anjuna-gcp-cli disk

Builds a GCP Confidential VM disk from a Docker image and saves it to a file.

SYNOPSIS

anjuna-gcp-cli disk <create | upload | list | pcr> [OPTIONS]

DESCRIPTION

Creating a GCP Confidential VM requires a GCP-compatible disk image. The tool anjuna-gcp-cli disk creates and manages these disk images and supports the following subcommands for working with them:

  • create to locally build a RAW disk image

  • upload to compress and upload a disk image to GCP

  • list to list available disk images that were previously uploaded

  • pcr to calculate the expected PCR values for a disk image

CREATE

anjuna-gcp-cli disk create [OPTIONS]

OPTIONS

--docker-uri
  Docker image to be used. If the image has not been pulled, the command pulls
  it from the Docker repository (required)
--disk
  The name of the disk file to be created (default: disk.raw)
--size
  Size of the disk image (default: 10G)
--config
  Path to the configuration file for the enclave, including APM integration
--signing-key
  Path to a private RSA key to use for signing the disk image
--kernel
  Kernel image to use for booting the disk (default:
  /opt/anjuna/gcp/blob/bzImage)
--initrd
  Initrd image to use for booting the disk (default:
  /opt/anjuna/gcp/blob/initramfs.img)

The Docker container can be specified by:

  • a Docker URI to any Docker registry you have access to (Docker Hub, Google Container Registry, Artifactory Docker Registry, etc.)

  • a local URI (for example hello-world:latest)

When using a Docker Registry, you must handle the authentication to that registry before invoking the anjuna-gcp-cli disk create command.

The only required parameter is --docker-uri. The other parameters are optional and have default values.

After executing the command, a RAW disk image is created. By default, the name of the file is disk.raw (if not specified by the --disk command-line parameter).

The disk image is not compressed, and the locally created file (disk.raw by default) will be the same size as specified by the --size command-line parameter (10GB by default). The size can be specified in various units (MB/GB/TB).
The specified disk size dictates the amount of storage available when running the GCP Confidential VM. Make sure you specify a disk size that is consistent with your application's needs.

The --signing-key argument takes the path to an RSA private key used to sign the disk image. For the resulting disk image, the value of PCR16 will be derived from this signing key. The Anjuna Policy Manager can be configured to release secrets based on PCR16.

NIST recommends using at least 2048 bits for RSA keys. The following command generates a 2048-bit RSA private key using openssl and stores it in the file signingkey.priv:

$ openssl genrsa -out signingkey.priv 2048

EXAMPLE

$ anjuna-gcp-cli disk create --docker-uri=nginx:latest
$ anjuna-gcp-cli disk create --size=5GB --docker-uri=docker.io/nginx:latest
$ anjuna-gcp-cli disk create --docker-uri=nginx:latest --signing-key signingkey.priv

UPLOAD

This command uploads a local RAW disk image to the user’s default project, or to a project specified on the command line. The image is added to GCP in the default gcloud zone. The default project can be set in an environment variable (GOOGLE_DEFAULT_PROJECT).

You must be logged in to a valid GCP account before using this command. Use the gcloud auth list command to confirm that you are logged into GCP, and/or gcloud init to initialize your gcloud session.
anjuna-gcp-cli disk upload [OPTIONS]

OPTIONS

--disk
  The disk image file to be uploaded (default: disk.raw)
--bucket
  Bucket name for the Google storage (default: anjuna-sev)
--image
  Image name for the resource created on Google storage (default: anjuna-sevtest)

EXAMPLE

$ anjuna-gcp-cli disk upload --disk=nginx-disk.raw --bucket=anjuna-gcp-bucket --image=anjuna-gcp-nginx

LIST

This command lists the images previously uploaded in the default gcloud zone.

You must be logged in to a valid GCP account before using this command. Use the gcloud auth list command to confirm that you are logged into GCP, and/or gcloud init to initialize your gcloud session.
anjuna-gcp-cli disk list

EXAMPLE

$ anjuna-gcp-cli disk list

PCR

This command displays the Platform Configuration Registers (PCRs) for a disk image. The PCRs are essential data in an attestation report: they provide a cryptographic measurement of the code and data used to boot the confidential container, as well as of the signature if the image was signed.

When an Anjuna Confidential Container is started with the Anjuna CLI, the PCR values are shown in the boot log. To verify that the expected software is running, you must confirm that the PCR values in the boot log are the same as the PCR values shown by anjuna-gcp-cli disk pcr. This check can be automated using the Anjuna Policy Manager.

anjuna-gcp-cli disk pcr

EXAMPLE

$ anjuna-gcp-cli disk pcr
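The comparison described above, as an added example that is not part of the Anjuna CLI or its documentation: it parses the expected PCR values and a boot-log excerpt and reports any register that is missing or differs. The "PCR<n>: <hex>" line layouts of both inputs and all digest values are assumptions constructed for the example; adjust PCR_LINE to the real output format.

```python
import re
from typing import Dict

# Constructed sample of `anjuna-gcp-cli disk pcr` output in an ASSUMED
# "PCR<n>: <hex>" layout; the real format is not shown on this page.
EXPECTED_TEXT = """\
PCR0: 9a1d6e3f0c2b4a5877e1d3c5b6a4f2e1
PCR8: 4c0ffee1bad1dea5c0de5eed1234abcd
PCR16: 77aa11bb22cc33dd44ee55ff66778899
"""
# Constructed boot-log excerpt (assumed layout) from a VM booted off that image.
BOOT_LOG_OK = """\
[    2.104] anjuna: PCR0 = 9A1D6E3F0C2B4A5877E1D3C5B6A4F2E1
[    2.105] anjuna: PCR8 = 4C0FFEE1BAD1DEA5C0DE5EED1234ABCD
[    2.106] anjuna: PCR16 = 77AA11BB22CC33DD44EE55FF66778899
"""
# Same log with a different PCR16, as a disk signed with another key would show.
BOOT_LOG_BAD = BOOT_LOG_OK.replace("77AA11BB", "00000000")

PCR_LINE = re.compile(r"PCR\s*(\d+)\s*[:=]\s*([0-9a-fA-F]+)")

def parse_pcrs(text: str) -> Dict[int, str]:
    """Map PCR index -> lowercase hex digest for every PCR line in `text`."""
    return {int(i): h.lower() for i, h in PCR_LINE.findall(text)}

def compare_pcrs(expected: Dict[int, str], observed: Dict[int, str],
                 signed: bool) -> Dict[int, str]:
    """Return {pcr_index: problem}; an empty dict means the boot log matches.
    `signed` means the disk was built with --signing-key, so PCR16 (which the
    page says is derived from that key) must be among the expected values."""
    problems = {}
    for idx, digest in expected.items():
        if idx not in observed:
            problems[idx] = "missing"       # register never reported at boot
        elif observed[idx] != digest:
            problems[idx] = "mismatch"      # different code/data/signature
    if signed and 16 not in expected:
        problems[16] = "not measured"      # expected values lack a PCR16 line
    return problems

def verify_boot_log(expected_text: str, boot_log: str,
                    signed: bool = True) -> Dict[int, str]:
    """Parse both texts and compare them; this is the check the page requires."""
    return compare_pcrs(parse_pcrs(expected_text), parse_pcrs(boot_log), signed)

if __name__ == "__main__":
    print("good boot:", verify_boot_log(EXPECTED_TEXT, BOOT_LOG_OK) or "OK")
    print("bad boot: ", verify_boot_log(EXPECTED_TEXT, BOOT_LOG_BAD))
```

Any non-empty result means the VM should not be trusted with secrets until the difference is explained; the Anjuna Policy Manager can apply the same rule automatically.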

EXIT STATUS

The anjuna-gcp-cli disk commands return:

  • 0 on success

  • 1 on error