Closed magowan closed 2 years ago
Generally unobjectionable. Tbh I think we could skip over a lot of stuff here. I'm not sure that we need to define what a trust model is, for instance. If someone reading the document really doesn't know, they can just google it. I guess it can't hurt to provide some intro, but I think the most important part of this doc so far is the Out of Scope section. That's where we introduce concrete information specific to this project.
Yes, I have scaled back the intro from the early "draft", and agree the important stuff is initially the out-of-scope for this, but the main pieces come with the detail in follow-on PRs. I am inclined to not reduce the content further, as I don't think it hurts and there may be different subtle takes on a threat model, so it can't hurt to try to clarify what we draw on for ours.
@magowan are you planning to include details about different threat actors for the CoCo scenario and also a (good-to-have) pictorial representation of the trust boundaries for the complete CoCo solution in separate PRs?
Yes, that is the goal. There is another PR up already regarding the Personas/Actors, but I will put other PRs together for other areas, and then my intention is, once we have a trust model, I can put up some threat vectors set in the context of our trust model which can highlight how we solve them with CoCo.
I think this is generally good as is. With the other sections there's going to be sort of a lot to read to get to the punch line that
1. with pod isolation we draw a box around the guest
2. with container isolation we draw a box around the process.
3. actors in the control plane may be able to break into those boxes.

(I haven't reviewed [Trust model personas confidential-containers/documentation#24](https://github.com/confidential-containers/documentation/pull/24) yet)
What do you think about an informal section in the overview to give that intuition before getting into the formalities?
I think you may be right. I guess I want to get the content in there, then we should revisit an overview or this section again to see if we can summarise some elements for "executive read" :-)
@jodh-intel Thanks for review. I think I have covered your review feedback. If you are happy with my response/changes then I think we are ready to merge. (But happy to take any other comments on board)
Add an introduction to Trust Model. Include references and links to prior art
This PR is one part of Issue confidential-containers/confidential-containers#117
Follow-on Pull Requests will include sections corresponding to orthogonal ways of considering cloud native approaches relevant to the trust model
Signed-off-by: James Magowan magowan@uk.ibm.com