This repository has been archived by the owner on Jul 20, 2023. It is now read-only.

Acronyms

Christophe de Dinechin edited this page May 5, 2023 · 44 revisions


Note:

Many terms not defined here are defined in the Kata Containers glossary.

See also the Glossary page.


0-9 | A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z


0-9

A

AA

Attestation agent.

AE

Authenticated Encryption.

AEAD

Authenticated encryption with associated data.

AEK

Algorithm Encryption Key.

ARK

AMD Root Key.

ASK

AMD SEV Key.

AP

IBM Adjunct Processor.

AS

B

C

CA

Certificate Authority.

CC

Confidential Computing or Confidential Containers.

CCA

ARM Confidential Computing Architecture.

CCC

Confidential Computing Consortium.

CEK

AMD Chip Endorsement Key. See also VCEK.

CFV

Configuration Firmware Volume.

CNCF

Cloud Native Computing Foundation.

CNS

Cloud Native Security.

COCO

Another term for CC.

CRL

Certificate Revocation List.

CSI

Container Storage Interface.

CSP

Cloud Service Provider or Cryptographic Service Provider.

D

DCT

Docker Content Trust.

DSS

Digital Signature Standard.

E

E2E

End to end.

EAA

Enclave Attestation Architecture.

ECDSA

Elliptic Curve Digital Signature Algorithm.

EFI

Extensible Firmware Interface.

EHD

Enclave Held Data.

ES

See SEV-ES.

F

FIPS

Federal Information Processing Standards.

FV

Firmware Volume. See Configuration Firmware Volume.

FW

Firmware.

G

GCM

Galois/Counter Mode.

GOP

Guest Owner Proxy, another term for Key Broker Service. In the context of EFI firmware, refers to Graphics Output Protocol.

GSC

Gramine Shielded Containers.

GUID

Globally Unique Identifier.

See also UUID.

H

HE

Homomorphic encryption.

HKD

Host key document, IBM-specific host certificate.

HSM

Hardware security module.

HW-TEE

Hardware-based trusted execution environment.

I

IAAS

Infrastructure as a Service.

ISECL

Intel Security Libraries for the Data Center.

ISV

Independent Software Vendor.

J

K

KBC

Key broker client.

KBS

Key broker service.

KDS

AMD Key Derivation Service, allowing cloud providers to generate keys for their customers.

KEK

Key Encryption Key.

KMIP

Key Management Interoperability Protocol.

KMS

Key Management Service.

KPP

Key Provider Protocol.

L

LA

Local attestation.

LEK

Layer Encryption Key.

LUKS

Linux Unified Key Setup, Linux disk encryption specification used by dm-crypt and cryptsetup.

M

MIM

Alternate form for MITM.

MITM

Man in the middle or, more infrequently, Meet in the middle, two forms of attack.

N

O

OCA

Owner's Certificate Authority, a certificate and key used to provision AMD SEV systems.

OEM

Original Equipment Manufacturer.

OPA

Open Policy Agent, policy-based control for cloud native environments.

OVMF

Open VM Firmware, UEFI firmware used by hypervisors.

P

PAL

Platform Adaptation Layer.

PCR

Platform Configuration Register.

PDH

Platform Diffie-Hellman Key.

PEF

Protected Execution Facility.

PEK

AMD Platform Endorsement Key, an asymmetric signing key generated during one-time configuration, used to sign the PDH.

PEM

Privacy Enhanced Mail.

PKCS

Public Key Cryptography Standards.

PKI

Public Key Infrastructure.

PLBCO

Private Layer Block Cipher Options.

PSP

Platform Security Processor.

Q

R

RA

Remote attestation.

RATS

Remote Attestation Procedures.

RCAR

Request Challenge Attestation Response.

RTMR

Runtime measurement register.

S

SCE

Secure Code Execution.

SE

IBM Secure Execution.

SECL-DC

Intel Security Libraries for the Data Center.

SEV

AMD's Secure Encrypted Virtualization. Provides memory encryption, using one key per virtual machine to isolate guests and the hypervisor from one another.

SEV-ES

AMD's Secure Encrypted Virtualization-Encrypted State. Adds CPU state integrity protection to SEV by encrypting all CPU register contents in the hypervisor-accessible state.

SEV-SNP

AMD's Secure Encrypted Virtualization Secure Nested Paging. SEV-SNP extends SEV-ES to provide integrity protection for memory pages, interrupts and more.

Unlike SEV-ES, SEV-SNP provides an attestation report to the guest at runtime.

SGX

Intel Software Guard Extensions.

See also SGX in the Kata Containers Glossary.

SHA

Secure Hash Algorithm, a family of cryptographically secure hash functions.

SME

AMD's Secure Memory Encryption. Traditionally, this can also refer to Subject Matter Expert or Small / Medium sized Enterprise.

SNP

See SEV-SNP.

SVM

Secure Virtual Machine.

SVSM

Secure VM Service Module, services taking advantage of VMPL to

T

TB

Trusted Boot.

TCB

Trusted Computing Base.

TCM

Target Core Mailbox.

TCMU

Target Core Mailbox in Userspace.

TD

Trust Domain.

TDE

Transparent Data Encryption.

TDVF

TDX Virtual Firmware.

TDX

Intel Trusted Domain Extensions.

TEE

Trusted Execution Environment, such as can be provided by a TPM, SGX, TDX or SEV.

TLS

Transport Layer Security.

TPM

Trusted Platform Module, a dedicated microcontroller (a secure cryptographic processor) used to store secrets such as cryptographic keys.

TXT

Intel Trusted Execution Technology, a set of hardware extensions to Intel processors and chipsets that allow the authenticity of a system to be attested.

U

UEFI

Unified Extensible Firmware Interface, a standardized version of EFI.

UIO

Userspace I/O.

UPM

Unmapped Private Memory.

UUID

Universally Unique Identifier.

See also GUID.

V

VCEK

AMD Versioned Chip Endorsement Key, derived from a chip-unique seed. See also CEK.

VLEK

AMD Versioned Loaded Endorsement Key, derived from a seed held in the Key Derivation Service (KDS), typically given to a cloud provider.

VPC

Virtual Private Cloud.

VMPL

Virtual Machine Privilege Level, a new optional feature in AMD SEV which allows a guest virtual machine to divide its address space into four levels, which can be used to provide hardware-isolated abstraction layers within a VM. See SVSM for an application.

W

X

Y

Z

zstd

Zstandard.
