Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type RegistrationRequest ¶
type RegistrationRequest struct { WorkloadID string `json:"workload_id"` LaunchMeasurement string `json:"launch_measurement"` Passphrase string `json:"passphrase"` TeeConfig string `json:"tee_config"` // JSON-encoded teeConfig? or specific to the type of TEE? }
RegistrationRequest is the body of the request which we use for registering this confidential workload with the attestation server. https://github.com/virtee/reference-kbs/blob/10b2a4c0f8caf78a077210b172863bbae54f66aa/src/main.rs#L83
type SevWorkloadData ¶
type SevWorkloadData struct { VendorChain string `json:"vendor_chain"` AttestationServerPubkey string `json:"attestation_server_pubkey"` }
SevWorkloadData contains the path to the SEV certificate chain and optionally, the attestation server's public key(?) https://github.com/containers/libkrun/blob/d31747aa92cf83df2abaeb87e2a83311c135d003/src/vmm/src/linux/tee/amdsev.rs#L222
type SnpWorkloadData ¶
type SnpWorkloadData struct {
Generation string `json:"gen"` // "milan" (naples=1, rome=2, milan=3, genoa/bergamo=4)
}
SnpWorkloadData contains the required CPU generation name. https://github.com/virtee/oci2cw/blob/1502d5be33c2fa82d49aaa95781bbab2aa932781/examples/tee-config-snp.json
type TeeConfig ¶
type TeeConfig struct { Flags TeeConfigFlags `json:"flags"` // runtime requirement bits MinFW TeeConfigMinFW `json:"minfw"` // minimum platform firmware version }
TeeConfig contains information about a trusted execution environment.
type TeeConfigFlagBits ¶
type TeeConfigFlagBits int
TeeConfigFlagBits are bits representing run-time expectations.
const ( SEV_CONFIG_NO_DEBUG TeeConfigFlagBits = 0b00000001 // no debugging of guests SEV_CONFIG_NO_KEY_SHARING TeeConfigFlagBits = 0b00000010 // no sharing keys between guests SEV_CONFIG_ENCRYPTED_STATE TeeConfigFlagBits = 0b00000100 // requires SEV-ES SEV_CONFIG_NO_SEND TeeConfigFlagBits = 0b00001000 // no transferring the guest to another platform SEV_CONFIG_DOMAIN TeeConfigFlagBits = 0b00010000 // no transferring the guest out of the domain (?) SEV_CONFIG_SEV TeeConfigFlagBits = 0b00100000 // no transferring the guest to non-SEV platforms SNP_CONFIG_SMT TeeConfigFlagBits = 0b00000001 // SMT is enabled on the host machine SNP_CONFIG_MANDATORY TeeConfigFlagBits = 0b00000010 // reserved bit which should always be set SNP_CONFIG_MIGRATE_MA TeeConfigFlagBits = 0b00000100 // allowed to use a migration agent SNP_CONFIG_DEBUG TeeConfigFlagBits = 0b00001000 // allow debugging )
type TeeConfigFlags ¶
type TeeConfigFlags struct {
Bits TeeConfigFlagBits `json:"bits"`
}
TeeConfigFlags is a bit field containing policy flags specific to the environment. https://github.com/virtee/sev/blob/d3e40917fd8531c69f47c2498e9667fe8a5303aa/src/launch/sev.rs#L172 https://github.com/virtee/sev/blob/d3e40917fd8531c69f47c2498e9667fe8a5303aa/src/launch/snp.rs#L114
type TeeConfigMinFW ¶
TeeConfigFlagMinFW corresponds to a minimum version of the kernel+initrd combination that should be booted.
type TeeType ¶
type TeeType string
TeeType is a supported trusted execution environment type.
const ( // SEV is a known trusted execution environment type: AMD-SEV (secure encrypted virtualization using encrypted state, requires epyc 1000 "naples") SEV TeeType = "sev" // SEV_NO_ES is a known trusted execution environment type: AMD-SEV (secure encrypted virtualization without encrypted state, requires epyc 1000 "naples") SEV_NO_ES TeeType = "sev_no_es" // SNP is a known trusted execution environment type: AMD-SNP (SEV secure nested pages) (requires epyc 3000 "milan") SNP TeeType = "snp" )
type WorkloadConfig ¶
type WorkloadConfig struct { Type TeeType `json:"tee"` TeeData string `json:"tee_data"` // Type == SEV: JSON-encoded SevWorkloadData, SNP: JSON-encoded SnpWorkloadData, others? WorkloadID string `json:"workload_id"` CPUs int `json:"cpus"` Memory int `json:"ram_mib"` AttestationURL string `json:"attestation_url"` }
WorkloadConfig is the data type which is encoded and stored in /krun-sev.json in a container image, and included directly in the disk image. https://github.com/containers/libkrun/blob/57c59dc5359bdeeb8260b3493e9f63d3708f9ab9/src/vmm/src/resources.rs#L57