Tobin Feldman-Fitzthum

Results 323 comments of Tobin Feldman-Fitzthum

> If we need faster provisioning, we need to implement some kind of optimization such as preallocation of VMs. VM preallocation is possibly not suitable with confidential computing scenarios, and...

I agree that it's kind of weird that we have different codepaths for the kata tests and the operator/kata deploy, but when we talk about combining them, are we staying...

So it seems like we are building the components via the test script for the first release rather than using https://github.com/kata-containers/tests/pull/5048 and the `kata-cc` bundle. Is that correct, @ryansavino @wainersm?

So this removes skopeo/umoci from the guest image, but are we adding in `image-rs` somewhere? Currently there is code in [image_rpc.rs](https://github.com/kata-containers/kata-containers/blob/CCv0/src/agent/src/image_rpc.rs) that is expecting to use skopeo/umoci. Are we going...

> IIUC correctly image_rpc.rs conditionally runs skopeo if it is present, otherwise falls back to image-rs.

Ah yes, I was just looking at the `pull_image_from_registry` method, which relies on `skopeo` but...

> I'm not 100% sure how the interaction with the offline SEV KBC and the simple KBS works. I think it is remote attestation, but it gets the URI and...

Ok, we are in the process of switching to the online kbc for SEV, which relies on the `aa_kbc_params` to get the URI of the KBS. I'm realizing that we...

> Wouldn't not measuring the KBS_URI allow an untrusted KBS to supply an arbitrary security policy that would allow a malicious container to be run, that could mimic the kata-agent...

> Does it mean that only encrypted images can be run with kata-cc?

No, you can do a signed image but there should be a secret involved in your workload...

Well I am hesitant to get sucked into this, but the way I read the manual is that CPUID gives us the reduced physical bits of the host address space....