Skip to content
View fitzthum's full-sized avatar
28 followers · 5 following

Achievements

Achievement: Pull Sharkx3Achievement: Pair ExtraordinaireAchievement: Quickdraw

Achievements

Achievement: Pull Sharkx3Achievement: Pair ExtraordinaireAchievement: Quickdraw

Organizations

@confidential-containers

Block or report fitzthum

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Please don't include any personal information such as legal names or email addresses. Maximum 100 characters, markdown supported. This note will be visible to only you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse

Pinned Loading

  1. kata-containers/kata-containers kata-containers/kata-containers Public

    Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workl…

    Rust 5.6k 1.1k

  2. The Mystery of the KBS Identity The Mystery of the KBS Identity
    1 
    # The Mystery of the KBS Identity
    2 
    
              
    
              
    
                3
                
    One simple question has confounded countless developers working on [Confidential Containers](https://github.com/confidential-containers); how do we know we are connecting to the correct KBS? For context, KBS is short for [Key Broker Service](https://github.com/confidential-containers/kbs), which is the trusted entity that conditionally grants access to client secrets. The term relying party could be used to describe the KBS. Inside the guest, there is a Key Broker Client (KBC) built into the [Attestation Agent](https://github.com/confidential-containers/attestation-agent) (AA). The KBC talks to the KBS to get container decryption keys among other things.
    
              
    
              
    
                4
                
    
              
    
              
    
                5
                
    The connection between the KBC and the KBS is secured with public key cryptography. The KBC generates a random keypair and sends the public key to the KBS when requesting confidential resources. Since the KBC has the lifespan of one VM, it makes sense for it to have an ephemeral keypair. The hash of the public key is included in the hardware evidence, which is also sent to the KBS. With this evidence, the KBS (with the help of an [Attestation Service](https://github.com/confidential-containers/attestation-service)) can verify that the public key it receives from the KBC was generated inside a real TEE with a certain initial TCB. This is precisely what the KBS needs to validate before releasing client secrets to the KBC.
    
              
    
          
    
    
    
  
    

    3. 

      
  3. 
  
    
    
    
      
    
        
    
            
          
              secure-migration/resume-from-efi-edk2
secure-migration/resume-from-efi-edk2          Public
        
    
      
    


      
    
        
      
    

      
    
          
  
  C


      
    
    
    
  
    

    4. 

      
  4. 
  
    
    
    
      
    
        
    
            
          
              confidential-containers/guest-components
confidential-containers/guest-components          Public
        
    
      
    


      
    
        Confidential Containers Guest Tools and Components
      
    

      
    
          
  
  Rust


          
            
    

            83
          
          
            
    

            95
          
      
    
    
    
  
    

    5. 

      
  5. 
  
    
    
    
      
    
        
    
            
          
              confidential-containers/confidential-containers
confidential-containers/confidential-containers          Public
        
    
      
    


      
    
        Confidential Containers Community
      
    

      
    
          
            
    

            206
          
          
            
    

            48
          
      
    
    
    
  
    

    6. 

      
  6. 
  
    
    
    
      
    
        
    
            
          
              confidential-containers/trustee
confidential-containers/trustee          Public
        
    
      
    


      
    
        Attestation and Secret Delivery Components
      
    

      
    
          
  
  Rust


          
            
    

            67
          
          
            
    

            88
          
      
    
    
    
  
    

    7.