docs: update state of clouds by m1ghtym0 · Pull Request #1732 · edgelesssys/constellation · GitHub

docs: update state of clouds #1732


Merged
merged 4 commits into from
May 10, 2023

Conversation

m1ghtym0
Member
@m1ghtym0 m1ghtym0 commented May 4, 2023

Proposed change(s)

  • Update state of clouds
  • Will backport these changes after the review to 2.7

Checklist

  • Update docs
  • Add labels (e.g., for changelog category)
  • Link to Milestone

@m1ghtym0 m1ghtym0 requested a review from thomasten as a code owner May 4, 2023 09:04
@netlify
netlify bot commented May 4, 2023

Deploy Preview for constellation-docs ready!

Name Link
🔨 Latest commit 2eb3ba9
🔍 Latest deploy log https://app.netlify.com/sites/constellation-docs/deploys/64590dc804d48000087e8b3c
😎 Deploy Preview https://deploy-preview-1732--constellation-docs.netlify.app


AWS currently doesn't offer CVMs. AWS proprietary Nitro Enclaves offer some related features but [are explicitly not designed to keep AWS itself out](https://aws.amazon.com/blogs/security/confidential-computing-an-aws-perspective/). Besides, they aren't suitable for running entire Kubernetes nodes inside them. Therefore, Constellation uses regular EC2 instances on AWS [Nitro](https://aws.amazon.com/ec2/nitro/) without runtime encryption. Attestation is based on the [NitroTPM](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html), which is a vTPM managed by the Nitro hypervisor. Hence, the hypervisor is currently part of Constellation's TCB.
## Amazon Web Services (AWS)
Amazon EC2 [supports AMD SEV-SNP](https://aws.amazon.com/de/about-aws/whats-new/2023/04/amazon-ec2-amd-sev-snp/). Regarding (3), AWS provides direct access to remote-attestation statements. However, regarding (4), the CVMs still include closed-source firmware running in VM Privilege Level (VMPL) 0.
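Review bot: the rewritten AWS paragraph drops the only sentence that said what Constellation itself does on AWS (regular EC2 instances on Nitro without runtime encryption, attestation via the NitroTPM vTPM, hypervisor inside the TCB); the new text describes what EC2 now offers but no longer tells the reader whether Constellation runs on SEV-SNP instances or still on Nitro instances, or what its AWS TCB is, so keep one sentence stating that. Also, `https://aws.amazon.com/de/about-aws/whats-new/2023/04/amazon-ec2-amd-sev-snp/` is a locale-specific URL; link the generic `https://aws.amazon.com/about-aws/...` path instead. The references to "(3)" and "(4)" rely on a numbered criteria list above this hunk; make sure that list exists in the same section so the paragraph reads on its own.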
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

re CVMs still include closed-source firmware: I did not check yet if we can independently recreate the measurement we get from the sev-guest device. But, AWS says the initial firmware inside the CVM is based on OVMF. So it may not be closed-source. On the other hand, there is no information yet on what exactly is put into the CVM.
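The comment above is about recreating the launch measurement a verifier reads from the SEV-SNP attestation report obtained through the sev-guest device. The following is an added example, not Constellation's code, showing the verifier-side half of that check: it parses the MEASUREMENT, REPORT_DATA and VMPL fields out of a raw report, confirms freshness via the nonce in REPORT_DATA, and compares the measurement against independently computed reference digests. The field offsets are assumptions taken from my reading of the AMD SEV-SNP ABI specification (ATTESTATION_REPORT structure) and should be checked against the spec revision you target; the report bytes and reference digest are constructed for the example, and the signature check over the report (VCEK chain from AMD's KDS) is deliberately out of scope here.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Offsets and sizes of the ATTESTATION_REPORT fields this example reads.
// Assumed from the AMD SEV-SNP ABI spec; verify against your spec revision.
const (
	reportLen      = 1184 // whole report including the trailing signature block
	offVersion     = 0x00 // uint32
	offPolicy      = 0x08 // uint64 guest policy
	offVMPL        = 0x30 // uint32 VMPL the report was requested from
	offReportData  = 0x50 // 64 bytes of guest-supplied data (verifier nonce)
	offMeasurement = 0x90 // 48-byte launch digest (SHA-384 of initial guest memory)
	reportDataLen  = 64
	measurementLen = 48
)

// Report holds the subset of fields a launch-measurement check needs.
type Report struct {
	Version     uint32
	Policy      uint64
	VMPL        uint32
	ReportData  []byte
	Measurement []byte
}

// ParseReport extracts the fields above from a raw report as returned by the
// sev-guest device. It does NOT verify the report signature; in a real verifier
// the VCEK -> ASK -> ARK chain must be checked before any field here is trusted.
func ParseReport(raw []byte) (*Report, error) {
	if len(raw) != reportLen {
		return nil, fmt.Errorf("attestation report: got %d bytes, want %d", len(raw), reportLen)
	}
	return &Report{
		Version:     binary.LittleEndian.Uint32(raw[offVersion:]),
		Policy:      binary.LittleEndian.Uint64(raw[offPolicy:]),
		VMPL:        binary.LittleEndian.Uint32(raw[offVMPL:]),
		ReportData:  append([]byte(nil), raw[offReportData:offReportData+reportDataLen]...),
		Measurement: append([]byte(nil), raw[offMeasurement:offMeasurement+measurementLen]...),
	}, nil
}

// CheckLaunchMeasurement verifies that the report is fresh (REPORT_DATA echoes the
// verifier's nonce, zero-padded to 64 bytes) and that MEASUREMENT matches one of
// the reference digests the verifier computed itself for known firmware+guest
// images. It returns the name of the matching reference image.
func CheckLaunchMeasurement(r *Report, nonce []byte, expected map[string]string) (string, error) {
	if len(nonce) > reportDataLen {
		return "", errors.New("nonce longer than REPORT_DATA")
	}
	want := make([]byte, reportDataLen)
	copy(want, nonce)
	if subtle.ConstantTimeCompare(r.ReportData, want) != 1 {
		return "", errors.New("REPORT_DATA does not echo the nonce: stale or replayed report")
	}
	for name, hexDigest := range expected {
		digest, err := hex.DecodeString(hexDigest)
		if err != nil || len(digest) != measurementLen {
			return "", fmt.Errorf("bad reference digest for %q", name) // allow-list corruption is fatal
		}
		if bytes.Equal(r.Measurement, digest) {
			return name, nil
		}
	}
	return "", fmt.Errorf("MEASUREMENT %x is not in the allow-list: unknown firmware or guest image", r.Measurement)
}

// SampleReport builds a constructed, unsigned, non-genuine report image carrying the
// given measurement and nonce so the checks above can run offline.
func SampleReport(measurement, nonce []byte) []byte {
	raw := make([]byte, reportLen)
	binary.LittleEndian.PutUint32(raw[offVersion:], 2)    // constructed: version 2 report
	binary.LittleEndian.PutUint64(raw[offPolicy:], 0x30000) // constructed policy value
	// offVMPL is left at 0: report requested from VMPL 0
	copy(raw[offReportData:], nonce)
	copy(raw[offMeasurement:], measurement)
	return raw
}

func main() {
	nonce := []byte("constructed-nonce-0001")
	ref := bytes.Repeat([]byte{0xAB}, measurementLen) // constructed reference digest
	r, err := ParseReport(SampleReport(ref, nonce))
	if err != nil {
		panic(err)
	}
	name, err := CheckLaunchMeasurement(r, nonce, map[string]string{"guest-image-v1": hex.EncodeToString(ref)})
	fmt.Println("version:", r.Version, "vmpl:", r.VMPL, "matched:", name, "err:", err)
}
```

The allow-list is keyed by image name so a mismatch error can say which reference digests were considered; the nonce comparison is constant-time purely out of habit, since REPORT_DATA is not secret but the habit costs nothing. Recreating the reference digest itself (what the comment above is about) means hashing the initial guest memory layout, including the firmware, exactly as the AMD-SP does at launch, which is only possible if the firmware image is known.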

m1ghtym0 and others added 2 commits May 8, 2023 16:55
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
@m1ghtym0 m1ghtym0 merged commit fd83f34 into main May 10, 2023
@m1ghtym0 m1ghtym0 deleted the ref/clouds branch May 10, 2023 08:04