  1. Openshift sandboxed containers
  2. KATA-3111

Create integrity-protected pod VM image for Azure


    • Create integrity-protected pod VM image Azure
    • Product / Portfolio Work
    • Done
    • KATA-3746 - Confidential Containers on Azure [GA]
    • 0% To Do, 0% In Progress, 100% Done
      .Azure integrity-protected pod VM image

      A Red Hat-created image is now enabled by default for sandboxed containers and Confidential Containers running on Azure, enhancing the security of container and VM images.
    • Feature
    • Done
    • No
    • Kata Sprint #272
    • 0

      Epic Goal

      • Create integrity-protected pod VM image

      Why is this important?

      • For CoCo, it's important to ensure that the VM image has not been tampered with; otherwise, secrets can be exfiltrated via tampered software.

      Scenarios

      1. Customer wants to install Sandboxed Containers and use a Red Hat created image
      2. Customer wants to create and use their own image

      Acceptance Criteria 

      (The Epic is complete when...)

      For Release 1.10, we are targeting Scenario 1 only.

      • Release an image that we create/support
      • Publish the reference value that needs to be added to the trustee instance by the admin
      • Trustee can verify the measurement
        • Verification can be automated by trustee, and can prevent the VM from running

       

      In a future release we should add:

      • Instructions to create a dm-verity protected CVM image for peer-pods via operator or standalone
      • Instructions to generate measurements of the image
      • TODO: move this to a separate epic

       

       

      Additional context:

       

      Testing the feature

      • The dm-verity based pod VM image will be the default for CoCo, so there is no need for specific tests; the usual pod lifecycle management tests will cover this. The verification of the verity hash as part of the attestation process will be documented and will need Trustee, so it should be covered as part of the e2e attestation tests.
      • Possibilities for negative testing
        • Modify the image (add a file for instance)
        • Modify the reference to create an error
        • Modify the default configuration, maybe to disable it?
      • Upgrade testing
        • What happens to existing containers/VMs when we update OSC?
          • Need to make sure the PodVM image is updated (this is not specific to this Epic; maybe already documented? Requires verification)
          • Trustee and its settings should be updated before the upgrade of OSC

       

      Upstream has a method that is described in the following blog 

       

      Vitaly has instructions on how to create dm-verity protected CVM images in public cloud

              rh-ee-cconte Camilla Conte
              bpradipt Pradipta Banerjee
              Snir sheriber
              John Wilkins John Wilkins