20. June 2023 #1391
dimakuv started this conversation in Meeting notes
Replies: 0 comments
Agenda
(please write your proposed agenda items in comments under this discussion)
Mikko: Confidential Containers KBS as a secrets provider
< shows presentation >
The CoCo Attestation Stack consists of the Attestation Service (AS) and the Key Broker Service (KBS). The AS verifies attestation evidence (e.g. SGX quotes), and the KBS is the component that talks to the Gramine app using the standard CoCo KBS protocol.
The KBS protocol has the following APIs: auth, attest, unwrap_key, get_resource, ...
The Intel Amber project is an example of a production AS.
The Enclave-CC project is a client of CoCo KBS (it pulls secrets from it).
Mikko created an LD_PRELOAD-ed library that reuses the KBS API client and the SGX attestation driver from the CoCo repos, and adds the Gramine-specific code on top.
Mikko created his own libsecret_prov.so that has only one API: setting the PF (protected files) wrap key. So Mikko's lib implements only a subset of the reference Gramine Secret Provisioning library, and thus the name is misleading.
Because Mikko reuses CoCo Rust crates, his libsecret_prov.so is currently pretty big, ~12MB in binary size.
Alibaba is pushing for CoCo KBS in production, but it's in early stages -- to be seen how it will be used by companies.