EAA/Verdictd support has been deprecated in Confidential Containers
EAA is used to perform attestation at runtime and provide guest with confidential resources such as keys. It is based on rats-tls.
Verdictd is the Key Broker Service and Attestation Service of EAA. The EAA KBC is an optional module in the attestation-agent at compile time, which can be used to communicate with Verdictd. The communication is established on the encrypted channel provided by rats-tls.
EAA can now be used on Intel TDX and Intel SGX platforms.
Before build encrypted image, you need to make sure Skopeo and Verdictd(EAA KBS) have been installed:
- Skopeo: the command line utility to perform encryption operations.
- Verdictd: EAA Key Broker Service and Attestation Service.
- Pull unencrypted image.
Here use alpine:latest for example:
${SKOPEO_HOME}/bin/skopeo copy --insecure-policy docker://docker.io/library/alpine:latest oci:busybox-
Follow the Verdictd README #Generate encrypted container image to encrypt the image.
-
Publish the encrypted image to your registry.
- Build rootfs with EAA component:
Specify AA_KBC=eaa_kbc parameters when using kata-containers rootfs.sh scripts to create rootfs.
- Launch Verdictd
Verdictd performs remote attestation at runtime and provides the key needed to decrypt the image. It is actually both Key Broker Service and Attestation Service of EAA. So when deploy the encrypted image, Verdictd is needed to be launched:
verdictd --listen <$ip>:<$port> --mutualNote The communication between Verdictd and EAA KBC is based on rats-tls, so you need to confirm that rats-tls has been correctly installed in your running environment.
- Agent Configuration
Add configuration aa_kbc_params= 'eaa_kbc::<$IP>:<$PORT>' to agent config file, the IP and PORT should be consistent with verdictd.