Confidential Containers Guest Tools and Components

Primary language: Rust. License: Apache License 2.0 (Apache-2.0).

Confidential Container Tools and Components

This repository includes the tools and components that run inside the guest of a confidential container, together with the libraries used to build and encrypt confidential container images.

Components

Attestation Agent: An agent for facilitating attestation protocols. It can be built as a library to run in a process-based enclave, or as a process that runs inside a confidential VM.

image-rs: Rust implementation of the container image management library.

ocicrypt-rs: Rust implementation of the OCI image encryption library.

api-server-rest: CoCo RESTful API server.

confidential-data-hub: Confidential Data Hub (CDH). The resource providers selected at build time (see Build below) are compiled into this component.

coco-keyprovider: CoCo Keyprovider, used to encrypt container images.

Tools

secret-cli: Utility for sealing and unsealing sealed secrets.

CDH Client: A tool for exercising CDH endpoints.

CDH Go Client: A Go tool for exercising CDH endpoints.

CoCo Keyprovider: Keyprovider endpoint for encrypting images.

Build

A Makefile is provided to quickly build Attestation Agent, API Server Rest and Confidential Data Hub for a given platform.

make build TEE_PLATFORM=$(TEE_PLATFORM)
make install DESTDIR=/usr/local/bin

The TEE_PLATFORM parameter can be one of:

  • none: for tests with non-confidential guests; a build for this platform cannot produce hardware-backed attestation evidence and is not meant for production guests
  • all: all of the following platforms
  • fs: for platforms with encrypted root filesystems (i.e. s390x)
  • tdx: for Intel TDX
  • az-tdx-vtpm: for Intel TDX with Azure vTPM
  • sev: for AMD SEV(-ES)
  • snp: for AMD SEV-SNP
  • amd: for both AMD SEV(-ES) and AMD SEV-SNP
  • az-snp-vtpm: for AMD SEV-SNP with Azure vTPM
  • se: for IBM Secure Execution (SE)

By default, the kbs and sev resource providers are built into Confidential Data Hub. If you want none of the default providers and only the builtin offline-fs-kbc, build with the NO_RESOURCE_PROVIDER flag set to true.

make build TEE_PLATFORM=$(TEE_PLATFORM) NO_RESOURCE_PROVIDER=true
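The following shell script is an added example and is not part of the guest-components repository or its Makefile. It shows one way to choose a TEE_PLATFORM value for a guest, validate it against the accepted list above, and assemble the matching make invocation (printed rather than executed, so it can be reviewed first). The device nodes it probes (/dev/tdx_guest, /dev/sev-guest, /sys/firmware/uv/prot_virt_guest) are assumptions about what the guest kernel exposes, and the guess only covers platforms that are visible that way; SEV(-ES) without SNP and the Azure vTPM variants have to be passed explicitly.

```shell
#!/bin/sh
# Added example, not code from the guest-components project.
# Chooses a TEE_PLATFORM, validates it and prints the make command line.

# Accepted values, taken from the list in the Build section above.
TEE_PLATFORMS="none all fs tdx az-tdx-vtpm sev snp amd az-snp-vtpm se"

# tee_platform_valid NAME -> returns 0 if NAME is an accepted TEE_PLATFORM
tee_platform_valid() {
    for p in $TEE_PLATFORMS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# guess_tee_platform [ROOT] -> prints a best-guess TEE_PLATFORM for the guest.
# ROOT defaults to the real filesystem; passing another directory lets the
# logic run against a constructed tree. Assumed device nodes (not from the
# page; verify on your kernel):
#   ROOT/dev/tdx_guest                      Intel TDX guest driver
#   ROOT/dev/sev-guest                      AMD SEV-SNP guest driver
#   ROOT/sys/firmware/uv/prot_virt_guest=1  IBM Secure Execution guest
# Anything else falls back to "none", which is a test-only build.
guess_tee_platform() {
    root="${1:-}"
    if [ -e "$root/dev/tdx_guest" ]; then
        echo tdx
    elif [ -e "$root/dev/sev-guest" ]; then
        echo snp
    elif [ "$(cat "$root/sys/firmware/uv/prot_virt_guest" 2>/dev/null)" = "1" ]; then
        echo se
    else
        echo none
    fi
}

# build_cmd PLATFORM [NO_RESOURCE_PROVIDER] -> prints the make command line,
# or fails with a message on stderr if PLATFORM is not an accepted value.
build_cmd() {
    plat="$1"
    if ! tee_platform_valid "$plat"; then
        echo "unknown TEE_PLATFORM: $plat (expected one of: $TEE_PLATFORMS)" >&2
        return 1
    fi
    cmd="make build TEE_PLATFORM=$plat"
    # Only the builtin offline-fs-kbc is kept when NO_RESOURCE_PROVIDER=true.
    [ "${2:-false}" = "true" ] && cmd="$cmd NO_RESOURCE_PROVIDER=true"
    echo "$cmd"
}

# Usage: guess the platform of this guest and print the command to run.
# Run the printed line (and then `make install DESTDIR=...`) once reviewed.
if [ "${COCO_BUILD_EXAMPLE_MAIN:-0}" = "1" ]; then
    build_cmd "$(guess_tee_platform)" "${NO_RESOURCE_PROVIDER:-false}"
fi
```

The guess is a convenience for picking a build target, not a trust decision: what TEE a guest actually runs in is established by the relying party from the attestation evidence that Attestation Agent collects, never from what the guest reports about its own device nodes.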

License

Apache License 2.0 (Apache-2.0).