Add a compatibility matrix #1259
Conversation
Having compatibility matrix for guest-components and trustee to make it easier for users/adopters Signed-off-by: Pradipta Banerjee <[email protected]>
fitzthum
left a comment
fitzthum
left a comment
There was a problem hiding this comment.
Something like this could make sense. I wonder if we will be able to keep it up-do-date and if this is the right place for it. Maybe in coco/coco or the release notes or the website would make more sense?
There are a number of errors in this doc as well I think.
| | TEE Platform | `TEE_PLATFORM` | Attester Feature Flag | | ||
| |--------------------|----------------|-----------------------| | ||
| | Intel TDX | `tdx` | `tdx-attester` | | ||
| | Intel SGX | (manual) | `sgx-attester` | |
| | ARM CCA | v0.10.0+ | v0.10.0+ | aarch64 | Experimental | | ||
| | IBM Secure Exec | v0.10.0+ | v0.10.0+ | s390x | Stable | | ||
| | Hygon CSV | v0.12.0+ | v0.12.0+ | x86_64 | Experimental | | ||
| | NVIDIA GPU | v0.15.0+ | v0.15.0+ | x86_64 | Experimental | |
There was a problem hiding this comment.
NVIDIA should be stable now.
Are we missing TPM here?
There was a problem hiding this comment.
Yeah.
Wondering do we need to add this level of details or just leave at GC and Trustee version ? Might become hard to maintain going forward. Wdyt ?
| | Intel TDX | v0.8.0+ | v0.8.0+ | x86_64 | Stable | | ||
| | Intel SGX | v0.7.0+ | v0.7.0+ | x86_64 | Stable | | ||
| | AMD SEV-SNP | v0.7.0+ | v0.7.0+ | x86_64 | Stable | | ||
| | AMD SEV(-ES) | v0.7.0+ | v0.7.0+ | x86_64 | Stable | |
There was a problem hiding this comment.
Not supported anymore, although I'm not sure if we've ripped the code out of GC yet.
There was a problem hiding this comment.
so add a table of retired TEEs?
| - Changed attestation evidence format for some platforms | ||
|
|
||
| ### v0.8.0+ | ||
| - Initial stable KBS protocol v0.4.0 |
There was a problem hiding this comment.
This doesn't seem right. v0.4.0 would have been after multi-device attestation (v0.3.0) and init-data plaintext support (v0.4.0)
There was a problem hiding this comment.
protocol history details is in this issue confidential-containers/trustee#907
|
|
||
| # Test with guest-components client | ||
| cd attestation-agent | ||
| cargo test --features kbs |
There was a problem hiding this comment.
Not sure if either of these tests will actually work. I think the unit test will be skipped if the version doesn't match. At least someone should try running this.
There was a problem hiding this comment.
I would drop that section from this doc as well.
| | v0.14.0 | v0.13.0 | v0.13.0 | v0.4.0 | May 2025 | | ||
| | v0.13.0 | v0.12.0 | v0.12.0 | v0.4.0 | Mar 2025 | | ||
|
|
||
| **Note:** Using mismatched versions may work but is not tested. For production deployments, use versions from the same CoCo release. |
There was a problem hiding this comment.
This will not work. There is version check logic https://github.com/confidential-containers/trustee/blob/main/kbs/src/attestation/backend.rs#L220-L227 to assert the versions are the same?
| | Azure SNP vTPM | v0.9.0+ | v0.9.0+ | x86_64 | Stable | | ||
| | ARM CCA | v0.10.0+ | v0.10.0+ | aarch64 | Experimental | | ||
| | IBM Secure Exec | v0.10.0+ | v0.10.0+ | s390x | Stable | | ||
| | Hygon CSV | v0.12.0+ | v0.12.0+ | x86_64 | Experimental | |
There was a problem hiding this comment.
We also have Hygon DCU from v0.15.0
|
|
||
| ## KBS Protocol Version | ||
|
|
||
| Guest-components and Trustee communicate using the KBS (Key Broker Service) protocol. Both sides must use compatible protocol versions. |
There was a problem hiding this comment.
Currently we have no enforced schema for the evidence payload, so if some encoding changes (e.g. because of a bincode update/replacement in GC or in a dependency). a change on the payload would break Trustee interop. Until we have this, it's an aspirational goal, but we cannot really guarantee this.
These would be my concerns and questions too. The release notes would force us to keep it regularly updated (or the release checklist could have an item to update this doc in its own file at least) |
| | Hygon CSV | v0.12.0+ | v0.12.0+ | x86_64 | Experimental | | ||
| | NVIDIA GPU | v0.15.0+ | v0.15.0+ | x86_64 | Experimental | | ||
|
|
||
| ### Feature Flags |
There was a problem hiding this comment.
This Feature Flags seems more for the guest-component's main documentation than for this compatibility document. I would drop it.
| | ARM CCA | `cca` | `cca-attester` | | ||
| | IBM Secure Exec | `se` | `se-attester` | | ||
|
|
||
| ## Component Dependencies |
There was a problem hiding this comment.
Likewise. That section is more like an internal implementation detail of guest-components.
IMO that document should be moved to https://github.com/confidential-containers/confidential-containers/ , have a link on release notes and a item in the release checklist to remember us of getting it up-to-date. |
Ah, I was about to forget: amazing document! thanks @bpradipt ! |
6 participants
I took help from AI agent to pull up the details. Keeping it in draft for the following reasons:
cc @confidential-containers/guest-components-maintainers @confidential-containers/trustee-maintainers