Attestation Agent
Categories:
Warning
TODO: This was copied with few adaptations from here: https://github.com/confidential-containers/guest-components/tree/main/attestation-agent This needs to be tested and verified if the instructions still work and needs a rework.Attestation Agent (AA for short) is a service function set for attestation procedure in Confidential Containers. It provides kinds of service APIs that need to make requests to the Relying Party (Key Broker Service) in Confidential Containers, and performs an attestation and establishes connection between the Key Broker Client (KBC) and corresponding KBS, so as to obtain the trusted services or resources of KBS.
Current consumers of AA include:
Components
The main body of AA is a rust library crate, which contains KBC modules used to communicate with various KBS. In addition, this project also provides a gRPC service application, which allows callers to call the services provided by AA through gRPC.
Library crate
Import AA in Cargo.toml
of your project with specific KBC(s):
attestation-agent = { git = "https://github.com/confidential-containers/guest-components", features = ["sample_kbc"] }
Note: When the version is stable, we will release AA on https://crate.io.
gRPC Application
Here are the steps of building and running gRPC application of AA:
Build
Build and install with default KBC modules:
git clone https://github.com/confidential-containers/guest-components
cd guest-components/attestation-agent
make && make install
or explicitly specify the KBS modules it contains. Taking sample_kbc
as example:
make KBC=sample_kbc
Musl
To build and install with musl, just run:
make LIBC=musl && make install
Openssl support
To build and install with openssl support (which is helpful in specific machines like s390x
)
make OPENSSL=1 && make install
Run
For help information, just run:
attestation-agent --help
Start AA and specify the endpoint of AA’s gRPC service:
attestation-agent --keyprovider_sock 127.0.0.1:50000 --getresource_sock 127.0.0.1:50001
Or start AA with default keyprovider address (127.0.0.1:50000) and default getresource address (127.0.0.1:50001):
attestation-agent
If you want to see the runtime log:
RUST_LOG=attestation_agent attestation-agent --keyprovider_sock 127.0.0.1:50000 --getresource_sock 127.0.0.1:50001
ttRPC
To build and install ttRPC Attestation Agent, just run:
make ttrpc=true && make install
ttRPC AA now only support Unix Socket, for example:
attestation-agent --keyprovider_sock unix:///tmp/keyprovider.sock --getresource_sock unix:///tmp/getresource.sock
Supported KBC modules
AA provides a flexible KBC module mechanism to support different KBS protocols required to make the communication between KBC and KBS. If the KBC modules currently supported by AA cannot meet your use requirement (e.g, need to use a new KBS protocol), you can write a new KBC module complying with the KBC development GUIDE. Welcome to contribute new KBC module to this project!
List of supported KBC modules:
KBC module name | README | KBS protocol | Maintainer |
---|---|---|---|
sample_kbc | Null | Null | Attestation Agent Authors |
offline_fs_kbc | Offline file system KBC | Null | IBM |
eaa_kbc | EAA KBC | EAA protocol | Alibaba Cloud |
offline_sev_kbc | Offline SEV KBC | Null | IBM |
online_sev_kbc | Online SEV KBC | simple-kbs | IBM |
cc_kbc | CC KBC | CoCo KBS protocol | CoCo Community |
CC KBC
CC KBC supports different kinds of hardware TEE attesters, now
Attester name | Info |
---|---|
tdx-attester | Intel TDX |
sgx-attester | Intel SGX DCAP |
snp-attester | AMD SEV-SNP |
az-snp-vtpm-attester | Azure SEV-SNP CVM |
To build cc kbc with all available attesters and install, use
make KBC=cc_kbc && make install
Tools
- Sample Keyprovider: A simple tool for encrypting container images with skopeo, please refer to its README.