Skip to content

Confidential Containers Guest Tools and Components

License

Notifications You must be signed in to change notification settings

arronwy/guest-components

 
 

Repository files navigation

Confidential Container Tools and Components

FOSSA Status

This repository includes tools and components for confidential container images.

Components

Attestation Agent An agent for facilitating attestation protocols. Can be built as a library to run in a process-based enclave or built as a process that runs inside a confidential vm.

image-rs Rust implementation of the container image management library.

ocicrypt-rs Rust implementation of the OCI image encryption library.

api-server-rest CoCo Restful API server.

confidential-data-hub Confidential Data Hub.

coco-keyprovider CoCo Keyprovider. Used to encrypt the container images.

Build

A Makefile is provided to quickly build Attestation Agent/Api Server Rest/Confidential Data Hub for a given platform.

make build TEE_PLATFORM=$(TEE_PLATFORM)
make install DESTDIR=/usr/local/bin

The TEE_PLATFORM parameter can be

  • none: for tests with non-confidential guests
  • all: for all following platforms
  • fs: for platforms with encrypted root filesystems (i.e. s390x)
  • tdx: for Intel TDX
  • az-tdx-vtpm: for Intel TDX with Azure vTPM
  • sev: for AMD SEV(-ES)
  • snp: for AMD SEV-SNP
  • amd: for both AMD SEV(-ES) and AMD SEV-SNP
  • az-snp-vtpm: for AMD SEV-SNP with Azure vTPM
  • se: for IBM Secure Execution (SE)

by default, kbs/sev as a resource provider will be built in Confidential Data Hub. If you do not want enable any default except for only builtin offline-fs-kbc, you can build with NO_RESOURCE_PROVIDER flag set to true.

make build TEE_PLATFORM=$(TEE_PLATFORM) NO_RESOURCE_PROVIDER=true

License

FOSSA Status

About

Confidential Containers Guest Tools and Components

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Rust 96.7%
  • Go 1.3%
  • Makefile 1.1%
  • Other 0.9%