Graphene Attestation Inside AKS #2473
Conversation
Signed-off-by: Veena Saini <[email protected]>
dimakuv
left a comment
Reviewable status: 0 of 4 files reviewed, 1 unresolved discussion, not enough approvals from maintainers (3 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @veenasai2)
a discussion (no related file):
This feels like a contribution to https://github.com/oscarlab/graphene-contrib. From what I understand, this contribution takes the graphene/Tools/gsc/test/ubuntu18.04-ra-tls-secret-prov example and runs it in the Azure Kubernetes Service (AKS) cloud.
@veenasai2 Do you think this PR can be moved to graphene-contrib? Or is there any particular reason to keep it in the core Graphene repository?
@dimakuv we put it here since all the past AKS stuff also came here. Also there's one more image that has been added which can be used for other cloud deployments (aks-ra-tls-secret-prov-server.dockerfile). Probably better to put it here itself. Makes sense?
dimakuv
left a comment
Reviewed 4 of 4 files at r1.
Reviewable status: all files reviewed, 14 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @veenasai2)
a discussion (no related file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
This feels like a contribution to https://github.com/oscarlab/graphene-contrib. From what I understand, this contribution takes the
graphene/Tools/gsc/test/ubuntu18.04-ra-tls-secret-prov example and runs it in the Azure Kubernetes Service (AKS) cloud. @veenasai2 Do you think this PR can be moved to graphene-contrib? Or is there any particular reason to keep it in the core Graphene repository?
@veenasai2 For future: please always reply using Reviewable, not GitHub itself. Otherwise your comment just "hangs" in the wrong place when opening Reviewable.
Anyway, we agreed to review and merge this PR now, because this will get split into a new gsc repository soon. So it's better to merge this code into GSC now and then move everything in one go (instead of moving gsc now and moving this PR as well).
Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile, line 5 at r1 (raw file):
# STEP 1: Prepare Server certificate
# 1.1 Create server certificate signed by your trusted root CA. Ensure Common Name
# field in the server certificate corresponds to <AKS-DNS-NAME> used in STEP 5.
Please replace all tabs with spaces.
Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile, line 9 at r1 (raw file):
# graphene/Examples/ra-tls-secret-prov/certs directory with existing naming convention.
# 1.3 Provide password for your server key to mbedtls_pk_parse_keyfile(,,pwd) API call,
# available at graphene/Pal/src/host/Linux-SGX/tools/ra-tls/tools/secret_prov_verify.c.
You're talking about this line: https://github.com/oscarlab/graphene/blob/e921589b871fe31a536dc19b37106b0cf9008938/Pal/src/host/Linux-SGX/tools/ra-tls/secret_prov_verify.c#L184
But this is wrong. A user must modify Graphene source code and rebuild it just to use AKS? We cannot advise users doing this, we need to fix it ourselves.
So, why is this "password for your server key" required at all? Can one create certificates + key in AKS without this password protection?
If not, then we need to change our Graphene source code such that mbedtls_pk_parse_keyfile() may optionally get the password from an environment variable or something. In general, I find this whole password protection very surprising.
Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile, line 27 at r1 (raw file):
# Reference deployment file: graphene/Tools/gsc/images/aks-server-deployment.yaml
#
# NOTE: Server can be deployed at non-confidential compute node as well. However, in that
in that case
Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile, line 38 at r1 (raw file):
libcurl3-gnutls \
gnupg2 \
libcurl4-openssl-dev
Could you sort alphabetically these dependencies?
Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile, line 43 at r1 (raw file):
RUN wget https://github.com/microsoft/Azure-DCAP-Client/releases/download/1.8/az-dcap-client_1.8_amd64_18.04.deb \
    && chmod u+x az-dcap-client_1.8_amd64_18.04.deb \
Why do you need this? I thought there is no need in "execute" permission.
Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile, line 93 at r1 (raw file):
ENV PATH = "${PATH}:/graphene/Examples/ra-tls-secret-prov"
ENTRYPOINT ["/graphene/Examples/ra-tls-secret-prov/secret_prov_server_dcap","&"]
Why do you want to run it in background mode (&)? Why not just normal foreground mode?
Tools/gsc/images/aks-server-deployment.yaml, line 35 at r1 (raw file):
  - port: 4433
  selector:
    app: ra-tls-secret-prov-server
So the server doesn't need access to aesmd service?
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 1 at r1 (raw file):
This guide demonstrates how Graphene DCAP attestation quote can be verified inside AKS cluster.
Could you explain a bit more? Why do we want to do such deployment?
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 1 at r1 (raw file):
This guide demonstrates how Graphene DCAP attestation quote can be verified inside AKS cluster.
This whole file is unreadable after RST rendering: https://github.com/veenasai2/graphene/blob/veenasai/graphene-attestation-inside-AKS/Tools/gsc/images/graphene_attestation_inside_aks_readme.rst
Please fix. Or switch to Markdown (MD) syntax if RST is too complicated.
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 6 at r1 (raw file):
Create client and server images for graphene attestation samples
================================================================
This demonstration is created for graphene/Examples/ra-tls-secret-prov sample.
Please add double-backticks around the sample name.
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 17 at r1 (raw file):
# STEP 1: Prepare client to connect with remote ra-tls-secret-prov server hosted inside AKS cluster
# 1.1 Provide server dns name <AKS-DNS-NAME> to secret_provision_start() API call,
# available at graphene/Examples/ra-tls-secret-prov/src/secret_prov_client.c.
I don't like that the user must modify the example manually. I would prefer to change our Secret Prov Client example such that it takes these values from an environment variable.
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 36 at r1 (raw file):
Deploy both client and server images inside AKS confidential compute cluster
============================================================================
**Prerequisites:** AKS confidential compute cluster with sgxquotehelper plugin and public ip address.
Please remove this comment because you describe it anyhow below.
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 39 at r1 (raw file):
AKS confidential compute cluster can be created using the following link: https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-aks-get-started .
Please remove the dot ( .) at the end, looks weird.
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 41 at r1 (raw file):
https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-aks-get-started .
Graphene performs out-proc mode DCAP quote generation. Out-proc mode quote generation requires aesmd
It is typically called out-of-proc ("out of process"), not out-proc. Please fix everywhere.
veenasai2
left a comment
Reviewable status: 3 of 4 files reviewed, 14 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @dimakuv and @veenasai2)
Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile, line 5 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Please replace all tabs with spaces.
sure. Thanks.
Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile, line 9 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
You're talking about this line: https://github.com/oscarlab/graphene/blob/e921589b871fe31a536dc19b37106b0cf9008938/Pal/src/host/Linux-SGX/tools/ra-tls/secret_prov_verify.c#L184
But this is wrong. A user must modify Graphene source code and rebuild it just to use AKS? We cannot advise users doing this, we need to fix it ourselves.
So, why is this "password for your server key" required at all? Can one create certificates + key in AKS without this password protection?
If not, then we need to change our Graphene source code such that mbedtls_pk_parse_keyfile() may optionally get the password from an environment variable or something. In general, I find this whole password protection very surprising.
Keys for the server can be generated with pass phrase or without pass phrase. So, we can keep the code as is. I removed the step 1.3.
Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile, line 27 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
in that case
done, thanks.
Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile, line 38 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Could you sort alphabetically these dependencies?
done, thanks.
Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile, line 43 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Why do you need this? I thought there is no need in "execute" permission.
Removed execute permission. Thanks.
Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile, line 93 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Why do you want to run it in background mode (&)? Why not just normal foreground mode?
I was following the existing convention described at https://github.com/oscarlab/graphene/blob/master/Examples/ra-tls-secret-prov/README.md#L90. But, of course we can use the foreground mode too. Thanks.
veenasai2
left a comment
Reviewable status: 3 of 4 files reviewed, 14 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @dimakuv)
a discussion (no related file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
@veenasai2 For future: please always reply using Reviewable, not GitHub itself. Otherwise your comment just "hangs" in the wrong place when opening Reviewable.
Anyway, we agreed to review and merge this PR now, because this will get split into a new gsc repository soon. So it's better to merge this code into GSC now and then move everything in one go (instead of moving gsc now and moving this PR as well).
Ok, thanks.
Tools/gsc/images/aks-server-deployment.yaml, line 35 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
So the server doesn't need access to aesmd service?
The out-of-proc mode quote generation APIs are relying upon aesmd service for quote generation. Quote verification (at server side) does not require access to aesmd.
Both quote generation and quote verification libraries communicate with the Quote Provider Library (QPL). Azure implemented their own version of QPL (aka az-dcap-client). Az-dcap-client will talk to a caching server for fetching the platform collateral.
QuoteGen API -> Aesmd Funs() -> QPL (here az-dcap-client) --> Caching Server --> Intel PCS.
QuoteVer API -> QPL (here az-dcap-client) --> Caching Server --> Intel PCS
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 1 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
This whole file is unreadable after RST rendering: https://github.com/veenasai2/graphene/blob/veenasai/graphene-attestation-inside-AKS/Tools/gsc/images/graphene_attestation_inside_aks_readme.rst
Please fix. Or switch to Markdown (MD) syntax if RST is too complicated.
Sure, thanks.
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 1 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Could you explain a bit more? Why do we want to do such deployment?
Sure, thanks.
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 6 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Please add double-backticks around the sample name.
Sure, thanks
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 17 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
I don't like that the user must modify the example manually. I would prefer to change our Secret Prov Client example such that it takes these values from an environment variable.
Currently we have hardcoded server dns name inside secret_prov_client.c, I was following the same format. For secret_prov_min_client and secret_prov_pf_client we are providing the dns name using loader.env.SECRET_PROVISION_SERVERS inside manifest file.
I can provide the dns name either at build time using one env variable or can put as part of manifest file just like the other two client implementations. Which one would you like to suggest?
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 36 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Please remove this comment because you describe it anyhow below.
Sure, thanks.
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 39 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
Please remove the dot ( .) at the end, looks weird.
Sure, thanks.
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 41 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
It is typically called out-of-proc ("out of process"), not out-proc. Please fix everywhere.
Sure, thanks.
dimakuv
left a comment
Reviewed 1 of 1 files at r2.
Reviewable status: all files reviewed, 7 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @dimakuv and @veenasai2)
Tools/gsc/images/aks-server-deployment.yaml, line 35 at r1 (raw file):
Previously, veenasai2 wrote…
The out-of-proc mode quote generation APIs are relying upon aesmd service for quote generation. Quote verification (at server side) does not require access to aesmd.
Both quote generation and quote verification libraries communicate with the Quote Provider Library (QPL). Azure implemented their own version of QPL (aka az-dcap-client). Az-dcap-client will talk to a caching server for fetching the platform collateral.
QuoteGen API -> Aesmd Funs() -> QPL (here az-dcap-client) --> Caching Server --> Intel PCS.
QuoteVer API -> QPL (here az-dcap-client) --> Caching Server --> Intel PCS
Thanks for the great explanation!
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 17 at r1 (raw file):
Previously, veenasai2 wrote…
Currently we have hardcoded server dns name inside secret_prov_client.c, I was following the same format. For secret_prov_min_client and secret_prov_pf_client we are providing the dns name using loader.env.SECRET_PROVISION_SERVERS inside manifest file.
I can provide the dns name either at build time using one env variable or can put as part of manifest file just like the other two client implementations. Which one would you like to suggest?
I suggest to do like the other two client implementations.
veenasai2
left a comment
Reviewable status: all files reviewed, 7 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @dimakuv)
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 17 at r1 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
I suggest to do like the other two client implementations.
Sure, thanks.
aneessahib
left a comment
Reviewable status: all files reviewed, 7 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @dimakuv)
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 1 at r1 (raw file):
Previously, veenasai2 wrote…
Sure, thanks.
This PR provides an end to end example to help CSPs integrate graphene’s RA TLS attestation and secret provisioning feature with a confidential compute cluster managed by the Azure Kubernetes Service. The PR provides the necessary reference wrappers that will enable graphene to use the AKS components such as the AESMD and quote provider libraries. A microservice deployment is also provided for the RA-TLS verifier module that can be readily deployed to the AKS cluster.
aneessahib
left a comment
Reviewable status: 4 of 6 files reviewed, 10 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @dimakuv and @veenasai2)
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 1 at r1 (raw file):
Previously, aneessahib wrote…
This PR provides an end to end example to help CSPs integrate graphene’s RA TLS attestation and secret provisioning feature with a confidential compute cluster managed by the Azure Kubernetes Service. The PR provides the necessary reference wrappers that will enable graphene to use the AKS components such as the AESMD and quote provider libraries. A microservice deployment is also provided for the RA-TLS verifier module that can be readily deployed to the AKS cluster.
More changes -
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 56 at r3 (raw file):
Azure-internal caching service https://global.acccache.azure.net/sgx/certificates/. The aks-server-deployment.yaml is utilizing az-dcap-client library instead of libsgx-dcap-default-qpl.
In the ra-tls-secret-prov example, the client will generate out-of-proc mode sgx quote that will be embedded inside RA-TLS certificate. On receiving the quote, the server will internally verify it using libsgx-dcap-quote-verify library via az-dcap-client library. Here, aks-server-deployment.yaml will deploy a ra-tls-secret-prov server container inside AKS cluster.
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 65 at r3 (raw file):
Once the server container is in running state,
$ kubectl apply -f aks-client-deployment.yaml
At this stage, a successful RA-TLS verification would be completed, and the secrets have been provisioned from the server to the client container
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 67 at r3 (raw file):
Ensure the quote generation and verification is successful inside AKS cluster
=============================================================================
Ensure both quote generation and verification are successful inside AKS cluster -> Steps to verify successful quote generation and quote verification using logs
veenasai2
left a comment
Reviewable status: 3 of 8 files reviewed, 10 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @aneessahib and @dimakuv)
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 1 at r1 (raw file):
Previously, aneessahib wrote…
More changes -
Sure, thanks.
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 56 at r3 (raw file):
Previously, aneessahib wrote…
In the ra-tls-secret-prov example, the client will generate out-of-proc mode sgx quote that will be embedded inside RA-TLS certificate. On receiving the quote, the server will internally verify it using libsgx-dcap-quote-verify library via az-dcap-client library. Here, aks-server-deployment.yaml will deploy a ra-tls-secret-prov server container inside AKS cluster.
done, thanks.
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 65 at r3 (raw file):
Previously, aneessahib wrote…
At this stage, a successful RA-TLS verification would be completed, and the secrets have been provisioned from the server to the client container
done, thanks.
Tools/gsc/images/graphene_attestation_inside_aks_readme.rst, line 67 at r3 (raw file):
Previously, aneessahib wrote…
Ensure both quote generation and verification are successful inside AKS cluster -> Steps to verify successful quote generation and quote verification using logs
done, thanks.
aneessahib
left a comment
Reviewable status: 3 of 8 files reviewed, 11 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @aneessahib, @dimakuv, and @veenasai2)
Tools/gsc/images/graphene_attestation_inside_aks_readme.md, line 3 at r4 (raw file):
# Graphene Attestation Inside AKS cluster
This guide demonstrates how Graphene DCAP attestation quote can be verified inside AKS cluster.
can be generated and verified from within an AKS cluster.
veenasai2
left a comment
Reviewable status: 3 of 8 files reviewed, 11 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @aneessahib and @dimakuv)
Tools/gsc/images/graphene_attestation_inside_aks_readme.md, line 3 at r4 (raw file):
Previously, aneessahib wrote…
can be generated and verified from within an AKS cluster.
Done, thanks.
@veenasai2 let's enhance this example to reflect a prod scenario where a simple main program is started after a successful attestation. The attestation code first runs in this case, and loads the application code after the RA-TLS and platform attestation has passed.
veenasai2
left a comment
ok, sure. Thanks.
Reviewable status: 3 of 8 files reviewed, 11 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @aneessahib and @dimakuv)
aneessahib
left a comment
Reviewable status: 3 of 8 files reviewed, 12 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @aneessahib, @dimakuv, and @veenasai2)
Tools/gsc/images/graphene_attestation_inside_aks_readme.md, line 4 at r5 (raw file):
This guide demonstrates how Graphene DCAP attestation quote can be generated and verified from within an AKS cluster. Here, we provide an end to end example to help CSPs integrate graphene’s
expand CSP to Cloud Solution Providers
aneessahib
left a comment
Reviewable status: 3 of 8 files reviewed, 13 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @aneessahib, @dimakuv, and @veenasai2)
Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile, line 9 at r5 (raw file):
# graphene/Examples/ra-tls-secret-prov/certs directory with existing naming convention.
#
# STEP 2: Make sure RA-TLS DCAP libraries are built in Graphene via:
Just say RA-TLS libraries. Do mention that this example demonstrates the DCAP attestation flow in the beginning.
dimakuv
left a comment
Reviewable status: 3 of 8 files reviewed, 17 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @aneessahib, @dimakuv, and @veenasai2)
a discussion (no related file):
@mkow We were asked to have this PR in GSC as part of the Gramine release. Could we expedite this PR?
Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile, line 61 at r5 (raw file):
    && mkdir -p /graphene/Pal/src/host/Linux-SGX/tools/common \
    && mkdir -p /graphene/Pal/src/host/Linux-SGX/tools/ra-tls \
    && mkdir -p /graphene/Examples/ra-tls-secret-prov
This kind of stuff shouldn't be needed any more because we recently merged the PR in Gramine that adds all these RA-TLS / Secret Prov libraries. So no need to copy all these directories and files.
This comment concerns everything in this PR -- please remove all the redundant copies of files.
Tools/gsc/images/graphene_attestation_inside_aks_readme.md, line 1 at r5 (raw file):
# Graphene Attestation Inside AKS cluster
All Graphene should be renamed to Gramine in documentation
Tools/gsc/images/graphene_attestation_inside_aks_readme.md, line 22 at r5 (raw file):
- Steps to create ra-tls-secret-prov-client gsc image for AKS: ```sh
This looks ugly. Please just use the nested lists in Markdown instead of this code-like listing.
veenasai2
left a comment
Reviewable status: 3 of 8 files reviewed, 17 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @aneessahib, @dimakuv, and @veenasai2)
Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile, line 9 at r5 (raw file):
Previously, aneessahib wrote…
Just say RA-TLS libraries. Do mention that this example demonstrates the DCAP attestation flow in the beginning.
Sure, thanks.
Tools/gsc/images/aks-ra-tls-secret-prov-server.dockerfile, line 61 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
This kind of stuff shouldn't be needed any more because we recently merged the PR in Gramine that adds all these RA-TLS / Secret Prov libraries. So no need to copy all these directories and files.
This comment concerns everything in this PR -- please remove all the redundant copies of files.
sure, thanks.
Tools/gsc/images/graphene_attestation_inside_aks_readme.md, line 1 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
All Graphene should be renamed to Gramine in documentation
https://github.com/gramineproject/gsc/pull/11/files. Here, I put Gramine only. Looks like this reviewable is still referring to old files.
Tools/gsc/images/graphene_attestation_inside_aks_readme.md, line 4 at r5 (raw file):
Previously, aneessahib wrote…
expand CSP to Cloud Solution Providers
Done, thanks
Tools/gsc/images/graphene_attestation_inside_aks_readme.md, line 22 at r5 (raw file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
This looks ugly. Please just use the nested lists in Markdown instead of this code-like listing.
sure, thanks.
veenasai2
left a comment
Reviewable status: 3 of 8 files reviewed, 17 unresolved discussions, not enough approvals from maintainers (2 more required), not enough approvals from different teams (2 more required, approved so far: ) (waiting on @aneessahib, @dimakuv, and @mkow)
a discussion (no related file):
Previously, dimakuv (Dmitrii Kuvaiskii) wrote…
@mkow We were asked to have this PR in GSC as part of the Gramine release. Could we expedite this PR?
The new PR is at gsc repo with the reviewable link: https://reviewable.io/reviews/gramineproject/gsc/11 and PR link: gramineproject/gsc#11 . The updated files are present at the new link. Thanks.
This PR was transferred to gramineproject/gsc#11. Closing here.
Signed-off-by: Veena Saini [email protected]
Description of the changes
This PR provides a reference implementation to show how graphene attestation (DCAP) samples work inside an AKS cluster. We have created two docker images for the ra-tls-secret-prov server and the ra-tls-secret-prov client. Both images are deployed as part of an AKS confidential compute cluster, and both quote generation and quote verification are successful inside the AKS cluster.
For ra-tls-secret-prov client we have Tools/gsc/images/aks-client-deployment.yaml and for server Tools/gsc/images/aks-server-deployment.yaml file.
For more details, we have created a readme file.
How to test this PR?
Please follow Tools/gsc/images/graphene_attestation_inside_aks_readme.rst.