Remote Attestation EAA: The Final Link for Secure Deployment of Confidential Containers

We'll discuss how the Enclave Attestation Architecture (EAA) can help overcome the challenges of securely deploying confidential containers in cloud environments.

By Liang Zhou, a core member of cloud-native Confidential Computing SIG.


In a cloud-native deployment, confidential container technologies such as Inclavare Containers and Confidential Containers, which are based on HW-TEEs (such as Intel SGX, Intel TDX, and AMD SEV), can provide confidentiality and integrity protection for sensitive data in use.

However, in a cloud environment, the following problems still exist:

  • How can we prove that the user's confidential container does indeed run in a real HW-TEE environment on the cloud?
  • How can we prove that the container's contents running in the cloud HW-TEE environment are as expected and have not been tampered with during deployment?
  • If an encrypted container in the cloud HW-TEE environment needs to be launched, how can we obtain the decryption key of the container image during the startup process?

Inclavare Containers is now one of the projects of the OpenAnolis Community cloud-native Confidential Computing SIG. Its Enclave Attestation Architecture (EAA) component was created to solve these complex problems. The design goal is to solve the above problems while providing a universal remote attestation architecture that supports different types of confidential containers and HW-TEE environments.

EAA Design

RATS Reference Architecture

The Confidential Computing Consortium defines the RATS reference architecture and recommends that all remote attestation services should follow it. The following is the RATS architecture:


EAA Architecture

Therefore, the architecture design of EAA also follows the RATS reference architecture:


Main Components and Functions

  • Attestation-Agent (Attester): The component that runs inside the HW-TEE. Its function is to obtain the Evidence (HW-TEE signed measurement information of the running programs).
  • Chip Manufacturer Specific Attestation Service (Endorser): A service that runs in a public network and is provided by the chip manufacturer. Its function is to verify the signature of the Evidence to determine that the measurement information is generated by the real HW-TEE.
  • Verdict & Reproducible Build Infrastructure (Reference Value Provider): A service that runs in a user-trusted environment. Its function is to generate a reference value of the running program's measurement in the HW-TEE to determine that the running program's content in the HW-TEE environment is as expected.
  • Verdictd (Relying Party + Relying Party Owner + Verifier Owner): A service that runs in a user-trusted environment. Its responsibility is to call the Chip Manufacturer Specific Attestation Service and the Verdict & Reproducible Build Infrastructure to verify the received Evidence's signature and evaluate its content, completing the entire remote attestation process.
  • KMS: A key management service that runs in a user-trusted environment or on a public network and focuses on key management.

How EAA Works

1.  When remote attestation is required, the Attestation-Agent running in the cloud HW-TEE environment obtains the Evidence of the current HW-TEE running environment and sends it to the Verdictd service for relevant validation.

2.  When Verdictd receives the Evidence, it invokes the Chip Manufacturer Specific Attestation Service to verify its signature, which confirms the identity of the HW-TEE that generated the Evidence. The purpose is to prevent hackers from forging a TEE environment to win users' trust.

3.  After the signature of the Evidence is verified, Verdictd checks the specific measurement information. The purpose is to determine that the running program's content in the cloud HW-TEE environment is as expected and has not been tampered with.

4.  If the above checks are successful, the remote attestation process is finished. The user can be sure that the HW-TEE environment on the cloud is a real one and that the program's content running in the HW-TEE environment meets the following requirements:

  • It is a program deployed by users themselves, and the program has not been tampered with by hackers.
  • It is a trusted program deployed by a third party as expected. For example, these programs have been code reviewed and determined to be free of vulnerabilities.

5.  A secure and trusted channel can be established between the Attestation-Agent and Verdictd after the attestation process has passed. The Attestation-Agent can then send requests to Verdictd to obtain sensitive data, such as the decryption key for the encrypted container images.
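The gating logic of steps 2 to 5, as an added Python example that is not code from EAA or Verdictd. The function names, the HMAC that stands in for the HW-TEE's quote signature and the vendor verification service, and the dictionary that stands in for the KMS are all assumptions made for illustration; the secure channel itself is omitted.

```python
import hashlib
import hmac
import json

# Constructed stand-ins. Real Evidence is a quote signed by the HW-TEE and checked
# through the chip manufacturer's attestation service; an HMAC key simulates that here.
HW_TEE_KEY = b"constructed-hw-tee-signing-key"
KMS_KEYS = {"demo-image": b"constructed-image-decryption-key"}  # KMS stand-in


def measure(program: bytes) -> str:
    """Measurement of a program: here simply its SHA-256 digest."""
    return hashlib.sha256(program).hexdigest()


def sign(claims: dict, key: bytes) -> str:
    """Simulated HW-TEE signature over the canonical JSON form of the claims."""
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_evidence(program: bytes, key: bytes = HW_TEE_KEY) -> dict:
    """Step 1, agent side: the measurement, signed by the (simulated) HW-TEE."""
    claims = {"measurement": measure(program)}
    return {"claims": claims, "signature": sign(claims, key)}


def verify_and_release(evidence: dict, reference_values: set, key_id: str):
    """Steps 2-5, verifier side: return (verdict, key); key is None unless all checks pass."""
    # Step 2: was the Evidence signed by a real HW-TEE?
    expected = sign(evidence["claims"], HW_TEE_KEY)
    if not hmac.compare_digest(expected, evidence.get("signature", "")):
        return "reject: signature", None
    # Step 3: does the measurement match a reference value for the expected program?
    if evidence["claims"].get("measurement") not in reference_values:
        return "reject: measurement", None
    # Step 5: only after both checks pass is the image decryption key handed out.
    return "accept", KMS_KEYS.get(key_id)


if __name__ == "__main__":
    refs = {measure(b"expected container program")}
    for label, ev in [
        ("genuine", make_evidence(b"expected container program")),
        ("tampered program", make_evidence(b"modified container program")),
        ("forged TEE", make_evidence(b"expected container program", key=b"not-the-hw-key")),
    ]:
        print(label, "->", verify_and_release(ev, refs, "demo-image"))
```

The signature check runs before the measurement check so that claims from an unauthenticated source are never evaluated, and the key lookup is reached only on the accept path.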


EAA aims to be usable in real deployments through contributions to and cooperation with the open source community. As the first Key Broker Service (KBS) to support Intel TDX remote attestation, EAA is the first KBS to support the TDX HW-TEE E2E demo for Confidential Containers, and it completed the Confidential Containers V0 milestone E2E demo.


EAA fills the last application gap for HW-TEE based confidential containers in cloud-native scenarios, and it provides the necessary foundation for secure deployment and startup of encrypted confidential containers in cloud environments.

At present, as a submodule of Inclavare Containers (a CNCF project), EAA supports the Intel SGX and Intel TDX HW-TEEs, and it also supports the Inclavare Containers and Confidential Containers projects. In the future, EAA will continue evolving to support new and different confidential container solutions and new HW-TEE environments, which will make EAA a truly universal remote attestation architecture in the confidential container field.

Related Resources

Inclavare Containers: https://github.com/alibaba/inclavare-containers
Confidential Containers: https://github.com/confidential-containers
SIG Address of OpenAnolis Community: https://openanolis.cn/sig/coco
Demo Video: https://www.youtube.com/watch?v=9Lgo9_JtUsc
