attestation-agent --keyprovider_sock 127.0.0.1:50000 --getresource_sock 127.0.0.1:50001

Or start AA with default keyprovider address (127.0.0.1:50000) and default getresource address (127.0.0.1:50001):

attestation-agent

If you want to see the runtime log:

RUST_LOG=attestation_agent attestation-agent --keyprovider_sock 127.0.0.1:50000 --getresource_sock 127.0.0.1:50001

ttRPC

To build and install ttRPC Attestation Agent, just run:


make ttrpc=true && make install

ttRPC AA now only support Unix Socket, for example:


attestation-agent --keyprovider_sock unix:///tmp/keyprovider.sock --getresource_sock unix:///tmp/getresource.sock

Supported KBC modules

AA provides a flexible KBC module mechanism to support different KBS protocols required to make the communication between KBC and KBS. If the KBC modules currently supported by AA cannot meet your use requirement (e.g, need to use a new KBS protocol), you can write a new KBC module complying with the KBC development GUIDE. Welcome to contribute new KBC module to this project!

List of supported KBC modules:

KBC module name	README	KBS protocol	Maintainer
sample_kbc	Null	Null	Attestation Agent Authors
offline_fs_kbc	Offline file system KBC	Null	IBM
eaa_kbc	EAA KBC	EAA protocol	Alibaba Cloud
offline_sev_kbc	Offline SEV KBC	Null	IBM
online_sev_kbc	Online SEV KBC	simple-kbs	IBM
cc_kbc	CC KBC	CoCo KBS protocol	CoCo Community

CC KBC

CC KBC supports different kinds of hardware TEE attesters, now

Attester name	Info
tdx-attester	Intel TDX
sgx-attester	Intel SGX DCAP
snp-attester	AMD SEV-SNP
az-snp-vtpm-attester	Azure SEV-SNP CVM

To build cc kbc with all available attesters and install, use


make KBC=cc_kbc && make install

Tools

Sample Keyprovider: A simple tool for encrypting container images with skopeo, please refer to its README.

3 - Confidential Data Hub

Documentation for Confidential Data Hub

Warning

TODO: This was copied with few adaptations from here: https://github.com/confidential-containers/guest-components/tree/main/confidential-data-hub This needs to be tested and verified if the instructions still work and needs a rework.

Confidential Data Hub is a service running inside guest to provide resource related APIs.

Build

Build and install with default KBC modules:


git clone https://github.com/confidential-containers/guest-components
cd guest-components/confidential-data-hub
make

or explicitly specify the confidential resource provider and KMS plugin, please refer to Supported Features


make RESOURCE_PROVIDER=kbs PROVIDER=aliyun

Supported Features

Confidential resource providers (flag RESOURCE_PROVIDER)

Feature name	Note
kbs	For TDX/SNP/Azure-SNP-vTPM based on KBS Attestation Protocol
sev	For SEV based on efi secret pre-attestation

Note: offline-fs is built-in, we do not need to manually enable. If no RESOURCE_PROVIDER is given, all features will be enabled.

KMS plugins (flag PROVIDER)

Feature name	Note
aliyun	Use aliyun KMS suites to unseal secrets, etc.

Note: If no PROVIDER is given, all features will be enabled.

4 - image-rs

Documentation for image-rs

Warning

TODO: This was copied with few adaptations from here: https://github.com/confidential-containers/guest-components/tree/main/image-rs This needs to be tested and verified if the instructions still work and needs a rework.

Container Images Rust Crate

Documentation

Design document

CCv1 Image Security Design document

5 - ocicrypt-rs

Documentation for ocicrypt-rs

Warning

TODO: This was copied with few adaptations from here: https://github.com/confidential-containers/guest-components/tree/main/ocicrypt-rs This needs to be tested and verified if the instructions still work and needs a rework.

ocicrypt-rs

This repo contains the rust version of the containers/ocicrypt library.