The Confidential Containers Key Broker Service (KBS) is a remote attestation entry point, also known as a Relying Party in RATS role terminology.
KBS integrates the Attestation-Service to verify TEE evidence.
KBS can also be deployed as a RATS Verifier. In this case, KBS is responsible for distributing the Attestation Token (following the RATS Passport model).
KBS implements and supports a simple protocol that is vendor- and hardware-agnostic.
KBS implements an HTTP-based, OpenAPI 3.1 compliant API. This API is formally described in its OpenAPI formatted specification.
Start KBS and specify the address it listens on (using 127.0.0.1:8080 as an example):

```shell
make kbs
./target/debug/kbs --socket 127.0.0.1:8080
```
A custom, JSON-formatted configuration file can be used:

```shell
./target/debug/kbs --socket 127.0.0.1:8080 --config /path/to/config.json
```
The Resource Repository is the storage module of KBS, used to manage and store confidential resources. KBS supports a variety of repository implementations, such as a database or the local file system.
Which resource repository implementation to use is specified by the config at startup (the default is the local file system).
Resource file paths map to KBS resource URLs as follows:
| Resource File Path | Resource URL |
|---|---|
| file://<$(KBS_REPOSITORY_DIR)>/<repository_name>/<type>/<tag> | http://<kbs_address>/kbs/v0/resource/<repository_name>/<type>/<tag> |
The KBS repository directory is specified in the config file (if the repository type is the local file system).
The default KBS repository directory is /opt/confidential-containers/kbs/repository.
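The mapping in the table above, written out as an added example (this is not KBS's own code). It takes the path part of a resource URL, assumed already percent-decoded, and resolves it to a file under the repository directory only when it is exactly `<repository_name>/<type>/<tag>` with segments that cannot escape that directory; the reverse direction builds the URL from a file path. The segment rules are the example's own assumption, not something the page specifies.

```rust
use std::path::{Path, PathBuf};

/// Default repository directory given in the KBS docs.
pub const DEFAULT_REPOSITORY_DIR: &str = "/opt/confidential-containers/kbs/repository";
/// Path prefix of every KBS resource URL.
const RESOURCE_PREFIX: &str = "/kbs/v0/resource/";

/// A segment is usable as a directory or file name only if it is non-empty,
/// not "." or "..", and free of separators (assumed rule, not from the docs).
fn is_safe_segment(seg: &str) -> bool {
    !seg.is_empty()
        && seg != "."
        && seg != ".."
        && !seg.contains(|c| c == '/' || c == '\\' || c == '\0')
}

/// Maps a resource URL path such as "/kbs/v0/resource/default/key/1" to the
/// file under `repo_dir`. Returns None unless the path is exactly
/// <repository_name>/<type>/<tag> with safe segments, so a request can never
/// resolve to a file outside the repository directory.
pub fn resource_url_path_to_file(repo_dir: &Path, url_path: &str) -> Option<PathBuf> {
    let rest = url_path.strip_prefix(RESOURCE_PREFIX)?;
    // Resource URLs carry no query string; drop one if present.
    let rest = rest.split('?').next()?;
    let segments: Vec<&str> = rest.split('/').collect();
    if segments.len() != 3 || !segments.iter().all(|s| is_safe_segment(s)) {
        return None;
    }
    let mut file = repo_dir.to_path_buf();
    for seg in &segments {
        file.push(seg);
    }
    Some(file)
}

/// Inverse mapping: the URL a file under `repo_dir` is served at on `kbs_address`.
/// Returns None if the file is not exactly three safe segments below `repo_dir`.
pub fn file_to_resource_url(repo_dir: &Path, file: &Path, kbs_address: &str) -> Option<String> {
    let rel = file.strip_prefix(repo_dir).ok()?;
    let segments: Vec<&str> = rel.iter().map(|c| c.to_str()).collect::<Option<Vec<_>>>()?;
    if segments.len() != 3 || !segments.iter().all(|s| is_safe_segment(s)) {
        return None;
    }
    Some(format!("http://{}{}{}", kbs_address, RESOURCE_PREFIX, segments.join("/")))
}
```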