Workload Confidentiality
Workload Confidentiality builds upon Platform Attestation to protect data in virtual machine and container images. At its core, this feature is about allowing an image owner to set policies that define the conditions under which their image will be allowed to run; if the policy conditions are met, the decryption key will be provided, and if the conditions are not met, the image will remain encrypted and inaccessible. This provides a level of enforcement beyond integration with orchestrators, and protects sensitive data when the image is at rest.
Workload Encryption relies on Platform Attestation to define the security attributes of hosts. When a protected image is launched, the Workload Agent on the host launching the VM or container image will detect the attempt (using either Libvirt hooks for VMs, or as a function of CRI-O in the case of containers) and use the Image ID to find the Image Flavor on the Workload Service. The Workload Service will retrieve the current trust report for the host launching the image, and use that report to make a key retrieval request to the key transfer URL retrieved from the image flavor. The key transfer URL refers to the URL to the image owner’s Key Broker Service, along with the ID of the key needed.
In a typical production deployment, a Cloud Service Provider would enable Intel® SecL-DC security controls by installing the Intel® SecL-DC applications (with the exception of the Key Broker and Workload Policy Manager), and configuring each workload host to be Trusted (as per the Platform Integrity Attestation use case).
The owner of the workload image(s) to be protected (for example, the end customer of the CSP) must install a Key Broker Service (which must be available for network communication from the Workload Service hosted on the CSP), the Workload Policy Manager, and their own Authentication and Authorization Service and Certificate Management Service (these will manage authentication and certificates for the KBS and WPM).
Any number of image owner customers with their own unique KBS/WPM/AAS/CMS deployments may protect images that can be run by a single CSP deployment.
The image owner will use the WPM to encrypt any image(s) to be protected; the WPM will automatically create a new image encryption key using the KBS, and will output the encrypted image and an Image Flavor. The image owner can then upload the encrypted image to the CSP’s image storage service, and then upload the Image Flavor to the CSP-hosted WLS.
When a compute host at the CSP attempts to launch a protected image, the WLA on the host will detect the launch request, and will issue a key transfer request to the WLS. The WLS will use the image ID to retrieve the Image Flavor, which contains the key retrieval URL for that image. This URL is hosted on the KBS of the image owner (which is why the KBS must be available to network requests from the WLS). The WLS will access the HVS to retrieve the current Platform Integrity Attestation report for the host, and will use this report to make a key transfer request to the KBS at the key transfer URL.
The KBS will receive the request, verify that the Platform Integrity Attestation report is signed using a known SAML signing key (verifying that the report comes from a known and trusted HVS), and will then verify that the report shows that the host is trusted.
If these requirements are met, the KBS will use the host’s Binding Key (the public half of an asymmetric keypair generated by the host’s TPM and included in the attestation report) as a Key Encryption Key to seal the Image Encryption Key to the TPM of the host that was attested.
When the host receives the response to the key request, it will unseal the Image Encryption Key using its TPM. Because the Key Encryption Key is unique to this host’s TPM, only the actual host that was attested will be able to gain access to the image.
With the Image Encryption Key, the host’s WLA will create the appropriate encrypted volume(s) for the image and begin the launch as normal.
The WLA does not retain the key on disk; if/when the host is rebooted or the WLA is restarted, restarting the workloads based on protected images will trigger new key requests based on new Platform Integrity Attestation reports. In this way, if a host is compromised in a method detectable by the Platform Integrity feature, protected images will be unable to launch on this server.
Virtual Machine Confidentiality
Prerequisites
To enable Virtual Machine Confidentiality, the following Intel® SecL-DC components must be installed and available:
-
Authentication and Authorization Service
-
Certificate Management Service
-
Key Broker Service
-
Host Verification Service
-
Workload Service
-
Trust Agent + Workload Agent (on each virtualization host)
-
Workload Policy Manager
See the Installation subsection on Recommended Service Layout for recommendations on how/where to install each service.
It is strongly recommended to use a VM orchestration solution (for example, OpenStack) with the Intel® SecL-DC Integration Hub to schedule encrypted workloads on compute hosts that have already been pre-checked for their Platform Integrity status. See the Platform Integrity Attestation subsection on Integration with OpenStack for an example.
You will need at least one QCOW2-format virtual machine image (for quick testing purposes, a very small minimal premade image like CirrOS is recommended; a good place to look for testing images is the OpenStack Image Guide found here: https://docs.openstack.org/image-guide/obtain-images.html).
One or more hypervisor compute nodes running QEMU/KVM is required.
Each of these nodes must have the Intel® SecL-DC Trust Agent and
Workload Agent installed, and they must be registered with the
Verification Service. Each of these servers should show as trusted
see the Platform Integrity Attestation section for details. You should
have Flavors that match the system configuration for these hosts, and
attestation reports should show all Flavor parts as trusted=true
Hosts that are not trusted (including servers where there is no trust
status, like hosts with no Trust Agent) will fail to launch any
encrypted workloads.
Workflow
Encrypting images
wpm create-image-flavor -l <user-friendly unique label> -i <path to image file> -e <output path and filename for encrypted image> -o <output path for JSON image flavor>`
After generating the encrypted image with the WPM, the encrypted image can be uploaded to the Image Storage service of choice (for example, OpenStack Glance). Note that the ID of the image in this Image Storage service must be retained and used for the next steps.
Uploading the Image Flavor
POST https://<Workload Service IP or Hostname>:5000/wls/flavors
Authorization: Bearer <token>
{<Image Flavor content from WPM output>}
Use the above API request to upload the Image Flavor to the WLS. The Image Flavor will tell other Intel® SecL-DC components the Key Transfer URL for this image.
Creating the Image Flavor to Image ID Association
The WLS needs to know the ID of the image as it exists in the image storage service used by the CSP (for example, OpenStack Glance). Use the below API request to create an association between the Image Flavor created in the previous step and the image ID.
POST https://<Workload Service IP or Hostname>:5000/wls/images
Authorization: Bearer <token>
{
"id": "<image ID on image storage>",
"flavor_ids": ["<Image Flavor ID>"]
}
Launching Encrypted VMs
Instances of the protected images can now be launched as normal. Encrypted images will only be accessible on hosts with a Platform Integrity Attestation report showing the host is trusted.
If the VM is launched on a host that is not trusted, the launch will fail, as the decryption key will not be provided.
Container Confidentiality
Container Confidentiality with Cri-o
Prerequisites
Container Confidentiality with Cri-o runtime requires cri-o with version >=1.21 and skopeo version >=1.3.0
-
Kubernetes must be configured to use Cri-o
-
Platform Integrity Attestation must be configured for the physical Kubernetes Worker Nodes.
-
This includes, at minimum, the CMS; AAS; HVS; KBS; WPM; and the Trust Agent must be installed on each Worker Node. See the Installation section for details installing these services.
-
Each Kubernetes Worker Node should be Trusted in the attestation reports generated by the HVS.
-
Only physical Worker Nodes are supported at this time.
Installing Workload Policy Manager
Workload Policy Manager Installation
Workflow
Image encryption
Configure the ocicrypt config file /etc/ocicrypt-wpm.json
as below
{
"key-providers": {
"isecl": {
"cmd": {
"path":"/usr/bin/wpm",
"args": ["get-ocicrypt-wrappedkey"]
}
}
}
}
Skopeo Commands for encrypting image
$OCICRYPT_KEYPROVIDER_CONFIG=/etc/ocicrypt-wpm.json skopeo copy --encryption-key provider:isecl:any source-image destination-image
Alternatively, encrypt the image and push it to a registry in a single step:
$ OCICRYPT_KEYPROVIDER_CONFIG=/etc/ocicrypt-wpm.json skopeo copy --encryption-key provider:isecl:any oci:custom-image:latest docker://registry.server.com:5000/custom-image:enc
Examples
Copy a container image from a registry to a local server:
$ skopeo copy docker://docker.io/library/nginx:latest oci:nginx_local
To encrypt an image (this will allow the image to run only on Trusted platforms):
$ OCICRYPT_KEYPROVIDER_CONFIG=/etc/ocicrypt-wpm.json skopeo copy --encryption-key provider:isecl:any oci:nginx_local oci:nginx_secl_enc
To copy a local image to a remote registry:
$ skopeo copy oci:nginx_secl_enc docker://registry.server.com:5000/nginx_secl_enc:latest
Prepare an Image
Convert the image to an OCI image using Skopeo:
$ skopeo copy docker-daemon:custom-image:latest oci:custom-image:latest
Encrypt the image
$ OCICRYPT_KEYPROVIDER_CONFIG=/etc/ocicrypt-wpm.json skopeo copy --encryption-key provider:isecl:any oci:custom-image:latest oci:custom-image:enc
Push the image to a registry:
$ skopeo copy oci:custom-image:enc docker://Registry.server.com:5000/custom-image:enc
Pulling and Encrypting a Container Image
Skopeo can be used to pull a container image from an external registry (a private Docker registry is used in the examples abocve). This image may be encrypted already, but if you wish to pull an image for encryption, it must be in plaintext format. Skopeo has a wrapper that can interact with the Workload Policy Manager. When trying to encrypt an image, Skopeo calls the WPM CLI fetch-key command. In the command, the KBS is called in order to create a new key. The return from the KBS includes the key retrieval URL, which is used when trying to decrypt. After the key is returned to the WPM, the WPM passes the key back to Skopeo. Skopeo uses the key to encrypt the image layer by layer as well as associate the encrypted image with the key's URL. Skopeo then uploads the encrypted image to a remote container registry.
Importing Verification Service Certificates
Importing Verification Service Certificates
Launching an Encrypted Container Image
Configure the ocicrypt config file ocicrypt-wlagent.json
as below in each WLA nodes.
shell script
{
"key-providers":{
"isecl": {
"grpc": "unix:///var/run/workload-agent/wlagent.sock"
}
}
}
Note
Its recommended to not to set http_proxy variables if proxy server is running behind, instead please use a registry mirror to pull any publicly available images
Containers of the protected images can now be launched as normal using Kubernetes pods and deployments. Encrypted images will only be accessible on hosts with a Platform Integrity Attestation report showing the host is trusted. If the Crio Container is launched on a host that is not trusted, the launch will fail, as the decryption key will not be provided.
Pull encrypted image using command line from the each WLA node crictl pull <Registry-IP>:5000/<image-name>:<tag>