Add cca-kata (Run Confidentail Containers using Arm CCA and Trustee) Learning Path #2642
Conversation
… Arm CCA and Trustee) Learning Path Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
anta5010
changed the title
|
moved to draft and merging into main for tech review |
paulhowardarm
left a comment
paulhowardarm
left a comment
There was a problem hiding this comment.
Excellent LP. Thanks, Anton. I was tempted to suggest we could do a little more concept explaining in the text. But thinking about it, we have probably progressed beyond the need to do too much of that, and we are correctly referencing earlier LPs that do more of this, so I think it's probably fine as it is. Most of my comments have ended up more editorial than technical.
| @@ -0,0 +1,66 @@ | |||
| --- | |||
| title: Run Confidentail Containers with encrypted images using Arm CCA and Trustee | |||
|
|
|||
|
|
||
| learning_objectives: | ||
| - Overview of Confidential Containers | ||
| - Understand how Trustee services are used for CCA realm attestation to unlock the confidential processing of data. |
There was a problem hiding this comment.
Nitpick: "CCA realm attestation" should either be expanded to "CCA realm and platform attestation" or contracted to just "CCA attestation" (rather than specifically saying "realm", due to the way that CCA attestation is partitioned into realm/platform, and we need to consider both).
| learning_objectives: | ||
| - Overview of Confidential Containers | ||
| - Understand how Trustee services are used for CCA realm attestation to unlock the confidential processing of data. | ||
| - Use an encrypted image to deploy a Confidential Containers in a CCA realm on an Armv9-A AEM Base Fixed Virtual Platform (FVP) that has support for RME extensions. |
There was a problem hiding this comment.
Grammar "a Confidential Containers"
| --- | ||
|
|
||
|
|
||
| ## Confidentail Containers |
There was a problem hiding this comment.
Typo: "Confidentail"
|
|
||
| ## Design overview | ||
|
|
||
| Confidential computing projects are largely defined by what is inside the enclave and what is not. |
There was a problem hiding this comment.
Suggest we try to stabilise terminology, because we've just slid from "Trusted Execution Environments" to "enclave". I would introduce the term "Trusted Execution Environment (TEE)" in the opening paragraph, since it's fairly industry-standard now, and then use TEE throughout.
| Confidential Containers also provides components inside the guest and elsewhere to facilitate attestation. | ||
| Attestation is a crucial part of confidential computing and a direct requirement of many guest operations. | ||
| For example, to unpack an encrypted container image, the guest must retrieve a secret key. | ||
| Inside the guest the **confidential-data-hub** and **attestation-agent** handle operations involving secrets and attestation. |
There was a problem hiding this comment.
Let's make sure we clearly link the terms to their acronyms that are used further down: introduce as "Confidential Data Hub (CDH)" and "Attestation Agent (AA)".
| This is a simplified diagram of the attestation process | ||
|  | ||
|
|
||
| In this Learnig Path the attestation process will be used to obtain an encryption key required to decrypt a container image. |
| @@ -0,0 +1,304 @@ | |||
| --- | |||
| # User change | |||
| title: Run confidentail containers with encrypted images using Arm CCA and Trustee | |||
| ``` | ||
| {{% /notice %}} | ||
|
|
||
| You have successfully run a confidentail container with Arm CCA using an encrypted image. |
3 participants
Before submitting a pull request for a new Learning Path, please review Create a Learning Path
Please do not include any confidential information in your contribution. This includes confidential microarchitecture details and unannounced product information.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the Creative Commons Attribution 4.0 International License.