Comments (7)
Thanks for the quick reply! Is the breaking change introduced by confidential-containers/image-rs@cf2d6d0?
Yes
Thanks. We will want to update image-rs to a point without the breakages to get the dependency/performance updates. We just need to agree what sha the v0.4.0 will point to.
from enclave-cc.
Hi, there is a problem for enclave-cc. Now the test CI under review uses eaa-kbc for confidential resource brokering (both image decryption keys and policy/signature verification key, etc.). However, currently verdictd does not support the same addressing mode as KBS URI. So there might be two options for us:
- Use a fixed version of Attestation-Agent and Verdictd in CI and a fixed rev of image-rs and keep @huliucheng1's CI. When SGX verifier support is ready in Attestation Service, we can migrate from eaa-verdictd to CC-KBC, CC-KBS and update the image-rs version. The reason for this is that the new image-rs (developing) and AA (reviewing) will use KBS URI to index resources, and currently confidential resource brokering is not a key problem enclave-cc faces.
- Refactor Verdictd to fit in the KBS URI scheme. This can keep the AA and image-rs versions up-to-date. However, this will take much effort to refactor verdictd, and might make us abandon the CI that @huliucheng1 has already put great effort into. It's unwise and ruthless.
I prefer option 1, although there will be a time before AS supports SGX verification during which we should use v0.3.0 AA and image-rs.
cc @hairongchen @mythi @haosanzi
from enclave-cc.
@Xynnn007 thanks for the heads-up and sorry for the late reply (it was triggered by @fidencio's PR :-)
I haven't followed the latest attestation-agent/image-rs changes. #110 triggers a test failure with an image I had encrypted using sample-kbs a long time ago. Is this related to what you're describing above or something different?
#97 I'm not yet too worried about because it's still WIP and needs a lot of rework still.
from enclave-cc.
I haven't followed the latest attestation-agent/image-rs changes. #110 triggers a test failure with an image I had encrypted using sample-kbs a long time ago. Is this related to what you're describing above or something different?
Yes, that is part of the things I've mentioned. We now have a unified format of AnnotationPacket in encrypted images in attestation-agent. The effect is that all the images to be decrypted using the previous eaa-kbc and sample-kbc will not pass.
A temporary solution is to still use the old version of image-rs (which imports attestation-agent as a dependency). In the future we can remake new test images with the new key provider, which is still under development.
from enclave-cc.
Thanks for the quick reply! Is the breaking change introduced by confidential-containers/image-rs@cf2d6d0?
from enclave-cc.
Thanks for the quick reply! Is the breaking change introduced by confidential-containers/image-rs@cf2d6d0?
Yes
from enclave-cc.
cc @fidencio
from enclave-cc.