{"id":13642081,"url":"https://github.com/intel/confidential-cloud-native-primitives","last_synced_at":"2026-01-11T03:38:02.194Z","repository":{"id":175291090,"uuid":"653556072","full_name":"intel/confidential-cloud-native-primitives","owner":"intel","description":"Build Trusted Chain for Cloud Native in Confidential Computing Envrionment","archived":true,"fork":false,"pushed_at":"2024-02-22T19:56:15.000Z","size":4167,"stargazers_count":22,"open_issues_count":5,"forks_count":12,"subscribers_count":8,"default_branch":"main","last_synced_at":"2024-04-14T09:39:01.793Z","etag":null,"topics":["cloud-native","confidential-computing","measurement","tcb","tdx","tpm","trusted-computing"],"latest_commit_sha":null,"homepage":"https://intel.github.io/confidential-cloud-native-primitives/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/intel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-14T09:24:24.000Z","updated_at":"2024-06-12T16:30:13.442Z","dependencies_parsed_at":null,"dependency_job_id":"ad491ba8-e961-4efd-8e0d-a3fb7c58fbe3","html_url":"https://github.com/intel/confidential-cloud-native-primitives","commit_stats":{"total_commits":220,"total_committers":19,"mean_commits":"11.578947368421053","dds":0.7772727272727273,"last_synced_commit":"70d8f9285191bb95ae0ba97255eee1ca3e0628b7"},"previous_names":["intel/confidential-cloud-native-primitives"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposit
ories/intel%2Fconfidential-cloud-native-primitives","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/intel%2Fconfidential-cloud-native-primitives/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/intel%2Fconfidential-cloud-native-primitives/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/intel%2Fconfidential-cloud-native-primitives/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/intel","download_url":"https://codeload.github.com/intel/confidential-cloud-native-primitives/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249918700,"owners_count":21345405,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud-native","confidential-computing","measurement","tcb","tdx","tpm","trusted-computing"],"created_at":"2024-08-02T01:01:27.245Z","updated_at":"2026-01-11T03:38:02.144Z","avatar_url":"https://github.com/intel.png","language":"Go","funding_links":[],"categories":["Beyond SGX Enclave Projects"],"sub_categories":["Memory Protection"],"readme":"PROJECT NOT UNDER ACTIVE MANAGEMENT\n\nThis project will no longer be maintained by Intel.\n\nIntel has ceased development and contributions including, but not limited to, maintenance, bug fixes, new releases, or updates, to this project.  
\n\nIntel no longer accepts patches to this project.\n\nIf you have an ongoing need to use this project, are interested in independently developing it, or would like to maintain patches for the open source software community, please create your own fork of this project.  \n\nContact: webadmin@linux.intel.com\n\n\u003e [!NOTE] \n\u003e The project has been moved to CC-API organization. Go to https://github.com/cc-api/confidential-cloud-native-primitives for more information.\n\n# Confidential Cloud-Native Primitives (CCNP)\n\n![CI Check License](https://github.com/intel/confidential-cloud-native-primitives/actions/workflows/pr-license-python.yaml/badge.svg)\n![CI Check Spelling](https://github.com/intel/confidential-cloud-native-primitives/actions/workflows/pr-doclint.yaml/badge.svg)\n![CI Check Python](https://github.com/intel/confidential-cloud-native-primitives/actions/workflows/pr-pylint.yaml/badge.svg)\n![CI Check Shell](https://github.com/intel/confidential-cloud-native-primitives/actions/workflows/pr-shell-check.yaml/badge.svg)\n![CI Check Rust](https://github.com/intel/confidential-cloud-native-primitives/actions/workflows/pr-check-rust.yaml/badge.svg)\n![CI Check Golang](https://github.com/intel/confidential-cloud-native-primitives/actions/workflows/pr-golang-check.yaml/badge.svg)\n![CI Check Container](https://github.com/intel/confidential-cloud-native-primitives/actions/workflows/pr-container-check.yaml/badge.svg)\n![CC Foundation Image Customize](https://github.com/intel/confidential-cloud-native-primitives/actions/workflows/image-rewriter.yaml/badge.svg)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8325/badge)](https://www.bestpractices.dev/projects/8325)\n\n## 1. 
Introduction\n\nConfidential Computing technologies like Intel® TDX provide an isolated encrypted runtime\nenvironment to protect data-in-use based on a hardware Trusted Execution Environment (TEE).\nThis requires a full-chain integrity measurement of the launch-time or runtime environment\nto guarantee \"consistent behavior in an expected way\" of the confidential\ncomputing environment for the tenant's zero-trust use case.\n\nThis project is designed to provide cloud native measurement for the full measurement\nchain from TEE TCB -\u003e Firmware TCB -\u003e Guest OS TCB -\u003e Cloud Native TCB as follows:\n\n![](/docs/cc-full-meaurement-chain.png)\n\n_NOTE: Different from traditional trusted computing in a non-confidential environment,\nthe measurement chain does not only start with the Guest's `SRTM` (Static Root Of Measurement)\nbut also needs to include the TEE TCB, because the CC VM environment is created by the TEE\nvia `DRTM` (Dynamic Root of Measurement) like Intel® TXT on the host._\n\nFrom the perspective of a tenant's workload, `CCNP` will expose the [CC Trusted API](https://github.com/cc-api/cc-trusted-api)\nas the unified interface across diverse trusted foundations like `RTMR+MRTD+CCEL`\nand `PCR+TPM2`. 
Learn more details of the CCNP design in the [CCNP documentation](https://intel.github.io/confidential-cloud-native-primitives/).\n\n![](/docs/ccnp-architecture-high-level.png)\n\nFinally, the full trusted chain will be measured into a CC report as follows, using Intel TDX as an example:\n\n![](/docs/cc-full-measurement-tdreport.png)\n\n_NOTE:_\n\n- The measurement of the TEE, the Guest's boot and the OS is per CC VM, but cluster/container measurement\nmight be per cluster/namespace/container for a cloud native architecture.\n- Please refer to the structure [`TDREPORT`](https://github.com/tianocore/edk2/blob/master/MdePkg/Include/IndustryStandard/Tdx.h).\n- The CCNP project collects container level primitives by implementing the unified APIs defined in [CC Trusted API](https://github.com/cc-api/cc-trusted-api). The project will be moved to [CC Trusted API](https://github.com/cc-api/cc-trusted-api) in the near future.\n\n\n## 2. Installation\n\n### 2.1 Configuration for Host and Guest\n\nCCNP collects primitives of confidential cloud native environments running in confidential VMs (CVM), such as an Intel TDX guest. The primitives come not only from the TEE + CVM boot process + CVM OS but also from the environments running workloads, e.g. a Kubernetes cluster or Docker containers. Thus, you need to check the configuration below for both hosts and guests.\n\nYou can set up an Intel TDX enlightened host and then boot a TD guest on it. 
The feasible configurations are as below.\n\n|  CPU | Host OS  | Host packages  | Guest OS  | Guest packages  | Attestation packages |\n|---|---|---|---|---|---|\n|  Intel® Emerald Rapids | Ubuntu 22.04| Build packages referring to [here](https://github.com/intel/tdx-tools/tree/tdx-1.5/build/ubuntu-22.04) | Ubuntu 22.04 | Build packages referring to [here](https://github.com/intel/tdx-tools/tree/tdx-1.5/build/ubuntu-22.04) | You can either use containerized [PCCS](https://github.com/intel/confidential-cloud-native-primitives/tree/main/container/pccs), [QGS](https://github.com/intel/confidential-cloud-native-primitives/tree/main/container/qgs) or install packages from [here](https://download.01.org/intel-sgx/sgx-dcap/1.19/linux/distro/ubuntu22.04-server/) |\n| Intel® Emerald Rapids | Ubuntu 23.10 | Set up the TDX host referring to [here](https://github.com/canonical/tdx) | Ubuntu 22.04 | Build packages referring to [here](https://github.com/intel/tdx-tools/tree/tdx-1.5/build/ubuntu-22.04)| Set up containerized [PCCS](https://github.com/intel/confidential-cloud-native-primitives/tree/main/container/pccs) and [QGS](https://github.com/intel/confidential-cloud-native-primitives/tree/main/container/qgs) on the host |\n\n_NOTE: The Platform certificate caching service (PCCS) is used to retrieve PCK certificates from Intel's Platform Certificate Service and cache them locally to your cluster. This is necessary to attest the authenticity of a TD guest before a workload is started in it. The Quote Generation Service (QGS) runs on the host in a specialized enclave to generate and use TD quotes. For convenient setup these can run inside a Docker container. Learn more at https://download.01.org/intel-sgx/sgx-dcap/1.17/linux/docs/Intel_TDX_DCAP_Quoting_Library_API.pdf. The PCCS and QGS are used to get a Quote for a TD guest. They need to be installed on TDX hosts._\n\n### 2.2 Deploy CCNP Services in Confidential VM\n\n_NOTE: the following installation will be performed in a confidential VM. 
Make sure you have a confidential VM booted before moving forward._\n\nCCNP services can be deployed as DaemonSets in a Kubernetes cluster or as docker containers on a single confidential VM. Please refer to the guides below for the different deployment environments.\n\n- [CCNP deployment guide - K8S](deployment/README.md): on a confidential VM node of a Kubernetes cluster.\n\n- [CCNP deployment guide - Docker](deployment/README.md): on a confidential VM using docker compose.\n\n### 2.3 Install SDK\n\nThe CCNP SDK can be used by a workload for collecting cloud native primitives. It needs to be installed within the workload container image and called whenever the primitives are required. For example, in a workload written in Python, you can install the SDK from PyPI using the command:\n\n```\npip install ccnp\n```\n\nAlternatively, CCNP can be installed from source code. Make sure to clone the repository into your confidential VM and then run the following command:\n\n```\ncd sdk/python3\npip install -e .\n```\n\n### 2.4 Install CCNP Device Plugin\nFollow the CCNP device plugin [Installation Guide](device-plugin/ccnp-device-plugin/README.md).\n\n## 3. Contributing\n\nThis project welcomes contributions and suggestions. Most contributions require\nyou to agree to a Contributor License Agreement (CLA) declaring that you have the\nright to, and actually do, grant us the rights to use your contribution. For details,\ncontact the maintainers of the project.\n\nWhen you submit a pull request, a CLA-bot will automatically determine whether you\nneed to provide a CLA and decorate the PR appropriately (e.g., label, comment).\nSimply follow the instructions provided by the bot. You will only need to do this\nonce across all repos using our CLA.\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for details on building, testing, and contributing\nto these libraries.\n\n## 4. 
Provide Feedback\n\nIf you encounter any bugs or have suggestions, please file an issue in the Issues\nsection of the project.\n\n\n_Note: This is pre-production software and, as such, it may be substantially modified as updated versions are made available._\n\n## 5. Reference\n\n[Trusted Computing](https://en.wikipedia.org/wiki/Trusted_Computing)\n\n[TCG PC Client Platform TPM Profile Specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/)\n\n[TCG PC Client Platform Firmware Profile Specification](https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/)\n\n## 6. Contributors\n\n\u003c!-- spell-checker: disable --\u003e\n\n\u003c!-- readme: contributors -start --\u003e\n\u003ctable\u003e\n\u003ctr\u003e\n    \u003ctd align=\"center\"\u003e\n        \u003ca href=\"https://github.com/Ruoyu-y\"\u003e\n            \u003cimg src=\"https://avatars.githubusercontent.com/u/70305231?v=4\" width=\"100;\" alt=\"Ruoyu-y\"/\u003e\n            \u003cbr /\u003e\n            \u003csub\u003e\u003cb\u003eRuoyu Ying\u003c/b\u003e\u003c/sub\u003e\n        \u003c/a\u003e\n    \u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\n        \u003ca href=\"https://github.com/hairongchen\"\u003e\n            \u003cimg src=\"https://avatars.githubusercontent.com/u/105473940?v=4\" width=\"100;\" alt=\"hairongchen\"/\u003e\n            \u003cbr /\u003e\n            \u003csub\u003e\u003cb\u003eHairongchen\u003c/b\u003e\u003c/sub\u003e\n        \u003c/a\u003e\n    \u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\n        \u003ca href=\"https://github.com/kenplusplus\"\u003e\n            \u003cimg src=\"https://avatars.githubusercontent.com/u/31843217?v=4\" width=\"100;\" alt=\"kenplusplus\"/\u003e\n            \u003cbr /\u003e\n            \u003csub\u003e\u003cb\u003eLu Ken\u003c/b\u003e\u003c/sub\u003e\n        \u003c/a\u003e\n    \u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\n        
\u003ca href=\"https://github.com/hjh189\"\u003e\n            \u003cimg src=\"https://avatars.githubusercontent.com/u/88485603?v=4\" width=\"100;\" alt=\"hjh189\"/\u003e\n            \u003cbr /\u003e\n            \u003csub\u003e\u003cb\u003eJiahao  Huang\u003c/b\u003e\u003c/sub\u003e\n        \u003c/a\u003e\n    \u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\n        \u003ca href=\"https://github.com/ruomengh\"\u003e\n            \u003cimg src=\"https://avatars.githubusercontent.com/u/90233733?v=4\" width=\"100;\" alt=\"ruomengh\"/\u003e\n            \u003cbr /\u003e\n            \u003csub\u003e\u003cb\u003eRuomeng Hao\u003c/b\u003e\u003c/sub\u003e\n        \u003c/a\u003e\n    \u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\n        \u003ca href=\"https://github.com/HaokunX-intel\"\u003e\n            \u003cimg src=\"https://avatars.githubusercontent.com/u/108452001?v=4\" width=\"100;\" alt=\"HaokunX-intel\"/\u003e\n            \u003cbr /\u003e\n            \u003csub\u003e\u003cb\u003eHaokun Xing\u003c/b\u003e\u003c/sub\u003e\n        \u003c/a\u003e\n    \u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\n    \u003ctd align=\"center\"\u003e\n        \u003ca href=\"https://github.com/hwang37\"\u003e\n            \u003cimg src=\"https://avatars.githubusercontent.com/u/36193324?v=4\" width=\"100;\" alt=\"hwang37\"/\u003e\n            \u003cbr /\u003e\n            \u003csub\u003e\u003cb\u003eWang, Hongbo\u003c/b\u003e\u003c/sub\u003e\n        \u003c/a\u003e\n    \u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\n        \u003ca href=\"https://github.com/dongx1x\"\u003e\n            \u003cimg src=\"https://avatars.githubusercontent.com/u/34326010?v=4\" width=\"100;\" alt=\"dongx1x\"/\u003e\n            \u003cbr /\u003e\n            \u003csub\u003e\u003cb\u003eXiaocheng Dong\u003c/b\u003e\u003c/sub\u003e\n        \u003c/a\u003e\n    \u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\n        \u003ca href=\"https://github.com/LeiZhou-97\"\u003e\n            
\u003cimg src=\"https://avatars.githubusercontent.com/u/102779531?v=4\" width=\"100;\" alt=\"LeiZhou-97\"/\u003e\n            \u003cbr /\u003e\n            \u003csub\u003e\u003cb\u003eLeiZhou\u003c/b\u003e\u003c/sub\u003e\n        \u003c/a\u003e\n    \u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\n        \u003ca href=\"https://github.com/Yanbo0101\"\u003e\n            \u003cimg src=\"https://avatars.githubusercontent.com/u/110962880?v=4\" width=\"100;\" alt=\"Yanbo0101\"/\u003e\n            \u003cbr /\u003e\n            \u003csub\u003e\u003cb\u003eYanbo Xu\u003c/b\u003e\u003c/sub\u003e\n        \u003c/a\u003e\n    \u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\n        \u003ca href=\"https://github.com/jialeif\"\u003e\n            \u003cimg src=\"https://avatars.githubusercontent.com/u/88661406?v=4\" width=\"100;\" alt=\"jialeif\"/\u003e\n            \u003cbr /\u003e\n            \u003csub\u003e\u003cb\u003eJialei Feng\u003c/b\u003e\u003c/sub\u003e\n        \u003c/a\u003e\n    \u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\n        \u003ca href=\"https://github.com/jiere\"\u003e\n            \u003cimg src=\"https://avatars.githubusercontent.com/u/6448681?v=4\" width=\"100;\" alt=\"jiere\"/\u003e\n            \u003cbr /\u003e\n            \u003csub\u003e\u003cb\u003eJie Ren\u003c/b\u003e\u003c/sub\u003e\n        \u003c/a\u003e\n    \u003c/td\u003e\u003c/tr\u003e\n\u003ctr\u003e\n    \u003ctd align=\"center\"\u003e\n        \u003ca href=\"https://github.com/rdower\"\u003e\n            \u003cimg src=\"https://avatars.githubusercontent.com/u/15023397?v=4\" width=\"100;\" alt=\"rdower\"/\u003e\n            \u003cbr /\u003e\n            \u003csub\u003e\u003cb\u003eRobert Dower\u003c/b\u003e\u003c/sub\u003e\n        \u003c/a\u003e\n    \u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\n        \u003ca href=\"https://github.com/zhlsunshine\"\u003e\n            \u003cimg src=\"https://avatars.githubusercontent.com/u/4101246?v=4\" width=\"100;\" 
alt=\"zhlsunshine\"/\u003e\n            \u003cbr /\u003e\n            \u003csub\u003e\u003cb\u003eSteve Zhang\u003c/b\u003e\u003c/sub\u003e\n        \u003c/a\u003e\n    \u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\n        \u003ca href=\"https://github.com/wenhuizhang\"\u003e\n            \u003cimg src=\"https://avatars.githubusercontent.com/u/2313277?v=4\" width=\"100;\" alt=\"wenhuizhang\"/\u003e\n            \u003cbr /\u003e\n            \u003csub\u003e\u003cb\u003eWenhui Zhang\u003c/b\u003e\u003c/sub\u003e\n        \u003c/a\u003e\n    \u003c/td\u003e\u003c/tr\u003e\n\u003c/table\u003e\n\u003c!-- readme: contributors -end --\u003e\n\n\u003c!-- spell-checker: enable --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fintel%2Fconfidential-cloud-native-primitives","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fintel%2Fconfidential-cloud-native-primitives","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fintel%2Fconfidential-cloud-native-primitives/lists"}