Skip to content
View fitzthum's full-sized avatar

Organizations

@confidential-containers

Block or report fitzthum

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Please don't include any personal information such as legal names or email addresses. Maximum 100 characters, markdown supported. This note will be visible to only you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse

Pinned Loading

  1. kata-containers/kata-containers kata-containers/kata-containers Public

    Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workl…

    Rust 5.7k 1.1k

  2. The Mystery of the KBS Identity The Mystery of the KBS Identity
    1
    # The Mystery of the KBS Identity
    2
    
                  
    3
    One simple question has confounded countless developers working on [Confidential Containers](https://github.com/confidential-containers); how do we know we are connecting to the correct KBS? For context, KBS is short for [Key Broker Service](https://github.com/confidential-containers/kbs), which is the trusted entity that conditionally grants access to client secrets. The term relying party could be used to describe the KBS. Inside the guest, there is a Key Broker Client (KBC) built into the [Attestation Agent](https://github.com/confidential-containers/attestation-agent) (AA). The KBC talks to the KBS to get container decryption keys among other things.
    4
    
                  
    5
    The connection between the KBC and the KBS is secured with public key cryptography. The KBC generates a random keypair and sends the public key to the KBS when requesting confidential resources. Since the KBC has the lifespan of one VM, it makes sense for it to have an ephemeral keypair. The hash of the public key is included in the hardware evidence, which is also sent to the KBS. With this evidence, the KBS (with the help of an [Attestation Service](https://github.com/confidential-containers/attestation-service)) can verify that the public key it receives from the KBC was generated inside a real TEE with a certain initial TCB. This is precisely what the KBS needs to validate before releasing client secrets to the KBC.
  3. secure-migration/resume-from-efi-edk2 secure-migration/resume-from-efi-edk2 Public

    C

  4. confidential-containers/guest-components confidential-containers/guest-components Public

    Confidential Containers Guest Tools and Components

    Rust 85 98

  5. confidential-containers/confidential-containers confidential-containers/confidential-containers Public

    Confidential Containers Community

    213 49

  6. confidential-containers/trustee confidential-containers/trustee Public

    Attestation and Secret Delivery Components

    Rust 73 90