aaa

module

v0.0.0-...-d4b2600 Latest Latest Go to latest Published: Mar 29, 2023 License: MIT

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/container-investigations/aaa

Links

Open Source Insights

README ¶

Azure Attestation and Secret Provisioning service (AASP)

AASP is a GRPC service for provisioning secrets into confidential containers running inside a trusted execution environment (TEE). It also provides attestation related APIs through GRPC.

Types of secrets protected

A secret could be a symmetric/asymmetric key for decrypting/communicating sensitive data, or the sensitive data themselves. When the sensitive data size is large, it's recommended to encrypt the data with a randomly generated symmetric key, and protect the key with AASP.

Dependent services and Trusted Computing Base (TCB)

Currently AASP depends on Microsoft Azure Attestation service (MAA) and Azure Managed HSM (MHSM) for secret provisioning. As such, MAA and MHSM are included in the TCB for secret provisioning. If users prefer a smaller TCB or customized attestation service and/or Key Management System (KMS), they should rely on the attestation API of AASP solely.

Supported platforms

Currently AASP works on AMD processors with SEV-SNP enabled and a Linux kernel that is SEV-SNP enlightened.

Building and installation

Use buildall.sh to build the AASP tool and container.

Instructions

The example provides an end-to-end workflow on how to protect a secret with the tool and how to provision the secret in a container running alongside the AASP container in a Kubernetes pod that is VM-isolated based on Kata containers.

Credits

This project heavily relies on Confidential Sidecar Containers for their implementation of Secure Key Release (SKR)

Compatibility

AASP conforms to the keyprovider protocol of ocicrypt and Kata Attestation Agent

Licensing

This project is released under the MIT License.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

Code of conduct

This project has adopted the Microsoft Code of Conduct. All participants are expected to abide by these basic tenets to ensure that the community is a welcoming place for everyone.

Directories ¶

Path	Synopsis
cmd
aasp Package main implements a server for attestation agent service.	Package main implements a server for attestation agent service.
pkg
keyprovider

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL