This repository contains tools and components for attesting confidential guests and providing secrets to them. Collectively, these components are known as Trustee. Trustee typically operates on behalf of the guest owner and interact remotely with guest components.
Trustee was developed for the Confidential Containers project, but can be used with a wide variety of applications and hardware platforms.
-
Key Broker Service The KBS is a server that facilitates remote attestation and secret delivery. Its role is similar to that of the Relying Party in the RATS model.
-
Attestation Service The AS verifies TEE evidence. In the RATS model this is a Verifier
-
Reference Value Provider Service The RVPS manages reference values used to verify TEE evidence. This is related to the discussion in section 7.5 of the RATS document.
-
Client Tool This is a simple tool which can be used to test or configure the KBS and AS.
For further information, see documentation of individual components.
Trustee is flexible and can be deployed in several different configurations. This figure shows one common way to deploy these components in conjunction with certain guest components.
flowchart LR
AA -- attests guest ----> KBS
CDH -- requests resource --> KBS
subgraph Guest
CDH <.-> AA
end
subgraph Trustee
AS -- verifies evidence --> KBS
RVPS -- provides reference values--> AS
end
client-tool -- configures --> KBS
There are two main ways to deploy Trustee.
One simple way to get started with Trustee is with Docker compose, which can be used to quickly setup a cluster matching the diagram above.
Please refer to the cluster setup guide.
This cluster could be run inside a VM or as part of a managed service.
There are two supported ways of deploying Trustee on Kubernetes. One is via the KBS Operator, which deploys the KBS components. The second option is to use the KBS' provided Kubernetes tooling here.