Skip to content
This repository has been archived by the owner on Jul 20, 2023. It is now read-only.

Commit

Permalink
quickstart: How to use a different KBC with enclave-cc
Browse files Browse the repository at this point in the history
Let's add a small piece of documentation about what the users should do
in case they want to try enclave-cc with a different KBC.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
  • Loading branch information
fidencio committed Jan 20, 2023
1 parent 8a8ff5a commit f688f82
Showing 1 changed file with 19 additions and 0 deletions.
19 changes: 19 additions & 0 deletions quickstart.md
Original file line number Diff line number Diff line change
Expand Up @@ -146,6 +146,25 @@ NAME HANDLER AGE
enclave-cc enclave-cc 9m55s
```

### Configuring enclave-cc custom resource to use a different KBC

**Note** The KBC configuration changes to the enclave-cc custom resource yaml
must be made **before** deploying it.

Enclave CC supports Verdictd and in order to use it, users will have to
properly configure a decrypt_config.conf, in order to set the `KBC` (`sample_kbc`
or `eaa_kbc`) `IP`,`PORT`, and the `SECURITY_VALIDATE` (`false` or `true`)
```
{
"key_provider": "provider:attestation-agent:KBC::IP:PORT",
"security_validate": SECURITY_VALIDATE
}
```

Once that's set according to the users needs, the user will then have to run:
`cat decrypt_config.conf | base64 -w 0` in order to get the data encoded and
set it accordingly [here](https://github.com/confidential-containers/operator/blob/6f241fbc056f0a5d9e1bd2c10b2cedc0782b99ff/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml#L124).

# Running a workload

## Creating a sample CoCo workload
Expand Down

0 comments on commit f688f82

Please sign in to comment.