ietf-teep / teep-in-cc


security of confidential container should be clarified #2

Open PenglinYang opened 1 year ago

PenglinYang commented 1 year ago

The CCC common-terminology defined the confidential container as in the below. This means the container process is protected by CC, and other components like runc, container-shim don't have to be protected by CC. And if a SEV-SNP CPU runs a container in a VM, then in that VM there cannot be other untrusted components like another container, unless these two containers trust each other.

confidential container: the entrypoint process of an Open Container Initiative (OCI)-compliant container image launched by an OCI container runtime such that the process is executed inside a hardware-based TEE, and it is protected from other confidential containers and any hosting environment in the TEE.