Confidential Computing technologies provide an isolated encryption runtime environment to protect data-in-use based on hardware Trusted Execution Environment (TEE). It requires a full chain integrity measurement on the launch-time or runtime environment to guarantee "consistent behavior in an expected way" of confidential computing environment for tenant's zero-trust use case.
CIMA aims to help users establish a chain of trust for cloud-native workloads by providing container level evidence, including container measurements, event logs, and confidential computing (CC) reports.
Find out more in CIMA Design and Architecture and Container Measurement Design.
CIMA support to run on Intel® TDX guest. Thus, you will need TDX host and guest for CIMA deployment and usage. Please see below recommended configuration.
| CPU | Host OS | Host packages | Guest OS | Guest packages | Attestation packages | CIMA Tag |
|---|---|---|---|---|---|---|
| Intel 4th Gen (only TDX SKUs) and 5th Gen Xeon Scalable Processors | Ubuntu 23.10 | TDX early preview referring to here | Ubuntu 23.10 | Build a guest image for CIMA using CVM image rewriter | Setup remote attestation on host referring to here | v0.4.0 |
| Intel 4th Gen (only TDX SKUs) and 5th Gen Xeon Scalable Processors | Ubuntu 24.04 | TDX early preview referring to here | Ubuntu 24.04 | Build a guest image for CIMA using CVM image rewriter | Setup remote attestation on host referring to here and here | v0.5.0 |
CIMA will run as a DaemonSet in a Kubernetes cluster or as a container in a docker environment on a single confidential VM (CVM). Refer to CIMA deployment guide and choose a deployment model.
If you want to integrate CIMA SDK in the workload to get measurement and event logs, refer to py_sdk_example.py. It is an example of using CIMA Python SDK. There are also Golang SDK and Rust SDK. Please see more details in CIMA SDK.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, contact the maintainers of the project.
When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
See CONTRIBUTING.md for details on building, testing, and contributing to these libraries.
If you encounter any bugs or have suggestions, please file an issue in the Issues section of the project.
Note: This is pre-production software. As such, it may be substantially modified as updated versions are made available.
TCG PC Client Platform TPM Profile Specification
TCG PC Client Platform Firmware Profile Specification
Ruoyu Ying |
Hairongchen |
Lu Ken |
Ruomeng Hao |
Jiahao Huang |
Haokun Xing |
Wang, Hongbo |
Xiaocheng Dong |
LeiZhou |
Yanbo Xu |
Jialei Feng |
Jie Ren |
Wenhui Zhang |
Robert Dower |
Steve Zhang |