This repository includes tools and components for confidential container images.
- Attestation Agent: An agent for facilitating attestation protocols. It can be built as a library to run in a process-based enclave, or as a process that runs inside a confidential VM.
- image-rs: Rust implementation of the container image management library.
- ocicrypt-rs: Rust implementation of the OCI image encryption library.
- api-server-rest: CoCo RESTful API server.
- confidential-data-hub: Confidential Data Hub (CDH).
- coco-keyprovider: CoCo Keyprovider, used to encrypt container images.

Tools:

- secret-cli: Utility for sealing and unsealing sealed secrets.
- CDH Client: A tool for exercising CDH endpoints.
- CDH Go Client: A Go tool for exercising CDH endpoints.
- CDH (One Shot): One-shot version of CDH.
- CoCo Keyprovider: Keyprovider endpoint for encrypting images.
A Makefile is provided to quickly build Attestation Agent/Api Server Rest/Confidential Data Hub for a given platform.
    make build TEE_PLATFORM=$(TEE_PLATFORM)
    make install DESTDIR=/usr/local/bin

The TEE_PLATFORM parameter can be one of:

- none: for tests with non-confidential guests
- all: for all of the following platforms
- fs: for platforms with encrypted root filesystems (i.e. s390x)
- tdx: for Intel TDX
- az-tdx-vtpm: for Intel TDX with Azure vTPM
- sev: for AMD SEV(-ES)
- snp: for AMD SEV-SNP
- amd: for both AMD SEV(-ES) and AMD SEV-SNP
- az-snp-vtpm: for AMD SEV-SNP with Azure vTPM
- se: for IBM Secure Execution (SE)
By default, the kbs and sev resource providers are built into Confidential Data Hub. If you want none of the default providers and only the built-in offline-fs-kbc, build with the NO_RESOURCE_PROVIDER flag set to true:

    make build TEE_PLATFORM=$(TEE_PLATFORM) NO_RESOURCE_PROVIDER=true

The ttRPC and gRPC protos can be regenerated by running:

    make build-protos