Secure Virtualization for Hybrid Cloud at IBM T.J. Watson Research Center
-
IBM Research
- New York
- www.tobinfitzthum.com
- https://orcid.org/0009-0006-3655-2378
Pinned Loading
-
kata-containers/kata-containers
kata-containers/kata-containers PublicKata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workl…
-
The Mystery of the KBS Identity
The Mystery of the KBS Identity 1# The Mystery of the KBS Identity
23One simple question has confounded countless developers working on [Confidential Containers](https://github.com/confidential-containers); how do we know we are connecting to the correct KBS? For context, KBS is short for [Key Broker Service](https://github.com/confidential-containers/kbs), which is the trusted entity that conditionally grants access to client secrets. The term relying party could be used to describe the KBS. Inside the guest, there is a Key Broker Client (KBC) built into the [Attestation Agent](https://github.com/confidential-containers/attestation-agent) (AA). The KBC talks to the KBS to get container decryption keys among other things.
45The connection between the KBC and the KBS is secured with public key cryptography. The KBC generates a random keypair and sends the public key to the KBS when requesting confidential resources. Since the KBC has the lifespan of one VM, it makes sense for it to have an ephemeral keypair. The hash of the public key is included in the hardware evidence, which is also sent to the KBS. With this evidence, the KBS (with the help of an [Attestation Service](https://github.com/confidential-containers/attestation-service)) can verify that the public key it receives from the KBC was generated inside a real TEE with a certain initial TCB. This is precisely what the KBS needs to validate before releasing client secrets to the KBC.
-
-
confidential-containers/guest-components
confidential-containers/guest-components PublicConfidential Containers Guest Tools and Components
-
confidential-containers/confidential-containers
confidential-containers/confidential-containers PublicConfidential Containers Community
-
confidential-containers/trustee
confidential-containers/trustee PublicAttestation and Secret Delivery Components
Something went wrong, please refresh the page to try again.
If the problem persists, check the GitHub status page or contact support.
If the problem persists, check the GitHub status page or contact support.