Add a compatibility matrix #1259
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,122 @@ | ||
| # Compatibility Matrix | ||
|
|
||
| This document tracks compatibility between guest-components and [Trustee](https://github.com/confidential-containers/trustee) (the server-side components including KBS, Attestation Service, and RVPS). | ||
|
|
||
| ## KBS Protocol Version | ||
|
|
||
| Guest-components and Trustee communicate using the KBS (Key Broker Service) protocol. Both sides must use compatible protocol versions. | ||
|
|
||
| | Protocol Version | Status | Notes | | ||
| |------------------|------------|--------------------------------------------| | ||
| | v0.4.0 | Current | Used in CoCo v0.15.0+ | | ||
| | v0.3.0 | Deprecated | Legacy, not recommended | | ||
|
|
||
| ## Release Compatibility | ||
|
|
||
| The following table shows tested version combinations. Versions are coordinated through [CoCo umbrella releases](https://github.com/confidential-containers/confidential-containers/tree/main/releases). | ||
|
|
||
| | CoCo Release | guest-components | Trustee | KBS Protocol | Release Date | | ||
| |--------------|------------------|----------|--------------|--------------| | ||
| | v0.17.0 | v0.16.0 | v0.16.0 | v0.4.0 | Nov 2025 | | ||
| | v0.16.0 | v0.15.0 | v0.15.0 | v0.4.0 | Oct 2025 | | ||
| | v0.15.0 | v0.14.0 | v0.14.0 | v0.4.0 | Sep 2025 | | ||
| | v0.14.0 | v0.13.0 | v0.13.0 | v0.4.0 | May 2025 | | ||
| | v0.13.0 | v0.12.0 | v0.12.0 | v0.4.0 | Mar 2025 | | ||
|
|
||
| **Note:** Using mismatched versions may work but is not tested. For production deployments, use versions from the same CoCo release. | ||
|
Member
There was a problem hiding this comment. This will not work. There is version check logic https://github.com/confidential-containers/trustee/blob/main/kbs/src/attestation/backend.rs#L220-L227 to assert the versions are the same? |
||
|
|
||
| ## TEE Platform Support | ||
|
|
||
| ### Attestation Support Matrix | ||
|
|
||
| | TEE Platform | guest-components | Trustee | Architecture | Status | | ||
| |--------------------|------------------|----------|--------------|--------------| | ||
| | Intel TDX | v0.8.0+ | v0.8.0+ | x86_64 | Stable | | ||
| | Intel SGX | v0.7.0+ | v0.7.0+ | x86_64 | Stable | | ||
| | AMD SEV-SNP | v0.7.0+ | v0.7.0+ | x86_64 | Stable | | ||
| | AMD SEV(-ES) | v0.7.0+ | v0.7.0+ | x86_64 | Stable | | ||
|
Member
There was a problem hiding this comment. Not supported anymore, although I'm not sure if we've ripped the code out of GC yet.
Member
There was a problem hiding this comment. so add a table of retired TEEs? |
||
| | Azure TDX vTPM | v0.9.0+ | v0.9.0+ | x86_64 | Stable | | ||
| | Azure SNP vTPM | v0.9.0+ | v0.9.0+ | x86_64 | Stable | | ||
| | ARM CCA | v0.10.0+ | v0.10.0+ | aarch64 | Experimental | | ||
| | IBM Secure Exec | v0.10.0+ | v0.10.0+ | s390x | Stable | | ||
| | Hygon CSV | v0.12.0+ | v0.12.0+ | x86_64 | Experimental | | ||
|
Member
There was a problem hiding this comment. We also have |
||
| | NVIDIA GPU | v0.15.0+ | v0.15.0+ | x86_64 | Experimental | | ||
|
Member
There was a problem hiding this comment. NVIDIA should be stable now. Are we missing TPM here?
Member
Author
There was a problem hiding this comment. Yeah. |
||
|
|
||
| ### Feature Flags | ||
|
Member
There was a problem hiding this comment. This Feature Flags seems more for the guest-component's main documentation than for this compatibility document. I would drop it. |
||
|
|
||
| guest-components uses feature flags to enable TEE-specific code. The following table maps TEE platforms to the required build configuration: | ||
|
|
||
| | TEE Platform | `TEE_PLATFORM` | Attester Feature Flag | | ||
| |--------------------|----------------|-----------------------| | ||
| | Intel TDX | `tdx` | `tdx-attester` | | ||
| | Intel SGX | (manual) | `sgx-attester` | | ||
|
|
||
| | AMD SEV-SNP | `snp` | `snp-attester` | | ||
| | AMD SEV(-ES) + SNP | `amd` | `snp-attester` | | ||
| | Azure TDX vTPM | `az-tdx-vtpm` | `az-tdx-vtpm-attester`| | ||
| | Azure SNP vTPM | `az-snp-vtpm` | `az-snp-vtpm-attester`| | ||
| | Azure CVM vTPM | `az-cvm-vtpm` | Both Azure attesters | | ||
| | ARM CCA | `cca` | `cca-attester` | | ||
| | IBM Secure Exec | `se` | `se-attester` | | ||
|
|
||
| ## Component Dependencies | ||
|
Member
There was a problem hiding this comment. Likewise. That section is more like an internal implementation detail of guest-components. |
||
|
|
||
| Trustee embeds certain guest-components crates as dependencies: | ||
|
|
||
| | Trustee Component | guest-components Crate | Purpose | | ||
| |-----------------------|------------------------|----------------------------------| | ||
| | KBS | `kbs_protocol` | Protocol types and client | | ||
| | Attestation Service | `kms` | KMS provider implementations | | ||
|
|
||
| These dependencies are pinned to specific git revisions in Trustee's `Cargo.toml`. When upgrading, ensure the pinned revision is compatible with your guest-components version. | ||
|
|
||
| ## Breaking Changes | ||
|
|
||
| ### v0.15.0+ | ||
| - KBS configuration format updated | ||
| - Token validation changes | ||
|
|
||
| ### v0.10.0+ | ||
| - Added support for multiple concurrent attesters | ||
| - Changed attestation evidence format for some platforms | ||
|
|
||
| ### v0.8.0+ | ||
| - Initial stable KBS protocol v0.4.0 | ||
|
Member
There was a problem hiding this comment. This doesn't seem right. v0.4.0 would have been after multi-device attestation (v0.3.0) and init-data plaintext support (v0.4.0)
Contributor
There was a problem hiding this comment. protocol history details is in this issue confidential-containers/trustee#907 |
||
|
|
||
| ## Testing Compatibility | ||
|
|
||
| To verify compatibility between guest-components and Trustee: | ||
|
|
||
| 1. **Unit Tests**: Run component tests independently | ||
| ```shell | ||
| # In guest-components | ||
| cd attestation-agent/kbs_protocol | ||
| cargo test | ||
| ``` | ||
|
|
||
| 2. **Integration Tests**: Use the same CoCo release versions | ||
| ```shell | ||
| # Start Trustee KBS | ||
| docker run -p 8080:8080 ghcr.io/confidential-containers/staged-images/kbs:v0.16.0 | ||
|
|
||
| # Test with guest-components client | ||
| cd attestation-agent | ||
| cargo test --features kbs | ||
|
Member
There was a problem hiding this comment. Not sure if either of these tests will actually work. I think the unit test will be skipped if the version doesn't match. At least someone should try running this.
Member
There was a problem hiding this comment. I would drop that section from this doc as well. |
||
| ``` | ||
|
|
||
| 3. **End-to-End**: Deploy using CoCo operator with matched versions | ||
|
|
||
| ## Reporting Compatibility Issues | ||
|
|
||
| If you encounter compatibility issues: | ||
|
|
||
| 1. Verify you're using versions from the same CoCo release | ||
| 2. Check the [KBS protocol version](#kbs-protocol-version) matches | ||
| 3. Open an issue with: | ||
| - guest-components version/commit | ||
| - Trustee version/commit | ||
| - TEE platform | ||
| - Error messages | ||
|
|
||
| File issues at: | ||
| - guest-components: https://github.com/confidential-containers/guest-components/issues | ||
| - Trustee: https://github.com/confidential-containers/trustee/issues | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently we have no enforced schema for the evidence payload, so if some encoding changes (e.g. because of a bincode update/replacement in GC or in a dependency). a change on the payload would break Trustee interop. Until we have this, it's an aspirational goal, but we cannot really guarantee this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
see #1267 we probably want to have something similar at least for the TEEs that have some envelope over binary data.