Create integrity-protected pod VM image Azure
Epic
Resolution: Done
KATA-3746 - Confidential Containers on Azure [GA]
0% To Do, 0% In Progress, 100% Done
Kata Sprint #272
Epic Goal
- Create integrity-protected pod VM image
Why is this important?
- For CoCo, it's important to ensure that the VM image has not been tampered with, otherwise secrets can be exfiltrated via tampered software.
Scenarios
- Customer wants to install Sandboxed Containers and use a Red Hat created image
- Customer wants to create and use their own image
Acceptance Criteria
(The Epic is complete when...)
For Release 1.10, we are targeting Scenario 1 only.
- Release an image that we create/support
- Publish the reference value that needs to be added to the trustee instance by the admin
- Trustee can verify the measurement
- Verification can be automated by trustee, and can prevent the VM from running
In a future release we should add:
- Instructions to create dm-verity protected CVM image for peer-pods via operator or standalone
- Instructions to generate measurements of the image
- TODO: move this to a separate epic
Additional context:
Testing the feature
- dm-verity based pod VM image will be the default for CoCo. So there is no need for specific tests. The usual pod lifecycle management tests will cover this. The verification of the verity hash as part of the attestation process will be documented and will need Trustee. So the same should be covered as part of e2e attestation tests.
- Possibilities for negative testing
  - Modify the image (add a file for instance)
  - Modify the reference to create an error
  - Modify the default configuration, maybe to disable it?
- Upgrade testing
  - What happens to existing containers/VMs when we update OSC?
  - Need to make sure the PodVM image is updated (this is not specific to this Epic, maybe already documented? requires verification)
  - Trustee and its settings should be updated before the upgrade of OSC
Upstream has a method that is described in the following blog
Vitaly has instructions on how to create dm-verity protected CVM images in public cloud
- blocks: KATA-3658 Capture measurements of the pod VM image for remote attestation (Closed)