From 37ae66798b1b9fd01604180424ece157ebd6cd93 Mon Sep 17 00:00:00 2001 From: MikeCamel Date: Wed, 24 Jun 2020 14:39:02 +0100 Subject: [PATCH] Addressing points by @euno --- default-enarx-trust-process.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/default-enarx-trust-process.md b/default-enarx-trust-process.md index 15eeac9c..bd108391 100644 --- a/default-enarx-trust-process.md +++ b/default-enarx-trust-process.md @@ -121,7 +121,7 @@ The changes between state 0 and state 1 are the creation of a TEE instance and the loading of the Enarx runtime image into that instance. Note that the **Enarx host agent**, which is considered as a single component -in this document for the purposes of trust domain discusions, can be further +in this document for the purposes of trust domain discussions, can be further decomposed into the following components: - Keep manager - one per host (future trust models might allow more than one per host) @@ -136,7 +136,7 @@ decomposed into the following components: - creates a Main loop component - Main loop - one per Keep - - lifespan cotermnous with the Keep it services + - lifespan coterminous with the Keep it services - provides the syscall processing from outside the Keep The initialisation of the process is prompted by the **Orchestrator**, which @@ -324,7 +324,11 @@ image**. The **Enarx client agent** gained access to a session key as part of the state 1->2 transition. The **tenant workload image** must be encrypted -under this session key to be transmitted to the **Empty Keep**. +under this session key to be transmitted to the **Empty Keep**. (Note that +the session key is expected to be coterminous with the Keep in the default +trust model: **tenant workload images** are provided by the Orchestrator, +and while the same **tenant workload image** may be used for multiple +Keeps, each instance will be transmitted under a separate session key.) At some point in the process (undefined in this document), the **Enarx client agent** was provided with sufficient information to contact what is