Confidential Computing technologies provide an isolated, encrypted runtime environment that protects data in use, backed by a hardware Trusted Execution Environment (TEE). Because a tenant in a zero-trust setting cannot inspect that environment directly, the whole launch-time and runtime chain must be integrity-measured, so the tenant can verify that the confidential computing environment behaves consistently and in the expected way.
CCNP aims to help users establish a chain of trust for cloud-native workloads by providing cloud-native level confidential computing primitives, including container measurements, event logs, and confidential computing (CC) reports.
Find out more in CCNP Design and Architecture and Container Measurement Design.
CCNP runs inside an Intel® TDX guest, so you need both a TDX-enabled host and a TDX guest to deploy and use it. The recommended configurations are listed below.
| CPU | Host OS | Host packages | Guest OS | Guest packages | Attestation packages | CCNP Tag |
|---|---|---|---|---|---|---|
| Intel 4th Gen (only TDX SKUs) and 5th Gen Xeon Scalable Processors | Ubuntu 23.10 | TDX early preview (see the referenced guide) | Ubuntu 23.10 | Build a guest image for CCNP using the CVM image rewriter | Set up remote attestation on the host (see the referenced guide) | v0.4.0 |
| Intel 4th Gen (only TDX SKUs) and 5th Gen Xeon Scalable Processors | Ubuntu 24.04 | TDX early preview (see the referenced guide) | Ubuntu 24.04 | Build a guest image for CCNP using the CVM image rewriter | Set up remote attestation on the host (see the referenced guides) | v0.5.0 |
CCNP runs either as a DaemonSet in a Kubernetes cluster or as a container in a Docker environment on a single confidential VM (CVM). Refer to the CCNP deployment guide and choose a deployment model.
To integrate the CCNP SDK into a workload and retrieve measurements and event logs, refer to py_sdk_example.py, which shows how to use the CCNP Python SDK. Golang and Rust SDKs are also available; see CCNP SDK for details.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, contact the maintainers of the project.
When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
See CONTRIBUTING.md for details on building, testing, and contributing to these libraries.
If you encounter any bugs or have suggestions, please file an issue in the Issues section of the project.
Note: This is pre-production software. As such, it may be substantially modified as updated versions are made available.
TCG PC Client Platform TPM Profile Specification
TCG PC Client Platform Firmware Profile Specification
Ruoyu Ying
Hairongchen
Lu Ken
Ruomeng Hao
Jiahao Huang
Haokun Xing
Wang, Hongbo
Xiaocheng Dong
LeiZhou
Yanbo Xu
Jialei Feng
Jie Ren
Wenhui Zhang
Robert Dower
Steve Zhang