
Commit e89032d

Confidential computing: Rework procedure
* Rewording
* Remove numberings and titles of steps
* Show full URLs of the files to download
1 parent ede700c commit e89032d

1 file changed

Lines changed: 20 additions & 46 deletions


xml/cha_administration.xml

@@ -815,76 +815,50 @@ LTSS registration succeeded</screen>
815815
</para>
816816
</sect3>
817817
</sect2>
818-
<sect2 xml:id="practical-guide-deploying-attestable-images">
819-
<title>Practical Guide: Deploying Attestable Images</title>
818+
<sect2 xml:id="deploying-attestable-images">
819+
<title>Deploying attestable images</title>
820820
<procedure>
821821
<step>
822822
<para>
823-
Fetch and Register the Image
823+
To start, you need an attestable image. &suse; provides a &sls; (&slsa;) image built
824+
with &kiwi; for &awsa; with the necessary configurations for Nitro TPM and Enclaves.
825+
You can download the image from the &obs; at
826+
<link xlink:href="https://download.opensuse.org/repositories/Virtualization:/Appliances:/Images:/Testing_x86:/leap/images_sles/kiwi-test-image-aws-isolated-compute.x86_64.raw.xz"/>.
824827
</para>
828+
</step>
829+
<step>
825830
<para>
826-
To start, you need an attestable image. For example, a &sls; (&slsa;) image built by
827-
&kiwi; for &awsa; with the necessary configurations for Nitro TPM and Enclaves. You can
828-
find such an image as follows:
829-
</para>
830-
<itemizedlist>
831-
<listitem>
832-
<formalpara>
833-
<title>Image:</title>
834-
<para>
835-
<link xlink:href="https://download.opensuse.org/repositories/Virtualization:/Appliances:/Images:/Testing_x86:/leap/images_sles/kiwi-test-image-aws-isolated-compute.x86_64.raw.xz">kiwi-test-image-aws-isolated-compute.x86_64.raw.xz</link>
836-
</para>
837-
</formalpara>
838-
</listitem>
839-
<listitem>
840-
<formalpara>
841-
<title>Upload</title>
842-
<para>
843-
Use tools like <command>ec2uploadimg</command> as utilized in
844-
<link xlink:href="https://build.opensuse.org/projects/Virtualization:Appliances:Images:Testing_x86:leap/packages/test-image-aws-isolated-compute/files/ec2-upload?expand=1"><filename>ec2-upload</filename></link> or an alternative custom upload script.
845-
</para>
846-
</formalpara>
847-
</listitem>
848-
</itemizedlist>
831+
Upload the attestable image to &ec2a; with <command>ec2uploadimg</command> or a custom
832+
upload script. <command>ec2uploadimg</command> is available from the &obs; at
833+
<link xlink:href="https://build.opensuse.org/projects/Virtualization:Appliances:Images:Testing_x86:leap/packages/test-image-aws-isolated-compute/files/ec2-upload"/>.
834+
</para>
849835
<important>
850836
<para>
851-
When uploading the AMI, you must enable TPM 2.0 support
852-
and set the EFI boot mode to UEFI.
837+
When uploading the AMI, you must enable TPM 2.0 support and set the EFI boot mode to UEFI.
853838
</para>
854839
</important>
855840
</step>
856841
<step>
857842
<para>
858-
PCR Measurements
843+
Before launching the instance, download the precomputed PCR measurements from
844+
<link xlink:href="https://download.opensuse.org/repositories/Virtualization:/Appliances:/Images:/Testing_x86:/leap/images_sles/pcr_measurements.json"/>.
859845
</para>
860846
<para>
861-
Before launching, download the precomputed PCR measurements:
862-
<link xlink:href="https://download.opensuse.org/repositories/Virtualization:/Appliances:/Images:/Testing_x86:/leap/images_sles/pcr_measurements.json">pcr_measurements.json</link>
863-
</para>
864-
<para>
865-
These values represent the expected NitroTPM PCR 4, 7, and 12 values based on
866-
the UKI. They serve as the baseline for verifying the integrity of your
867-
instance.
847+
These values represent the expected NitroTPM PCR 4, 7, and 12 values based on the UKI.
848+
They serve as the baseline for verifying the integrity of your instance.
868849
</para>
869850
</step>
870851
<step>
871852
<para>
872-
3. Launching the Instance
873-
</para>
874-
<para>
875-
Select an instance type that supports Nitro TPM and Enclaves (e.g.,
876-
<literal>m5.xlarge</literal>). In the <emphasis role="strong">Advanced Details</emphasis>
853+
Select an instance type that supports Nitro TPM and Enclaves such as
854+
<literal>m5.xlarge</literal>. In the <emphasis role="strong">Advanced Details</emphasis>
877855
section of the EC2 launch wizard, ensure that <emphasis role="strong">Enclave support</emphasis>
878856
is explicitly enabled.
879857
</para>
880858
</step>
881859
<step>
882860
<para>
883-
4. Verifying the TEE
884-
</para>
885-
<para>
886-
Once logged into the instance, you can generate an attestation
887-
document and check the PCRs:
861+
To verify the TEE, log in to the instance and generate an attestation document and check the PCRs:
888862
</para>
889863
<programlisting language="bash" linenumbering="unnumbered">
890864
# Generate attestation document
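
Review bot: In the upload step, the added sentence "<command>ec2uploadimg</command> is available from the &obs; at" points to a link whose path ends in files/ec2-upload, but the removed text described that file as a script in which ec2uploadimg is "utilized", so the new wording presents the example script as the tool itself; suggest rewording along the lines of "An example upload script that calls ec2uploadimg is available at ...". The xml:id changes from practical-guide-deploying-attestable-images to deploying-attestable-images, so any xref or external link to the old ID needs updating in the same commit. The new text also introduces &suse;, &obs; and &ec2a;, which the removed lines did not use; confirm they are declared in the entity file. In the PCR step, the text calls pcr_measurements.json "the baseline for verifying the integrity of your instance", yet it is fetched from the same repository path as the image and the procedure gives no way to authenticate it; a sentence on how the reader should verify that file would fit here. Minor: "generate an attestation document and check the PCRs" now follows "log in to the instance and", which chains two "and" clauses; "log in to the instance, generate an attestation document, and check the PCRs" reads more cleanly.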
