Attestation Agent (AA for short) is an user space service for attestation procedure. In Kata Confidential Containers (Kata CC for short), AA implements the WrapKey API defined by keyprovider protocol, which is responsible for performing attestation and obtaining the Key Encryption Key (KEK for short) from Key Broker Service (KBS for short) , or requesting KBS to decrypt the encrypted payload stored in the image layer annotation.
Current consumers of AA include:
Here are the steps of building and running AA:
Build and install AA with all KBC modules:
git glone https://github.com/containers/attestation-agent
cd attestation-agent
make && make installor explicitly specify the KBS modules it contains. Taking sample_kbc as example:
make KBC=sample_kbcTo build and install with musl, just run:
make MUSL=1 && make installFor help information, just run:
attestation-agent --helpStart AA and use grpc_sock parameter to specify the endpoint of AA's keyprovider service, e.g, listen on local 47777 port:
attestation-agent --grpc_sock 127.0.0.1:47777If you want to see the runtime log:
RUST_LOG=attestation_agent attestation-agent --grpc_sock 127.0.0.1:4777
AA provides a flexible KBC module mechanism to support different KBS protocols required to make the communication between KBC and KBS. If the KBC modules currently supported by AA cannot meet your use requirement (e.g, need to use a new KBS protocol), you can write a new KBC module complying with the KBC development GUIDE. Welcome to contribute new KBC module to this project!
List of supported KBC modules:
| KBC module name | README | KBS protocol | Maintainer |
|---|---|---|---|
| sample_kbc | Null | Null | Attestation Agent Authors |
| offline_fs_kbc | Offline file system KBC | Null | IBM |
| eaa_kbc | EAA KBC | EAA protocol | Alibaba Cloud |
| offline_sev_kbc | Offline SEV KBC | Null | IBM |