|
| 1 | +.. license-header |
| 2 | + SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved. |
| 3 | + SPDX-License-Identifier: Apache-2.0 |
| 4 | +
|
| 5 | + Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | + you may not use this file except in compliance with the License. |
| 7 | + You may obtain a copy of the License at |
| 8 | +
|
| 9 | + http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | +
|
| 11 | + Unless required by applicable law or agreed to in writing, software |
| 12 | + distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | + See the License for the specific language governing permissions and |
| 15 | + limitations under the License. |
| 16 | +
|
| 17 | +.. headings # #, * *, =, -, ^, " |
| 18 | +
|
| 19 | +
|
| 20 | +.. _attestation: |
| 21 | + |
| 22 | +*********** |
| 23 | +Attestation |
| 24 | +*********** |
| 25 | + |
| 26 | +This page provides an overview of how to configure remote attestation for Confidential Container workloads. |
| 27 | +Attestation cryptographically verifies the guest Trusted Execution Environment (TEE) for the CPU and GPU before secrets are released to a workload. |
| 28 | + |
| 29 | +Attestation is required for any feature that depends on secrets, including: |
| 30 | + |
| 31 | +* Pulling encrypted container images |
| 32 | +* Accessing authenticated container registries |
| 33 | +* Using sealed secrets |
| 34 | +* Requesting secrets directly from workloads |
| 35 | + |
| 36 | +When a workload requires a secret, such as a key to decrypt a container image or model, guest components collect hardware evidence from the active CPU and GPU enclaves. |
| 37 | +The evidence is sent to a remote verifier, Trustee, which evaluates the evidence against configured policies and conditionally releases the secret. |
| 38 | + |
| 39 | +For background on how attestation fits into the Confidential Containers architecture, refer to the :doc:`NVIDIA Confidential Containers Reference Architecture overview <overview>`. |
| 40 | + |
| 41 | + |
| 42 | +Prerequisites |
| 43 | +============= |
| 44 | + |
| 45 | +* A Kubernetes cluster configured to deploy Confidential Containers workloads. |
| 46 | + Refer to the :doc:`deployment guide <confidential-containers-deploy>` for configuration steps. |
| 47 | +* A machine to host the Trustee instance. |
| 48 | + For production, deploy Trustee in a separate trusted environment. |
| 49 | + For development, Trustee can run in the same cluster. |
| 50 | + Trustee does not require Confidential Computing hardware or a GPU. |
| 51 | +* Network connectivity from the worker nodes in your Kubernetes cluster to the Trustee instance. |
| 52 | + |
| 53 | +Configuration Workflow |
| 54 | +====================== |
| 55 | + |
| 56 | +After you meet the prerequisites, complete the following steps to enable attestation: |
| 57 | + |
| 58 | +#. :ref:`Provision Trustee <provision-trustee>`, the remote verifier and key broker, in a trusted environment. |
| 59 | +#. :ref:`Configure your workloads <configure-workloads-trustee>` to point to the Trustee network endpoint. |
| 60 | +#. Optionally, :ref:`customize attestation workflows <customize-attestation>` for your use cases. |
| 61 | + |
| 62 | +After configuration, the Confidential Containers runtime automatically runs the attestation flow when a workload requires it. |
| 63 | + |
| 64 | +.. _provision-trustee: |
| 65 | + |
| 66 | +Provision Trustee |
| 67 | +================= |
| 68 | + |
| 69 | +Trustee is an open-source framework used in Confidential Containers to verify attestation evidence and conditionally release secrets. |
| 70 | +For a full overview of attestation with Trustee, refer to the upstream `Trustee documentation <https://confidentialcontainers.org/docs/attestation/>`_. |
| 71 | + |
| 72 | +To provision a Trustee instance, follow the upstream `Install Trustee in Docker <https://confidentialcontainers.org/docs/attestation/installation/docker/>`_ guide. |
| 73 | +This is the recommended install method. |
| 74 | + |
| 75 | +.. note:: |
| 76 | + |
| 77 | + Guests with many passthrough devices, such as NVIDIA PPCIE GPUs, can produce attestation tokens that exceed HTTP header size limits. |
| 78 | + |
| 79 | + To avoid this, set ``verbose_token`` to ``false`` in the Attestation Service configuration file and restart Trustee. |
| 80 | + Refer to the upstream `Attestation Service configuration <https://github.com/confidential-containers/trustee/blob/main/attestation-service/docs/config.md>`_ documentation for details. |
| 81 | + |
| 82 | +After you complete installation, Trustee is configured to use the NVIDIA Remote Attestation Service (NRAS) to evaluate GPU evidence by default. |
| 83 | + |
| 84 | +.. _configure-workloads-trustee: |
| 85 | + |
| 86 | +Configure Workloads for Attestation |
| 87 | +==================================== |
| 88 | + |
| 89 | +To enable attestation for your workloads, point them to the Trustee network endpoint, sometimes referred to as the Key Broker Service (KBS) endpoint, by adding the following annotation to your workload pod spec: |
| 90 | + |
| 91 | +.. code-block:: yaml |
| 92 | +
|
| 93 | + io.katacontainers.config.hypervisor.kernel_params: "agent.aa_kbc_params=cc_kbc::http://<kbs-ip>:<kbs-port>" |
| 94 | +
|
| 95 | +Replace ``<kbs-ip>`` and ``<kbs-port>`` with the IP address and port of your Trustee instance. |
| 96 | +The default KBS port is ``8080``. |
| 97 | + |
| 98 | +Refer to the upstream `Setup Confidential Containers <https://confidentialcontainers.org/docs/attestation/coco-setup/>`_ documentation for more information on configuring workloads for attestation. |
| 99 | + |
| 100 | +.. _customize-attestation: |
| 101 | + |
| 102 | +Customize Attestation Workflows |
| 103 | +=============================== |
| 104 | + |
| 105 | +After Trustee is provisioned and workloads are configured, you can customize attestation workflows to enforce your desired security policies. |
| 106 | +This can include configuring the following: |
| 107 | + |
| 108 | +* KBS Client Tool: Configure Trustee resources and secrets by using the Key Broker Service (KBS) Client Tool. |
| 109 | + Refer to the upstream documentation on `using the KBS Client Tool <https://confidentialcontainers.org/docs/attestation/client-tool/>`_. |
| 110 | +* Configure resources: Create resources, or secrets, that your workloads need. |
| 111 | + Refer to the upstream `Confidential Containers resources <https://confidentialcontainers.org/docs/attestation/resources/>`_ documentation for more information on the resources. |
| 112 | +* Configure policies: Confidential Containers uses different policy types to secure workload at different layers. |
| 113 | + Refer to the upstream `Confidential Containers policy <https://confidentialcontainers.org/docs/attestation/policies/>`_ documentation for more information on the policy types and configuring policies. |
| 114 | + |
| 115 | +Refer to the upstream `Confidential Containers Features <https://confidentialcontainers.org/docs/features>`_ documentation for a full list of attestation features and how to configure them. |
| 116 | + |
| 117 | +Troubleshooting |
| 118 | +=============== |
| 119 | + |
| 120 | +If attestation does not succeed after provisioning Trustee, enable debug logging by setting the ``RUST_LOG=debug`` environment variable in the Trustee environment. |
| 121 | +Use the Trustee log to diagnose the attestation process. |
| 122 | + |
| 123 | +Next Steps |
| 124 | +========== |
| 125 | + |
| 126 | +* Refer to the :doc:`deployment guide <confidential-containers-deploy>` for Confidential Containers setup instructions. |
| 127 | +* Refer to the upstream `Confidential Containers Features <https://confidentialcontainers.org/docs/features>`_ documentation for a complete list of attestation-dependent features. |
| 128 | +* Refer to the `NVIDIA Confidential Computing documentation <https://docs.nvidia.com/confidential-computing>`_ for additional information. |
0 commit comments