Skip to content

hairongchen/confidential-cloud-native-primitives

 
 

Repository files navigation

Container Integrity Measurement Agent (CIMA)

CI Check License CI Check Spelling CI Check Python CI Check Shell CI Check Rust CI Check Golang CI Check Container OpenSSF Best Practices

Introduction

Confidential Computing technologies provide an isolated encryption runtime environment to protect data-in-use based on hardware Trusted Execution Environment (TEE). It requires a full chain integrity measurement on the launch-time or runtime environment to guarantee "consistent behavior in an expected way" of confidential computing environment for tenant's zero-trust use case.

CIMA aims to help users establish a chain of trust for cloud-native workloads by providing container level evidence, including container measurements, event logs, and confidential computing (CC) reports.

Find out more in CIMA Design and Architecture and Container Measurement Design.

How to Install CIMA

Configuration

CIMA support to run on Intel® TDX guest. Thus, you will need TDX host and guest for CIMA deployment and usage. Please see below recommended configuration.

CPU Host OS Host packages Guest OS Guest packages Attestation packages CIMA Tag
Intel 4th Gen (only TDX SKUs) and 5th Gen Xeon Scalable Processors Ubuntu 23.10 TDX early preview referring to here Ubuntu 23.10 Build a guest image for CIMA using CVM image rewriter Setup remote attestation on host referring to here v0.4.0
Intel 4th Gen (only TDX SKUs) and 5th Gen Xeon Scalable Processors Ubuntu 24.04 TDX early preview referring to here Ubuntu 24.04 Build a guest image for CIMA using CVM image rewriter Setup remote attestation on host referring to here and here v0.5.0

CIMA Service Deployment in Confidential VM

CIMA will run as a DaemonSet in a Kubernetes cluster or as a container in a docker environment on a single confidential VM (CVM). Refer to CIMA deployment guide and choose a deployment model.

CIMA SDK Usage

If you want to integrate CIMA SDK in the workload to get measurement and event logs, refer to py_sdk_example.py. It is an example of using CIMA Python SDK. There are also Golang SDK and Rust SDK. Please see more details in CIMA SDK.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, contact the maintainers of the project.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

See CONTRIBUTING.md for details on building, testing, and contributing to these libraries.

Provide Feedback

If you encounter any bugs or have suggestions, please file an issue in the Issues section of the project.

Note: This is pre-production software. As such, it may be substantially modified as updated versions are made available.

Reference

CIMA Design and Architecture

Container Measurement Design

Trusted Computing

TCG PC Client Platform TPM Profile Specification

TCG PC Client Platform Firmware Profile Specification

Contributors

Ruoyu-y
Ruoyu Ying
hairongchen
Hairongchen
kenplusplus
Lu Ken
ruomengh
Ruomeng Hao
hjh189
Jiahao Huang
HaokunX-intel
Haokun Xing
hwang37
Wang, Hongbo
dongx1x
Xiaocheng Dong
LeiZhou-97
LeiZhou
Yanbo0101
Yanbo Xu
jialeif
Jialei Feng
jiere
Jie Ren
wenhuizhang
Wenhui Zhang
rdower
Robert Dower
zhlsunshine
Steve Zhang

About

Build Trusted Chain for Cloud Native in Confidential Computing Envrionment

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Rust 51.7%
  • Python 19.1%
  • Shell 18.2%
  • Go 7.5%
  • Dockerfile 2.5%
  • Smarty 0.7%
  • Makefile 0.3%