From a3ac6c40067a511f447ca06c7dd19a524a791561 Mon Sep 17 00:00:00 2001 From: Sebastian Date: Mon, 19 Dec 2022 14:02:57 +0100 Subject: [PATCH] Update README.md --- README.md | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 88b70b66b..5f165f2e2 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,6 @@ -# PortainerCC +# Portainer.cc - Building and Deploying Runtime Encrypted Workloads leveraging Confidential Compute + +![](https://github.com/enclaive/portainerCC/blob/develop/wip-screens.gif) ## Table of Contents 
@@ -12,34 +14,35 @@ ## About The Project -Especially in view of the ever increasing shift of applications to the cloud, the question is becoming more and more important whether the cloud environment used, over which the end user has only limited control, can be trusted. Confidential computing is one approach to solving this problem. Confidential computing makes it possible to encrypt data during processing in such a way that only the CPU has access to it. This makes it possible to protect data processed in the cloud against access by the cloud provider or other users of the cloud. +In view of the ever increasing shift of applications to the cloud, new mechanisms need to be developed to protect the workload. In the cloud, physical resources are no more isolated from the Internet. In a cloud native world comprising virtual machines, kubernetes clusters and serverless functions, physical resources are shared. Moreover, the resources are maintained by a third party known as the cloud provider. For decades it is well known that the application isolation provided by hypervisors and operating systems is weak. A vast amount of exploits have been demonstrated how to escapte the present security and trust model. -PortainerCC is based on [Portainer.io Community Edition](https://github.com/portainer/portainer) and extends Portainer with confidential computing capabilities to make it easy to run application-containers confidentially in the cloud. PortainerCC builds upon [Gramine OS](https://github.com/gramineproject/gramine) and [Marblerun](https://github.com/edgelesssys/marblerun) to run and remotely attest containerized Gramine-applications. +Confidential Computing, for short CC, is a new, promising technology addressing the problem. CC makes it for the very first time practically possible to encrypt data during runtime in such a way that only the CPU has access to it. 
This makes it possible to protect application code and data in the light of vertical and horizontal exploits. -## Features +Portainer.cc is a project extending the promiment community tool [Portainer.io](https://github.com/portainer/portainer) with confidential computing capabilities. to make it easy to run application-containers confidentially in the cloud. PortainerCC builds upon [Gramine OS](https://github.com/gramineproject/gramine) and [Marblerun](https://github.com/edgelesssys/marblerun) to run and remotely attest containerized Gramine-applications. -In its current state, PortainerCC offers these features: +## Features (v.0.1.0-beta) -- Creating and storing Intel SGX Signing Keys -- Building and deploying a Remote Attestation System based on [Edgeless Systems Marblerun](https://github.com/edgelesssys/marblerun) -- Deploying a MariaDB instance running on [Gramine](https://github.com/gramineproject/gramine) that gets remote attested and receives login credentials via Secret Provisioning +Portainer.cc offers these features: -![](https://github.com/enclaive/portainerCC/blob/develop/wip-screens.gif) +- Build and deploy any application in an Intel SGX enclave supporting Gramine libOS [Gramine](https://github.com/gramineproject/gramine) +- Key managmement for container authentication and file/volume encryption +- Authenticated container provisioning of secrets, environment variables, files and keys supporting [Marblerun](https://github.com/edgelesssys/marblerun) +- Example template to build, deploy and securely provision MariaDB ## Getting Started ### Prerequisites -For PortainerCC to work, you need to make sure that all environments you want to use are Intel SGX compatible and can use Intel SGX Datacenter Attestation Primitives for Remote Attestation and meet these requirements: +For Portainer.cc to work, you need to make sure that all environments you want to use are Intel SGX compatible and can use Intel SGX Datacenter Attestation Primitives for Remote 
Attestation and meet these requirements: - [Intel SGX and DCAP](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_SW_Installation_Guide_for_Linux.pdf) are installed - A [Provisioning Certificate Caching Service](https://docs.edgeless.systems/ego/reference/attest#set-up-the-pccs) is up and running -### Install PortainerCC +### Install Portainer.cc -To install PortainerCC, run the following command: +To install Portainer.cc, run the following command: ``` docker run -d -p 8000:8000 -p 9443:9443 --name portainercc --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data sgxdcaprastuff/portainercc
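Review bot: in the first hunk the added screenshot line `![](https://github.com/enclaive/portainerCC/blob/develop/wip-screens.gif)` has an empty alt text and points at the moving `develop` branch, so the README of a tagged release will show whatever that branch currently holds. Give the image a short alt text ("Portainer.cc demo: building and deploying an SGX workload") and reference the file by a relative path or a commit-pinned URL so the v0.1.0-beta README stays reproducible.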
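Review bot: the second hunk introduces several typos and a stray sentence break in the new About text that should be fixed before merge: "escapte" (escape), "promiment" (prominent), "managmement" (management), "no more isolated" (no longer isolated), and "capabilities. to make it easy" (drop the period). The feature bullet "supporting Gramine libOS [Gramine](...)" names Gramine twice, and the naming is still inconsistent within the same paragraph ("Portainer.cc is a project ..." followed by "PortainerCC builds upon ..."); the project was renamed everywhere else in this patch, so the remaining "PortainerCC" should follow. Two claims in the added paragraph also read as unsupported absolutes for a README ("For decades it is well known that the application isolation provided by hypervisors and operating systems is weak" and "CC makes it for the very first time practically possible"); either cite a reference or soften the wording, since the trust argument for runtime encryption stands on its own without them.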