Confidential Sidecar Containers
This repository contains the code needed to build the sidecar containers used for confidential containers.
The code in this repository should be located at $GOPATH/src/microsoft/confidential-sidecar-containers.
For more information on how the tools work and the sidecar's base64-encoded string attributes, check the tecnical documentation.
Secure key release (SKR) sidecar
The docker/skr/build.sh script builds all necessary Go tools for secure key release as standalone binaries and creates a Docker image that contains them so that it can be used as a sidecar container. The skr sidecar container is executed by calling the script skr.sh with a base64-encoded string as an attribute or as an environment variable.
The skr sidecar can be queried by application containers hosted in the same pod (or container group) for retrieving attestation reports and for releasing secrets from managed HSM key vaults.
The examples/skr shows an example of how the skr sidecar can be deployed and tested within a confidential container group on ACI.
Third-party code
We modified the AES unwrap key without padding method to implement the aes key unwrap with padding method.
Encrypted filesystem sidecar
The docker/encfs/build.sh script builds all necessary Go tools (for encrypted filesystems) and creates a Docker image that contains them so that it can be used as a sidecar container. The encrypted filesystem sidecar container is executed by calling the script encfs.sh with a base64-encoded string or as an environment variable.
The encrypted filesystem sidecar uses the SKR library to release key material from managed HSM key vaults required for mounting the encrypted filesystems required by the application.
The examples/encfs shows an example of how the encrypted filesystem sidecar can be deployed within a confidential container group on ACI.
Dependencies:
- Golang 1.16 or later
- Docker
- GCC 9.4.0 or later
Contributing
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repositories using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
Trademarks
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft’s Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party’s policies.
Avoid failing to build due to bin directory being present already.
Various mkdir -p bin and rm -rf bin such that if the build fails halfway through, for example if docker desktop is not running, then a subsequent attempt may succeed.
Updating skr.sh to pass in PORT and create log.txt under home dir
Signed-off-by: gaurav137 [email protected]
Root build from github.com/Microsoft/confidential-sidecar-containers.
Use checkout and build path rooted at github.com/Microsoft/confidential-sidecar-containers rather than github.com/microsoft/confidential-sidecars to match hcsshim. Note case change from m to M in Microsoft too.
Updated Dockerfile.skr to add execution permissions to test scripts
Added executable permissions for the test skr scripts in the Dockerfile used for bulding the skr container. This is to ensure that the scripts can be executed.
Signed-off-by: Stavros Volos [email protected]
importkey tool - running from Devops - pulling mhsm response body failed: http response status equal to 401 Unauthorized
Trying to run importkey from Devops pipeline, but we are unsuccessful. we are getting the following error.
pulling mhsm response body failed: http response status equal to 401 Unauthorized
when we use importkey from my laptop using same importkeyconfig.json file which is generated from Devops pipeline which include Bearer token is working without any errors.
Sample Devops Code:
pwd/go go install github.com/Microsoft/confidential-sidecar-containers/cmd/...@latest go install github.com/Microsoft/confidential-sidecar-containers/tools/importkey/...@latest decodedConfig=echo $(importconfig) | base64 -decho "${decodedConfig}" >importconfig.json sed -e 's/<Error Message: importkey -c importconfig.json -kh xxxxxxxxxx [68 149 211 98 46 41 150 106 86 248 193 87 10 45 154 74 97 52 65 201 52 19 91 88 196 184 239 209 67 82 21 2] pulling mhsm response body failed: http response status equal to 401 Unauthorized
adding verbose report endpoint, updating error messages, updating docs
adding actionable instructions to error messages, fixing markdown linting in docs.
This requirement came from the Confidential ACI public preview weekly meetings.
Customer containers should be able to access attestation info from somewhere inside the confidential container group. Because the SKR container is already accessing this hardware info, putting a verbose attestation report endpoint into the SKR container's web server is semi-trivial and will not occupy extra resources (as it would if it was split into an independent container).