Skip to content

wenhuizhang/confidential-cloud-native-primitives

 
 

Repository files navigation

Confidential Cloud-Native Primitives (CCNP)

CI Check License CI Check Spelling CI Check Python CI Check Shell CI Check Rust CI Check Golang CI Check Container CC Foundation Image Customize OpenSSF Best Practices

1. Introduction

Confidential Computing technology like Intel TDX provides isolated encryption runtime environment to protect data-in-use based on hardware Trusted Execution Environment (TEE). It requires a full chain integrity measurement on the launch-time or runtime environment to guarantee "consistently behavior in expected way" (defined by Trusted Computing) of confidential computing environment for tenant's zero-trust use case.

This project is designed to provide cloud native measurement for the full measurement chain from TEE TCB -> Firmware TCB -> Guest OS TCB -> Cloud Native TCB as follows:

NOTE: Different with traditional trusted computing on non-confidential environment, the measurement chain is not only started with Guest's SRTM (Static Root Of Measurement) but also need include the TEE TCB, because the CC VM environment is created by TEE via DRTM (Dynamic Root of Measurement) like Intel TXT on the host.

From the perspective of tenant's workload, CCNP will expose the CC Trusted API as the unified interfaces across diverse trusted foundations like RTMR+TDMR+CCEL and PCR+TPM2. The definitions and structures follows standard specifications like TCG PC Client Platform TPM Profile Specification, TCG PC Client Platform Firmware Profile Specification

This project should also be able deployed on diverse cloud native PaaS frameworks like confidential cluster, container, kubevirt etc. An example of landing architecture on confidential cluster is as follows, please refer detail deployment steps

Finally, the full trusted chain will be measured into CC report as follows using TDX as example:

NOTE:

  • The measurement of TEE, Guest's boot, OS is per CC VM, but cluster/container measurement might be per cluster/namespace/container for cloud native architecture.
  • Please refer structure TDREPORT

2. Design

CCNP includes several micro-services as BaaS(Backend as a Service) to provides cloud native measurement, then exposes CC trusted API via cloud native SDK:

  • Services are designed to hide the complexity of different TEE platforms and provides common interfaces and scalability for cloud-native environment to address the fetching the fetching of quote, measurement and event log.

  • SDK is provided to simplify the use of the service interface for development, it covers communication to the service and parses the results from the services. With such SDK, users can perform related actions with one simple API call.

  • A CCNP device plugin is provided as the dependency for services such as Quote Server and Measurement Server. It will help with device mount and folder injection within the service.

SDK PyPI package can be found here. Please check our documentation for more details.

Note: For Intel TDX, it bases on Linux TDX Software Stack at tdx-tools, the corresponding white paper is at Whitepaper: Linux* Stacks for Intel® Trust Domain Extension 1.0.

3. Installation

Here provides the description on the installation steps for the services and the SDK.

CCNP deployment guide introduces how to deploy CCNP services, which also includes an example of running CCNP example pod to get cloud native primitives using CCNP SDK.

You can also use the following guides as alternatives of installing each service separately.

For SDK, user can simply install from PyPI using command:

pip install ccnp

Or to install from source code with the following command:

cd sdk/python3
pip install -e .

For the ccnp device plugin, user can find the installation guide under the 'Installation' section here

4. Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, contact the maintainers of the project.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

See CONTRIBUTING.md for details on building, testing, and contributing to these libraries.

5. Provide Feedback

If you encounter any bugs or have suggestions, please file an issue in the Issues section of the project.

Note: This is pre-production software and, as such, it may be substantially modified as updated versions are made available.

6. Contributors

Ruoyu-y
Ruoyu Ying
hairongchen
Hairongchen
kenplusplus
Lu Ken
hjh189
Jiahao Huang
ruomengh
Ruomeng Hao
HaokunX-intel
Null
hwang37
Wang, Hongbo
dongx1x
Xiaocheng Dong
LeiZhou-97
LeiZhou
Yanbo0101
Yanbo Xu
jialeif
Jialei Feng
jiere
Jie Ren
rdower
Robert Dower
zhlsunshine
Steve Zhang
wenhuizhang
Wenhui Zhang

About

Landing Confidential Computing into Cloud Native Computing

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Go 27.3%
  • Shell 23.2%
  • Rust 23.1%
  • Python 21.3%
  • Dockerfile 1.9%
  • Smarty 1.6%
  • Other 1.6%