Skip to content

Latest commit

 

History

History
81 lines (60 loc) · 3.09 KB

File metadata and controls

81 lines (60 loc) · 3.09 KB

KBS Cluster

KBS provides a simple cluster defined by docker-compose, include itself, Attestation Service, Reference Value Provider Service and CoCo Keyprovider

Users can use very simple command to:

  • launch KBS service.
  • encrypt images.

Architecture

Start-Up

Run the cluster

git clone https://github.com/confidential-containers/trustee.git
cd trustee
docker compose up -d

The setup container initializes files under kbs/config/docker-compose/ automatically:

  • private.key / public.pub: admin JWT signer and verifier keys for KBS admin API.

  • admin-token: long-lived admin bearer token for local development.

  • ca-cert.pem, token.key, token-cert-chain.pem and related files: attestation token signing and trust chain material used by AS and KBS.

    • token.key + token-cert-chain.pem — configured as AS signer to sign JWTs.
    • ca-cert.pem — root CA listed in KBS [attestation_token].trusted_certs_paths so KBS can validate the x5c chain in token headers.

    See Attestation Token Verification for how these files fit together.

Use the generated admin token with kbs-client:

kbs-client config \
  --url http://127.0.0.1:8080 \
  --admin-token-file kbs/config/docker-compose/admin-token \
  set-resource-policy --allow-all

If --admin-token-file is omitted, kbs-client resolves the admin bearer token in this order:

  1. kbs/config/docker-compose/admin-token — relative to the current working directory (typically the repository root after cd trustee). This file is created by the setup service when the docker-compose trustee starts.
  2. $HOME/.trustee/admin-token — used only when $HOME is set and the file exists.
  3. No token — admin requests are sent without authentication. This only works when KBS admin.authorization_mode is InsecureAllowAll. The docker-compose cluster defaults to AuthenticatedAuthorization, so you need a token from step 1 or 2 (or pass --admin-token-file explicitly).

Note that by default the KBS cluster blocks sample evidence. If you are testing with sample evidence you will need to set a more permissive resource policy.

Then the kbs cluster is launched.

Use skopeo to encrypt an image

# edit ocicrypt.conf
tee > ocicrypt.conf <<EOF
{
    "key-providers": {
        "attestation-agent": {
            "grpc": "127.0.0.1:50000"
        }
    }
}
EOF

# encrypt the image
OCICRYPT_KEYPROVIDER_CONFIG=ocicrypt.conf skopeo copy --insecure-policy --encryption-key provider:attestation-agent docker://busybox oci:busybox_encrypted

The image will be encrypted, and things happens in the background include:

  • CoCo Keyprovider generates a random KEK and a key id. Then encrypts the image using the KEK.
  • CoCo Keyprovider registers the KEK with key id into KBS.

If use the same KBS for key brokering, the image can be decrypted.