Confidential Containers
Introduction
The TEE OS supports client applications (CAs) and trusted applications (TAs) running in containers, as well as high-level language applications. Figure 1 shows the overall architecture.
- Docker engine: The core software that runs and manages containers. It is installed together with Docker.
- Container: An operating environment built from a user-defined image, holding the CAs and TAs.
- REE patch: A component in the REE, deployed on the host, that enables the TrustZone environment. libteec.so is deployed in the container to provide the client API to CAs.
- tlogcat: Deployed on the host or in a container to view the logs printed by the TEE.
- agentd: Deployed in a container to dynamically load the TAs in that container and to support secure storage in the container.
- tee_teleport: Deployed on the host or in a container to deploy and run high-level language applications.
- Hook: The hook mechanism supported by openEuler Docker in the REE, which allocates TEE resources to confidential containers.
- TEE cgroup: Control groups (cgroups) in the TEE that allocate CPU and memory resources to confidential containers.
For details about how to use this feature, see Confidential Containers.
Restrictions
- CAs and TAs can be deployed in containers.
- High-level language applications can be deployed in containers.
- The TEE OS supports at most 255 containers. Because of resource limits in the TEE OS, however, at most 63 containers can run TAs concurrently; once that number is reached, TAs in additional containers fail to load.
- To use secure storage or HUK key derivation in a container, that container must be started using the hook mechanism.
- If a container is not started using the hook mechanism, its TEE memory and CPU usage is not restricted.
- Use the Docker package provided by openEuler; other Docker packages may not support the hook mechanism.
- There is currently no way to observe CPU usage inside the TEE.
- By default, only the root user can use cgroups in the TEE. Other users can be authorized by adding them to the trustlist.
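The restrictions above are easy to violate silently: a TA in the 64th container simply fails to load, and a container started without the hook gets no TEE resource limit at all. The following is an added example, not code from the openEuler or iTrustee documentation, that encodes these restrictions as a preflight validator over a deployment plan. The plan format, the names ContainerPlan, check_plan and SAMPLE_PLAN, and the sample entries are all constructed for this example; the limits are the ones stated on this page.

```python
"""Preflight validator for a confidential-container deployment plan.

Added example (not openEuler/iTrustee code). It checks a planned set of
containers against the restrictions documented for confidential containers
so that a violation is caught before `docker run`, not when a TA fails to load.
"""
from dataclasses import dataclass

MAX_CONTAINERS = 255     # containers the TEE OS supports in total
MAX_TA_CONTAINERS = 63   # containers that may run TAs concurrently


@dataclass
class ContainerPlan:
    """One planned container (hypothetical plan format for this example)."""
    name: str
    runs_ta: bool = False               # container loads TAs
    uses_secure_storage: bool = False   # TA uses TEE secure storage
    uses_huk_derivation: bool = False   # TA derives keys from the HUK
    started_with_hook: bool = False     # started via the openEuler Docker hook


def check_plan(containers, operator="root", cgroup_trustlist=()):
    """Return (errors, warnings).

    errors:   states the TEE OS rejects or the documented restrictions forbid.
    warnings: allowed states a practitioner should still know about.
    """
    errors, warnings = [], []

    names = [c.name for c in containers]
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:
        errors.append(f"duplicate container names: {dupes}")

    if len(containers) > MAX_CONTAINERS:
        errors.append(f"{len(containers)} containers exceed the TEE OS limit "
                      f"of {MAX_CONTAINERS}")

    ta_count = sum(1 for c in containers if c.runs_ta)
    if ta_count > MAX_TA_CONTAINERS:
        errors.append(f"{ta_count} containers run TAs, but only "
                      f"{MAX_TA_CONTAINERS} may run TAs concurrently; TAs in "
                      f"the remaining containers will fail to load")

    # Only root, or users added to the trustlist, may use TEE cgroups.
    if operator != "root" and operator not in cgroup_trustlist:
        errors.append(f"operator '{operator}' is not root and not on the TEE "
                      f"cgroup trustlist, so it cannot use TEE cgroups")

    for c in containers:
        needs_hook = c.uses_secure_storage or c.uses_huk_derivation
        if needs_hook and not c.started_with_hook:
            errors.append(f"{c.name}: secure storage / HUK key derivation "
                          f"requires starting the container via the hook")
        if not c.started_with_hook:
            # Allowed, but the container is not bounded by a TEE cgroup.
            warnings.append(f"{c.name}: not started via the hook, so its TEE "
                            f"memory and CPU usage is unrestricted")
    return errors, warnings


# Constructed sample plan: one correct container, one that needs the hook
# but was not started with it, and one plain high-level language app.
SAMPLE_PLAN = [
    ContainerPlan("payments-ta", runs_ta=True, uses_secure_storage=True,
                  started_with_hook=True),
    ContainerPlan("keyderive-ta", runs_ta=True, uses_huk_derivation=True,
                  started_with_hook=False),
    ContainerPlan("py-app", runs_ta=False, started_with_hook=False),
]


if __name__ == "__main__":
    errs, warns = check_plan(SAMPLE_PLAN)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
```

Run against SAMPLE_PLAN, the validator reports one error (keyderive-ta needs the hook for HUK derivation) and two warnings (the two containers started without the hook have no TEE resource limit). Feeding it a plan with 64 TA containers or 256 containers in total reports the corresponding limit as an error.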
