Trusted Certificate Service (TCS) is a K8s service to protect signing keys using Intel's SGX technology. K8s CSR and cert-manager CR APIs are both supported. TCS also contains integration samples for Istio service mesh and Key Management Reference Application (KMRA).
Modified the Dockerfile to do 2-step signing. In the first step it
generates the enclave signing material file, which is supposed to be
signed by the external signing tool
(enclave-config/sign-enclave.sh). The resulting signed file is passed to
sgx_sign to generate the final signed enclave.
The integration point for the external signing tools is the
sign-enclave.sh script defined under enclave-config. One has to
replace this with a suitable tool for signing while building the
docker image.
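The two-step flow described above, as an added illustration that is not the project's own sign-enclave.sh: a shell stand-in for the external signing tool that signs the `sgx_sign gendata` material with an openssl-held key and verifies the signature before handing it to `sgx_sign catsig`. The openssl-backed demo key, the file names and the RUN_SIGN guard are assumptions; the sgx_sign command lines follow the Intel SGX SDK's documented two-step signing.

```shell
#!/bin/sh
# Illustrative replacement for enclave-config/sign-enclave.sh (assumed
# layout, not the project's script): signs the material produced by
# `sgx_sign gendata` with an external key, then hands the signature to
# `sgx_sign catsig`. SGX enclave signing keys are RSA-3072, exponent 3.
set -eu

# Demo-only key generation. In a real deployment the private key never
# leaves the HSM or signing service; only the signature comes back.
gen_demo_key() {  # $1 = private key path, $2 = public key path
    openssl genpkey -algorithm RSA -out "$1" \
        -pkeyopt rsa_keygen_bits:3072 -pkeyopt rsa_keygen_pubexp:3 2>/dev/null
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# Step 2 of the flow: sign the gendata output. sgx_sign expects an RSA
# SHA-256 signature with PKCS#1 v1.5 padding, which is openssl's default.
sign_material() {  # $1 = material file, $2 = private key, $3 = signature out
    openssl dgst -sha256 -sign "$2" -out "$3" "$1"
}

# Check the signature against the public key before it goes back to
# sgx_sign, so a bad signing-service response fails here, not at catsig.
verify_material() {  # $1 = material file, $2 = public key, $3 = signature
    openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1
}

# Full pipeline around an unsigned enclave. Needs the SGX SDK's sgx_sign on
# PATH, so it only runs when RUN_SIGN is set (see the guard at the bottom).
two_step_sign() {  # $1 enclave.so $2 config.xml $3 priv $4 pub $5 signed out
    sgx_sign gendata -enclave "$1" -config "$2" -out enclave_hash.hex
    sign_material enclave_hash.hex "$3" enclave.sig
    verify_material enclave_hash.hex "$4" enclave.sig
    sgx_sign catsig -enclave "$1" -config "$2" -out "$5" \
        -key "$4" -sig enclave.sig -unsigned enclave_hash.hex
}

if [ -n "${RUN_SIGN:-}" ]; then
    two_step_sign "$@"
fi
```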