Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/intel/confidential-cloud-native-primitives
Build Trusted Chain for Cloud Native in Confidential Computing Envrionment
https://github.com/intel/confidential-cloud-native-primitives
cloud-native confidential-computing measurement tcb tdx tpm trusted-computing
Last synced: about 1 month ago
JSON representation
Build Trusted Chain for Cloud Native in Confidential Computing Envrionment
- Host: GitHub
- URL: https://github.com/intel/confidential-cloud-native-primitives
- Owner: intel
- License: apache-2.0
- Archived: true
- Created: 2023-06-14T09:24:24.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-02-22T19:56:15.000Z (10 months ago)
- Last Synced: 2024-04-14T09:39:01.793Z (8 months ago)
- Topics: cloud-native, confidential-computing, measurement, tcb, tdx, tpm, trusted-computing
- Language: Go
- Homepage: https://intel.github.io/confidential-cloud-native-primitives/
- Size: 3.97 MB
- Stars: 22
- Watchers: 8
- Forks: 12
- Open Issues: 5
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md
Awesome Lists containing this project
- Awesome-SGX-Open-Source - https://github.com/intel/confidential-cloud-native-primitives
README
PROJECT NOT UNDER ACTIVE MANAGEMENT
This project will no longer be maintained by Intel.
Intel has ceased development and contributions including, but not limited to, maintenance, bug fixes, new releases, or updates, to this project.
Intel no longer accepts patches to this project.
If you have an ongoing need to use this project, are interested in independently developing it, or would like to maintain patches for the open source software community, please create your own fork of this project.
Contact: [email protected]
> [!NOTE]
> The project has been moved to CC-API organization. Go to https://github.com/cc-api/confidential-cloud-native-primitives for more information.
# Confidential Cloud-Native Primitives (CCNP)
[](https://www.bestpractices.dev/projects/8325)
## 1. Introduction
Confidential Computing technologies like Intel® TDX provides an isolated encryption runtime
environment to protect data-in-use based on hardware Trusted Execution Environment (TEE).
It requires a full chain integrity measurement on the launch-time or runtime environment
to guarantee "consistent behavior in an expected way" of confidential
computing environment for tenant's zero-trust use case.
This project is designed to provide cloud native measurement for the full measurement
chain from TEE TCB -> Firmware TCB -> Guest OS TCB -> Cloud Native TCB as follows:
_NOTE: Different from traditional trusted computing on non-confidential environment,
the measurement chain is not only started with Guest's `SRTM` (Static Root Of Measurement)
but it also needs to include the TEE TCB because the CC VM environment is created by TEE
via `DRTM` (Dynamic Root of Measurement) like Intel® TXT on the host._
From the perspective of a tenant's workload, `CCNP` will expose the [CC Trusted API](https://github.com/cc-api/cc-trusted-api)
as the unified interfaces across diverse trusted foundations like `RTMR+MRTD+CCEL`
and `PCR+TPM2`. Learn more details of CCNP design at [CCNP documentation](https://intel.github.io/confidential-cloud-native-primitives/).
Finally, the full trusted chain will be measured into a CC report as follows using Intel TDX as an example:
_NOTE:_
- The measurement of TEE, Guest's boot, OS is per CC VM, but cluster/container measurement
might be per cluster/namespace/container for cloud native architecture.
- Please refer to structure [`TDREPORT`](https://github.com/tianocore/edk2/blob/master/MdePkg/Include/IndustryStandard/Tdx.h).
- The CCNP project collects container level primitives by implementing unified APIs defined in [CC Trusted API](https://github.com/cc-api/cc-trusted-api). The project will be moved to [CC Trusted API](https://github.com/cc-api/cc-trusted-api) in the near future.
## 2. Installation
### 2.1 Configuration for Host and Guest for Host and Guest
CCNP collects primitives of confidential cloud native environments running in confidential VMs (CVM), such as Intel TDX guest. The primitives are not only from the TEE + CVM boot process + CVM OS but also from the environments running workloads, e.g. Kubernetes cluster or Docker containers. Thus, you need to check below configuration for both hosts and guests.
You can setup an Intel TDX enlightened host and then boot a TD guest on it. The feasible configurations are as below.
| CPU | Host OS | Host packages | Guest OS | Guest packages | Attestation packages |
|---|---|---|---|---|---|
| Intel® Emerald Rapids | Ubuntu 22.04| Build packages referring to [here](https://github.com/intel/tdx-tools/tree/tdx-1.5/build/ubuntu-22.04) | Ubuntu 22.04 | Build packages referring to [here](https://github.com/intel/tdx-tools/tree/tdx-1.5/build/ubuntu-22.04) | You can either use containerized [PCCS](https://github.com/intel/confidential-cloud-native-primitives/tree/main/container/pccs), [QGS](https://github.com/intel/confidential-cloud-native-primitives/tree/main/container/qgs) or install packages from [here](https://download.01.org/intel-sgx/sgx-dcap/1.19/linux/distro/ubuntu22.04-server/)
| Intel® Emerald Rapids | Ubuntu 23.10 | Setup TDX host referring to [here](https://github.com/canonical/tdx) | Ubuntu 22.04 | Build packages referring to [here](https://github.com/intel/tdx-tools/tree/tdx-1.5/build/ubuntu-22.04)| Setup containerized [PCCS](https://github.com/intel/confidential-cloud-native-primitives/tree/main/container/pccs) and [QGS](https://github.com/intel/confidential-cloud-native-primitives/tree/main/container/qgs) on the host |
_NOTE: The Platform certificate caching service (PCCS) is used to retrieve and cache PCK certificates locally to your cluster from Intel's Platform Certificate Service. This is necessary to attest the authenticity of a TD guest before a workload is started in it. The Quote Generate Service (QGS) runs on the host in a specialized enclave to generate and use TD quotes. For convenient setup these can run inside a Docker container. Learn more at https://download.01.org/intel-sgx/sgx-dcap/1.17/linux/docs/Intel_TDX_DCAP_Quoting_Library_API.pdf. The PCCS and QGS are used to get Quote for a TD guest. They need to be installed on TDX hosts._
### 2.2 Deploy CCNP Services in Confidential VM
_NOTE: the following installation will be performed in a confidential VM. Make sure you have confidential VM booted before moving forward._
It supports to deploy CCNP services as DaemonSets in Kubernetes cluster or docker containers on a single confidential VM. Please refer to below guides for different deployment environments.
- [CCNP deployment guide - K8S](deployment/README.md): on confidential VM node of Kubernetes cluster.
- [CCNP deployment guide - Docker](deployment/README.md): on confidential VM using docker compose.
### 2.3 Install SDK
CCNP SDK can be used by a workload for cloud native primitives collecting. It needs to be installed within the workload container image and called whenever the primitives are required. For example, in your workload written in Python, you can install the SDK from PyPI using the command:
```
pip install ccnp
```
Alternatively, the CCNP can be installed from source code with the following command. Make sure to clone the repository into your confidential VM and then run the following command:
```
cd sdk/python3
pip install -e .
```
### 2.4 Install CCNP Device Plugin
Follow the CCNP device plugin [Installation Guide](device-plugin/ccnp-device-plugin/README.md).
## 3. Contributing
This project welcomes contributions and suggestions. Most contributions require
you to agree to a Contributor License Agreement (CLA) declaring that you have the
right to, and actually do, grant us the rights to use your contribution. For details,
contact the maintainers of the project.
When you submit a pull request, a CLA-bot will automatically determine whether you
need to provide a CLA and decorate the PR appropriately (e.g., label, comment).
Simply follow the instructions provided by the bot. You will only need to do this
once across all repos using our CLA.
See [CONTRIBUTING.md](CONTRIBUTING.md) for details on building, testing, and contributing
to these libraries.
## 4. Provide Feedback
If you encounter any bugs or have suggestions, please file an issue in the Issues
section of the project.
_Note: This is pre-production software and, as such, it may be substantially modified as updated versions are made available._
## 5. Reference
[Trusted Computing](https://en.wikipedia.org/wiki/Trusted_Computing)
[TCG PC Client Platform TPM Profile Specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/)
[TCG PC Client Platform Firmware Profile Specification](https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/)
## 6. Contributors
Ruoyu Ying
Hairongchen
Lu Ken
Jiahao Huang
Ruomeng Hao
Haokun Xing
Wang, Hongbo
Xiaocheng Dong
LeiZhou
Yanbo Xu
Jialei Feng
Jie Ren
