
Case Study: Measured Boot and Remote Attestation in Confidential Containers

UB4.136 | Day 2 | 12:30 - 12:50 | Speakers: Magnus Kulke


Abstract

In this talk we want to present how the Confidential Containers project is using Measured Boot, vTPMs and Rego policies to provide ephemeral, integrity-protected sandboxes for containers in a Trusted Execution Environment. We'll describe the lifecycle of such a confidential cloud-native workflow, specifically the remote attestation workflows and the components that are involved. Our experience with the tools that we love (UKIs, mkosi!) and the tools that we can't get around (libtss) will be covered, along with lessons learned and remaining challenges.

Speakers

Magnus Kulke
