Confidential Container Tools and Components

This repository includes tools and components for confidential container images.

Components

Attestation Agent An agent for facilitating attestation protocols. Can be built as a library to run in a process-based enclave or built as a process that runs inside a confidential vm.

image-rs Rust implementation of the container image management library.

ocicrypt-rs Rust implementation of the OCI image encryption library.

api-server-rest CoCo Restful API server.

confidential-data-hub Confidential Data Hub.

coco-keyprovider CoCo Keyprovider. Used to encrypt the container images.

Tools

secret-cli Utility for sealing and unsealing sealed secrets

CDH Client A tool for exercising CDH endpoints

CDH Go Client A Go tool for exercising CDH endpoints

CDH (One Shot) One Shot version of CDH

CoCo Keyprovider Keyprovider endpoint for encrypting images

Build

A Makefile is provided to quickly build Attestation Agent/Api Server Rest/Confidential Data Hub for a given platform.

make build TEE_PLATFORM=$(TEE_PLATFORM)
make install DESTDIR=/usr/local/bin

The TEE_PLATFORM parameter can be

none: for tests with non-confidential guests
all: for all following platforms
fs: for platforms with encrypted root filesystems (i.e. s390x)
tdx: for Intel TDX
az-tdx-vtpm: for Intel TDX with Azure vTPM
sev: for AMD SEV(-ES)
snp: for AMD SEV-SNP
amd: for both AMD SEV(-ES) and AMD SEV-SNP
az-snp-vtpm: for AMD SEV-SNP with Azure vTPM
se: for IBM Secure Execution (SE)

by default, kbs/sev as a resource provider will be built in Confidential Data Hub. If you do not want enable any default except for only builtin offline-fs-kbc, you can build with NO_RESOURCE_PROVIDER flag set to true.

make build TEE_PLATFORM=$(TEE_PLATFORM) NO_RESOURCE_PROVIDER=true

Unit Test Coverage

Run the following command to generate the unit test coverage report.

cargo llvm-cov --ignore-filename-regex='(image-rs|ocicrypt-rs|confidential-data-hub/hub/src/bin/protos|attestation-agent/kbs_protocol/src/ttrpc_protos|attestation-agent/attestation-agent/src/bin/ttrpc_dep/ttrpc_protocol)/' \
    --ignore-run-fail -p attestation-agent \
    -p attester \
    -p crypto \
    -p resource_uri \
    -p kbs_protocol \
    -p confidential-data-hub \
    --features bin,ttrpc,rust-crypto,coco_as,kbs,aliyun,tdx-attester,system-attester \
    --html --no-default-features

Name		Name	Last commit message	Last commit date
Latest commit History 1,306 Commits
.github		.github
APPLICATION		APPLICATION
api-server-rest		api-server-rest
attestation-agent		attestation-agent
confidential-data-hub		confidential-data-hub
dist/dracut/modules.d		dist/dracut/modules.d
image-rs		image-rs
ocicrypt-rs		ocicrypt-rs
.dockerignore		.dockerignore
.gitignore		.gitignore
CODEOWNERS		CODEOWNERS
Cargo.lock		Cargo.lock
Cargo.toml		Cargo.toml
Dockerfile.aa		Dockerfile.aa
Dockerfile.cdh		Dockerfile.cdh
Dockerfile.ci		Dockerfile.ci
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
aa-start.sh		aa-start.sh
build-image-push.sh		build-image-push.sh
cdh-start.sh		cdh-start.sh
rust-toolchain		rust-toolchain
tdx-attest.conf		tdx-attest.conf
version-base.yml		version-base.yml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

Confidential Container Tools and Components

Components

Tools

Build

Unit Test Coverage

License

About

Uh oh!

Releases 3

Packages

Uh oh!

Languages

License

inclavare-containers/guest-components

Folders and files

Latest commit

History

Repository files navigation

Confidential Container Tools and Components

Components

Tools

Build

Unit Test Coverage

License

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases 3

Packages 0

Uh oh!

Languages

Packages