Documentation
Index
- func TeeConvertImage(ctx context.Context, systemContext *types.SystemContext, store storage.Store, ...) (string, reference.Canonical, digest.Digest, error)
- func TeeRegisterImage(ctx context.Context, systemContext *types.SystemContext, store storage.Store, ...) error
- type TeeConvertImageOptions
- type TeeRegisterImageOptions
Constants
This section is empty.
Variables
This section is empty.
Functions
func TeeConvertImage
func TeeConvertImage(ctx context.Context, systemContext *types.SystemContext, store storage.Store, options TeeConvertImageOptions) (string, reference.Canonical, digest.Digest, error)
TeeConvertImage takes the rootfs and configuration from one image, generates a LUKS-encrypted disk image that more or less includes them both, and puts the result into a new container image. Returns the new image's ID and digest on success, along with a canonical reference for it if a repository name was specified.
func TeeRegisterImage
func TeeRegisterImage(ctx context.Context, systemContext *types.SystemContext, store storage.Store, options TeeRegisterImageOptions) error
TeeRegisterImage reads the workload ID and attestation URL from an image, verifies that the passed-in passphrase can be used to decrypt the image, and submits a fresh registration request to the attestation server. This isn't expected to be used often, but if a conversion fails at this step, and the error is treated as a warning, it will be necessary.
Types
type TeeConvertImageOptions
type TeeConvertImageOptions struct {
	// Required parameters.
	InputImage string

	// If supplied, we'll tag the resulting image with the specified name.
	Tag         string
	OutputImage types.ImageReference

	// If supplied, we'll register the workload with this server.
	// Practically necessary if DiskEncryptionPassphrase is not set, in
	// which case we'll generate one and throw it away after.
	AttestationURL string

	// Used to measure the environment. If left unset (0, ""), defaults will be applied.
	CPUs   int
	Memory int

	// Can be manually set. If left unset ("", false, nil), reasonable values will be used.
	TeeType                    mkcw.TeeType
	IgnoreChainRetrievalErrors bool
	IgnoreAttestationErrors    bool
	WorkloadID                 string
	DiskEncryptionPassphrase   string
	Slop                       string
	BaseImage                  string
	Logger                     *logrus.Logger

	// Passed through to buildah.BuilderOptions. Most settings won't make
	// sense to be made available here because we don't launch a process.
	ContainerSuffix     string
	PullPolicy          buildah.PullPolicy
	BlobDirectory       string
	SignaturePolicyPath string
	ReportWriter        io.Writer
	IDMappingOptions    *buildah.IDMappingOptions
	Format              string
	MaxPullRetries      int
	PullRetryDelay      time.Duration
	OciDecryptConfig    *encconfig.DecryptConfig
	MountLabel          string
}
TeeConvertImageOptions provides both required and optional bits of configuration for TeeConvertImage().
type TeeRegisterImageOptions
type TeeRegisterImageOptions struct {
	// Required parameters.
	Image                    string
	DiskEncryptionPassphrase string

	// Can be manually set. If left unset (false, nil), reasonable values will be used.
	Logger *logrus.Logger

	// Passed through to buildah.BuilderOptions. Most settings won't make
	// sense to be made available here because we don't launch a process.
	ContainerSuffix     string
	PullPolicy          buildah.PullPolicy
	BlobDirectory       string
	SignaturePolicyPath string
	ReportWriter        io.Writer
	IDMappingOptions    *buildah.IDMappingOptions
	Format              string
	MaxPullRetries      int
	PullRetryDelay      time.Duration
	OciDecryptConfig    *encconfig.DecryptConfig
	MountLabel          string
}
TeeRegisterImageOptions provides both required and optional bits of configuration for TeeRegisterImage().
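The AttestationURL comment and the TeeRegisterImage description together imply that some option combinations leave nobody holding the disk passphrase. The following pre-flight check is an added example, not code from this package: convertOptions is a local stand-in for the four fields it reads, preflight is a hypothetical helper, and it assumes IgnoreAttestationErrors is the setting that turns a failed registration into a warning.

```go
package main

import (
	"fmt"
	"net/url"
)

// convertOptions mirrors only the TeeConvertImageOptions fields this check
// reads; it is a local stand-in (assumption), not the package's own type.
type convertOptions struct {
	InputImage               string
	AttestationURL           string
	DiskEncryptionPassphrase string
	IgnoreAttestationErrors  bool
}

// preflight (hypothetical helper) returns one finding per option combination
// that can leave the encrypted disk image without a recoverable passphrase.
func preflight(o convertOptions) []string {
	var findings []string
	if o.InputImage == "" {
		findings = append(findings, "InputImage is required")
	}
	if o.AttestationURL != "" {
		if u, err := url.Parse(o.AttestationURL); err != nil || u.Scheme == "" || u.Host == "" {
			findings = append(findings, "AttestationURL is not an absolute URL")
		}
	}
	if o.DiskEncryptionPassphrase == "" {
		// A passphrase is generated and thrown away after the conversion.
		if o.AttestationURL == "" {
			findings = append(findings, "no passphrase and no AttestationURL: nothing keeps the generated passphrase")
		}
		// TeeRegisterImage needs the passphrase, which the caller never saw.
		if o.IgnoreAttestationErrors {
			findings = append(findings, "IgnoreAttestationErrors with a generated passphrase: a failed registration cannot be redone with TeeRegisterImage")
		}
	}
	return findings
}

func main() {
	// Constructed sample configuration: no passphrase, no server, errors ignored.
	risky := convertOptions{InputImage: "localhost/app:latest", IgnoreAttestationErrors: true}
	for _, f := range preflight(risky) {
		fmt.Println(f)
	}
}
```

Supplying DiskEncryptionPassphrase explicitly and storing it outside the image clears both passphrase findings, because a later TeeRegisterImage call can then be made with it.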