confidential-containers / trustee

Attestation and Secret Delivery Components
Apache License 2.0

Which module initiates the RA request? #484

Open ccxiaop opened 1 month ago

ccxiaop commented 1 month ago

kata-agent starts the aa process, but the get_evidence and get_token interfaces are not invoked in the aa process. Which module initiates the RA request?

Xynnn007 commented 1 month ago

It is CDH. When a confidential resource is to be retrieved from CDH via the get_resource API, CDH calls AA's API to get an attestation token. AA then connects to KBS to perform the RCAR handshake and get a token. AA then returns the token to CDH. CDH then uses this token to retrieve the resource from KBS.

Xynnn007 commented 1 month ago

A typical caller of get_resource is image-rs. Try searching for this keyword in image-rs's code. Image decryption keys, image policies, and registry credential auth files are all resources.
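The CDH -> AA -> KBS flow described in the answers above, as an added toy simulation that is not part of this thread or of the Trustee code base. Names, the token format, the measurement value and the signing key are all constructed stand-ins; only the call order (CDH.get_resource asks AA for a token, AA runs the RCAR Request/Challenge/Attestation/Response exchange with KBS, CDH presents the token to KBS) follows the thread.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the KBS token-signing key (the real KBS issues signed JWTs).
KBS_SIGNING_KEY = b"constructed-kbs-signing-key"
GOOD_MEASUREMENT = "constructed-good-measurement"  # the only value the toy policy accepts

class KBS:
    """Toy Key Broker Service: Challenge, evidence check, token, resource."""
    def __init__(self):
        self.pending = {}  # session id -> nonce awaiting the Attestation message
        self.resources = {"default/key/image-decrypt": b"constructed-image-key"}
    def auth(self, request):  # RCAR: Request -> Challenge
        sid, nonce = os.urandom(8).hex(), os.urandom(16).hex()
        self.pending[sid] = nonce
        return sid, {"nonce": nonce}
    def attest(self, sid, attestation):  # RCAR: Attestation -> Response (token)
        nonce = self.pending.pop(sid, None)  # one-shot, so a session cannot be replayed
        evidence = attestation["evidence"]
        if nonce is None or evidence.get("nonce") != nonce:
            raise PermissionError("nonce mismatch or replayed session")
        if evidence.get("measurement") != GOOD_MEASUREMENT:
            raise PermissionError("evidence rejected by policy")
        body = f"{attestation['tee']}:{sid}"  # toy token body, not a real JWT
        sig = hmac.new(KBS_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"
    def get_resource(self, token, path):  # token-gated resource fetch
        body, _, sig = token.rpartition(".")
        expected = hmac.new(KBS_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("invalid token")
        return self.resources[path]

class AttestationAgent:
    """Toy AA: runs the RCAR handshake and hands the token back to its caller."""
    def __init__(self, kbs, measurement):
        self.kbs, self.measurement = kbs, measurement
    def get_token(self):
        sid, challenge = self.kbs.auth({"version": "0.1.0", "tee": "sample"})
        evidence = {"nonce": challenge["nonce"], "measurement": self.measurement}
        return self.kbs.attest(sid, {"tee": "sample", "evidence": evidence})

class CDH:
    """Toy CDH: get_resource obtains a token from AA, then fetches from KBS."""
    def __init__(self, aa, kbs):
        self.aa, self.kbs = aa, kbs
    def get_resource(self, path):
        return self.kbs.get_resource(self.aa.get_token(), path)
```

A caller such as image-rs would only ever see CDH.get_resource; the nonce check and the policy check in the toy KBS show why a resource cannot be fetched without a fresh, policy-passing attestation.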