AA: Clean Out-of-date documents and move documents about KBS to CDH.
Signed-off-by: Jiale Zhang <zhangjiale@linux.alibaba.com>
jialez0 committed Jan 16, 2024
1 parent e7ef6d8 commit 6bb4f6e
Showing 9 changed files with 23 additions and 498 deletions.
2 changes: 1 addition & 1 deletion README.md
@@ -18,7 +18,7 @@ Rust implementation of the OCI image encryption library.
[api-server-rest](api-server-rest)
CoCo Restful API server.

[coco-keyprovider](attestation-agent/coco_keyprovider/)
[coco-keyprovider](coco_keyprovider/)
CoCo Keyprovider. Used to encrypt the container images.

## Build
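Review bot: the new link target `coco_keyprovider/` is relative to the repository root, so this hunk is only correct if the directory actually leaves `attestation-agent/` in the same commit; the page lists 9 changed files but shows 4, none of which is that move, so please confirm the rename is included rather than leaving the top-level README pointing at a path that does not exist yet.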
69 changes: 12 additions & 57 deletions attestation-agent/README.md
@@ -1,29 +1,20 @@
# Attestation Agent

Attestation Agent (AA for short) is a service function set for attestation procedure
in Confidential Containers. It provides kinds of service APIs that need to make
requests to the Relying Party (Key Broker Service) in Confidential Containers,
and performs an attestation and establishes connection between the Key Broker Client (KBC)
and corresponding KBS, so as to obtain the trusted services or resources of KBS.


Current consumers of AA include:

- [ocicrypt-rs](../ocicrypt-rs)
- [image-rs](../image-rs)
in Confidential Containers.

## Components

The main body of AA is a rust library crate, which contains KBC modules used to communicate
with various KBS. In addition, this project also provides a gRPC service application,
The main body of AA is a rust library crate.
In addition, this project also provides a gRPC service application,
which allows callers to call the services provided by AA through gRPC.

## Library crate

Import AA in `Cargo.toml` of your project with specific KBC(s):
Import AA in `Cargo.toml` of your project:

```toml
attestation-agent = { git = "https://github.com/confidential-containers/guest-components", features = ["sample_kbc"] }
attestation-agent = { git = "https://github.com/confidential-containers/guest-components" }
```

**Note**: When the version is stable, we will release AA on https://crate.io.
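Review bot: the context line `**Note**: When the version is stable, we will release AA on https://crate.io.` names the wrong host; the Rust registry is https://crates.io, and since this section is being rewritten anyway it is worth correcting here. Minor wording in the new line `The main body of AA is a rust library crate.`: `Rust` should be capitalised.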
@@ -42,10 +33,10 @@ cd guest-components/attestation-agent
make && make install
```

or explicitly specify the KBS modules it contains. Taking `sample_kbc` as example:
For details of building parameters, run:

```shell
make KBC=sample_kbc
```
make help
```

#### Musl
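Review bot: replacing the explicit `make KBC=sample_kbc` example with `make help` makes the README depend on the Makefile having a `help` target that lists the remaining build parameters; please confirm that target exists and is up to date before merging. Wording: `For details of building parameters, run:` reads better as `For details of the build parameters, run:`.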
@@ -73,18 +64,18 @@ attestation-agent --help
Start AA and specify the endpoint of AA's gRPC service:

```shell
attestation-agent --keyprovider_sock 127.0.0.1:50000 --getresource_sock 127.0.0.1:50001
attestation-agent --attestation_sock 127.0.0.1:50002
```

Or start AA with default keyprovider address (127.0.0.1:50000) and default getresource address (127.0.0.1:50001):
Or start AA with default address (127.0.0.1:50002):

```
attestation-agent
```

If you want to see the runtime log:
```
RUST_LOG=attestation_agent attestation-agent --keyprovider_sock 127.0.0.1:50000 --getresource_sock 127.0.0.1:50001
RUST_LOG=attestation_agent attestation-agent
```

### ttRPC
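Review bot: the new sentence `Or start AA with default address (127.0.0.1:50002):` asserts the binary's built-in default while the example above passes `--attestation_sock 127.0.0.1:50002` explicitly; please verify the CLI default really is 50002 so the two examples do not diverge. Style: the two fences under that sentence and under `If you want to see the runtime log:` carry no language tag while the first uses ```shell; tagging them consistently would help.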
@@ -97,42 +88,6 @@ make ttrpc=true && make install
ttRPC AA now only support Unix Socket, for example:

```shell
attestation-agent --keyprovider_sock unix:///tmp/keyprovider.sock --getresource_sock unix:///tmp/getresource.sock
```

## Supported KBC modules

AA provides a flexible KBC module mechanism to support different KBS protocols required to make the communication between KBC and KBS. If the KBC modules currently supported by AA cannot meet your use requirement (e.g, need to use a new KBS protocol), you can write a new KBC module complying with the KBC development [GUIDE](docs/kbc_module_development_guide.md). Welcome to contribute new KBC module to this project!

List of supported KBC modules:

| KBC module name | README | KBS protocol | Maintainer |
| ------------------ | ------------------------------------------------------------------- | ------------ | ------------------------- |
| sample_kbc | Null | Null | Attestation Agent Authors |
| offline_fs_kbc | [Offline file system KBC](kbc/src/offline_fs_kbc/README.md) | Null | IBM |
| eaa_kbc | [EAA KBC](kbc/src/eaa_kbc/README.md) | EAA protocol | Alibaba Cloud |
| offline_sev_kbc | [Offline SEV KBC](kbc/src/offline_sev_kbc/README.md) | Null | IBM |
| online_sev_kbc | [Online SEV KBC](kbc/src/online_sev_kbc/README.md) | simple-kbs | IBM |
| cc_kbc | [CC KBC](kbc/src/cc_kbc/README.md) | [CoCo KBS protocol](https://github.com/confidential-containers/kbs/blob/main/kbs/docs/kbs_attestation_protocol.md) | CoCo Community |

### CC KBC

CC KBC supports different kinds of hardware TEE attesters, now
| Attester name | Info |
| ------------------- | -------------------------- |
| tdx-attester | Intel TDX |
| sgx-attester | Intel SGX DCAP |
| snp-attester | AMD SEV-SNP |
| az-snp-vtpm-attester| Azure SEV-SNP CVM |
| az-tdx-vtpm-attester| Azure TDX CVM |
| cca-attester | Arm Confidential Compute Architecture (CCA) |

To build cc kbc with all available attesters and install, use
```shell
make KBC=cc_kbc && make install
attestation-agent --attestation_sock unix:///tmp/attestation.sock
```

## Tools

- [Sample Keyprovider](./coco_keyprovider): A simple tool for encrypting container images with skopeo, please refer to its [README](./coco_keyprovider/README.md).
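Review bot: the unchanged ttRPC example `attestation-agent --keyprovider_sock unix:///tmp/keyprovider.sock --getresource_sock unix:///tmp/getresource.sock` still uses the two sockets that the gRPC section above replaces with `--attestation_sock`; it should be updated in this hunk to the form shown in the deleted CC KBC section, `attestation-agent --attestation_sock unix:///tmp/attestation.sock`. Also, the attester table (tdx-attester, sgx-attester, snp-attester, az-snp-vtpm-attester, az-tdx-vtpm-attester, cca-attester) disappears together with the KBC table, yet the attestation socket stays, so attesters remain AA's responsibility; consider keeping that table, or linking to wherever it moves, rather than dropping it.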

144 changes: 0 additions & 144 deletions attestation-agent/docs/IMPLEMENTATION.md

This file was deleted.

115 changes: 0 additions & 115 deletions attestation-agent/docs/kbc_module_development_guide.md

This file was deleted.
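Review bot: the commit message says documents about KBS are moved to CDH, but for `attestation-agent/docs/IMPLEMENTATION.md` and `attestation-agent/docs/kbc_module_development_guide.md` the diff shows plain deletions with no destination path; if they were relocated, a rename or the new location should be visible in the changed files, otherwise the message should say they were removed.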

0 comments on commit 6bb4f6e