This repository includes tools and components for confidential container images.
Attestation Agent An agent for facilitating attestation protocols. Can be built as a library to run in a process-based enclave or built as a process that runs inside a confidential vm.
image-rs Rust implementation of the container image management library.
ocicrypt-rs Rust implementation of the OCI image encryption library.
api-server-rest CoCo Restful API server.
confidential-data-hub Confidential Data Hub.
coco-keyprovider CoCo Keyprovider. Used to encrypt the container images.
secret-cli Utility for sealing and unsealing sealed secrets
CDH Client A tool for exercising CDH endpoints
CDH Go Client A Go tool for exercising CDH endpoints
CDH (One Shot) One Shot version of CDH
CoCo Keyprovider Keyprovider endpoint for encrypting images
A Makefile is provided to quickly build Attestation Agent/Api Server Rest/Confidential Data Hub for a given platform.
make build TEE_PLATFORM=$(TEE_PLATFORM)
make install DESTDIR=/usr/local/binThe TEE_PLATFORM parameter can be
none: for tests with non-confidential guestsall: for all following platformsfs: for platforms with encrypted root filesystems (i.e. s390x)tdx: for Intel TDXaz-tdx-vtpm: for Intel TDX with Azure vTPMsev: for AMD SEV(-ES)snp: for AMD SEV-SNPamd: for both AMD SEV(-ES) and AMD SEV-SNPaz-snp-vtpm: for AMD SEV-SNP with Azure vTPMse: for IBM Secure Execution (SE)
by default, kbs/sev as a resource provider will be built in Confidential Data Hub. If you do not want enable any
default except for only builtin offline-fs-kbc, you can build with NO_RESOURCE_PROVIDER flag set to true.
make build TEE_PLATFORM=$(TEE_PLATFORM) NO_RESOURCE_PROVIDER=trueWe provide the following types of release packages:
- RPM Packages: Including source packages (SRPMS) and binary packages (RPMS).
- Alibaba Cloud Linux 3
- AnolisOS 23
We provide reproducible builds implemented with GuanFu to ensure verifiability. This means that anyone can reproduce the same build results in the same environment.
For detailed instructions on how to perform local rebuilds, please refer to the Build Specifications README.
We generate SLSA Level 3+ provenance files to ensure supply chain security, providing additional trust guarantees for users.
Run the following command to generate the unit test coverage report.
cargo llvm-cov --ignore-filename-regex='(image-rs|ocicrypt-rs|confidential-data-hub/hub/src/bin/protos|attestation-agent/kbs_protocol/src/ttrpc_protos|attestation-agent/attestation-agent/src/bin/ttrpc_dep/ttrpc_protocol)/' \
--ignore-run-fail -p attestation-agent \
-p attester \
-p crypto \
-p resource_uri \
-p kbs_protocol \
-p confidential-data-hub \
--features bin,ttrpc,rust-crypto,coco_as,kbs,aliyun,tdx-attester,system-attester \
--html --no-default-features