Key Broker Service (KBS)
This service facilitates remote attestation and secret delivery
Trustee contains tools and components for attesting confidential guests and providing secrets to them. Collectively, these components are known as Trustee. Trustee typically operates on behalf of the “workload provider” / “data owner” and interacts remotely with guest components.
Trustee is developed for the Confidential Containers project, but can be used with a wide variety of applications and hardware platforms.
Trustee is flexible and can be deployed in several different configurations. This figure shows one common way to deploy these components in conjunction with certain guest components.
```mermaid
flowchart LR
    AA -- attests guest ----> KBS
    CDH -- requests resource --> KBS
    subgraph Guest
        CDH <.-> AA
    end
    subgraph Trustee
        KBS -- validates evidence --> AS
        RVPS -- provides reference values --> AS
    end
    client-tool -- configures --> KBS
```
CDH: Confidential Data Hub
AA: Attestation Agent
KBS: Key Broker Service
RVPS: Reference Value Provider Service
AS: Attestation Service

Trustee components:

KBS: This service facilitates remote attestation and secret delivery
AS: This service verifies TEE evidence
RVPS: This service manages reference values used to verify TEE evidence
client-tool: Simple tool to test or configure the Key Broker Service and the Attestation Service
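The flow in the figure above as a runnable toy model, added here for illustration and not Trustee's own code: the KBS issues a challenge nonce, hands the guest's evidence to the AS, which checks it against reference values from the RVPS, and only an attested session can fetch a resource. The class names, the `launch_measurement` field and the sample values are assumptions; real TEE evidence is hardware-signed and the AS also verifies the vendor certificate chain, which this model omits.

```python
# Toy model of the flow in the figure above (added example, not Trustee code). Evidence is
# a plain dict; real evidence is hardware-signed and the AS also checks the vendor cert chain.
import secrets

class RVPS:
    """Reference Value Provider Service: what an approved guest should measure."""
    def __init__(self, reference_values):
        self.reference_values = reference_values  # constructed, e.g. {"launch_measurement": ...}

class AttestationService:
    """Verifies TEE evidence against reference values provided by the RVPS."""
    def __init__(self, rvps):
        self.rvps = rvps

    def verify(self, evidence, expected_nonce):
        if evidence.get("nonce") != expected_nonce:  # freshness: must carry the KBS's nonce
            return False
        expected = self.rvps.reference_values.get("launch_measurement")
        return evidence.get("launch_measurement") == expected  # approved image only

class KBS:
    """Key Broker Service: challenge, attest, then release secrets per attested session."""
    def __init__(self, attestation_service, resources):
        self.attestation_service = attestation_service
        self.resources = resources  # secrets, configured via client-tool in the figure
        self.sessions = {}          # session id -> {"nonce": str, "attested": bool}

    def auth(self):  # step 1 (AA -> KBS): open a session, return a fresh challenge nonce
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = {"nonce": secrets.token_hex(16), "attested": False}
        return session_id, self.sessions[session_id]["nonce"]

    def attest(self, session_id, evidence):  # step 2 (AA -> KBS -> AS): record the verdict
        session = self.sessions[session_id]
        session["attested"] = self.attestation_service.verify(evidence, session["nonce"])
        return session["attested"]

    def get_resource(self, session_id, name):  # step 3 (CDH -> KBS): attested sessions only
        session = self.sessions.get(session_id)
        if session is None or not session["attested"]:
            return None
        return self.resources.get(name)

def run_flow(guest_measurement, stale_nonce=None):  # constructed scenario, values are made up
    rvps = RVPS({"launch_measurement": "measurement-of-approved-image"})
    kbs = KBS(AttestationService(rvps), {"db-password": "s3cret"})
    session_id, nonce = kbs.auth()
    evidence = {"launch_measurement": guest_measurement, "nonce": stale_nonce or nonce}
    kbs.attest(session_id, evidence)
    return kbs.get_resource(session_id, "db-password")  # the secret, or None if refused
```

A guest whose measurement matches the reference value and whose evidence carries the session's nonce receives the secret; a tampered measurement or a replayed nonce leaves the session unattested and the KBS returns nothing.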