constellation: update document and add patch

README.md

@@ -15,9 +15,9 @@
 
 In above diagram:
 
-- **CCNP** is used to calculate the measurement for node, namespace,
+- **CIMA (Container Integrity Measurement Agent)** is used to calculate the measurement for node, namespace,
 POD and cluster level.
-- **CC Trusted API** provides unified API to tenant to access measurement, event log
+- **Evidence API** provides unified API to tenant to access measurement, event log
 and quote (report).
 
 ## 2. Confidential Cluster
@@ -32,7 +32,7 @@ and quote (report).
 | Full Disk Encryption | [Yes](https://cloud.google.com/compute/docs/disks/customer-managed-encryption) | [Yes](https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview) |
 | Key | customer-managed encryption keys (CMEK) | PMK (platform-managed key) and CMK (customer-managed key) |
 | Attestation | [Google Managed vTPM](https://cloud.google.com/confidential-computing/confidential-vm/docs/attestation) | [Microsoft Azure Attestation](https://azure.microsoft.com/en-us/products/azure-attestation/)/[Intel® Trust Authority](https://www.intel.com/content/www/us/en/security/trust-authority.html) |
-| Tutorial | [Here](https://cloud.google.com/kubernetes-engine/docs/how-to/confidential-gke-nodes#enabling_in_a_new_cluster) | [here](https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview)
+| Tutorial | [Here](https://cloud.google.com/kubernetes-engine/docs/how-to/confidential-gke-nodes#enabling_in_a_new_cluster) | [Here](https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview)
 
 ## 3. Deployment
 
@@ -41,7 +41,7 @@ There are 3 options creating a confidential cluster.
 - Create a few confidential VMs (CVMs) and deploy Kubernetes within them. The CVMs can be on local hosts if you have supported hardware. The CVMs can also be applied from CSP.
 The document [csp_cvm.md](./deployment/csp_cvm.md) shows how to apply for a TD on Google Cloud or Azure and start a Kubernetes cluster in the single confidential node.
 - Create [Confidential GKE node](https://cloud.google.com/blog/products/identity-security/announcing-general-availability-of-confidential-gke-nodes) on Google cloud.
-- Create a Constellation based confidential cluster on top of a TDX machine. Follow the steps [here](./deployment/constellation.md) to deploy the cluster.
+- Create a Constellation based confidential cluster on top of a TDX machine. Follow the steps [here](./deployment/Constellation/constellation.md) to deploy the cluster.
 
 
-Find details in [deployment guide](./deployment/Constellation/constellation.md).
+Find details in [deployment guide](./deployment/).

deployment/Constellation/constellation.md

@@ -28,15 +28,42 @@ To leverage bare metal TDX machine to build up Constellation cluster, user need
 
 ### Step 1: Clone Constellation repo and apply patches.
 
+Apply the patch to enable qemu-tdx within TDX bare-metal host using qemu.
+
+The patch focusing on enabling the qemu-tdx option within Constellation.
+
+The support for TDX attestation is done through the [go-tdx-qpl](https://github.com/Ruoyu-y/go-tdx-qpl) library which is a fork of Edgeless Sys's [go-tdx-qpl](https://github.com/edgelesssys/go-tdx-qpl) library. Most of the changes focusing the support of TDX 1.5 attestation and verifications. Since Constellation needs to specify the version and hash of dependencies within the code, these changes are directly applied within the patch.
+
 ```bash
 # clone the constellation repo and apply patches.
 git clone https://github.com/edgelesssys/constellation.git
 git checkout fe65a6da76d03f0bed841ae36f33ff22d2567700
 git checkout -b constellation-qemu-tdx
-git apply constellation_qemu_tdx.patch
+git apply ./constellation_qemu_tdx.patch
 ```
 
 ### (Optional) Step 2: Setup proxy if required
+If user are building and running the confidential cluster under proxy, some files need to be modified to bypass the proxy issues.
+
+Here listed the files that need to be modified:
+```
+# Add proxy setting to the files as environment variables
+# e.g. add lines 'export http_proxy=<your_proxy>' to export http_proxy, https_proxy and no_proxy in the script
+image/base/mkosi.skeleton/etc/profile.d/constellation.sh
+
+# Add extra 'env' section in the configuration
+# e.g. env = {"HTTP_PROXY": <your_proxy>, "HTTPS_PROXY": <your_proxy>, "NO_PROXY": <your_proxy>}
+image/system/BUILD.bazel
+
+# Add proxy as environment variables under the service section
+# e.g. Environment="HTTP_PROXY=<your_proxy>". Add http_proxy, https_proxy and no_proxy
+image/base/mkosi.skeleton/usr/lib/systemd/system/containerd.service.d/local.conf
+image/base/mkosi.skeleton/usr/lib/systemd/system/kubelet.service
+
+# Add proxy during execution
+# e.g. ExecStart=/bin/bash -c "echo http_proxy=<your_proxy> >> /run/constellation.env". Echo http_proxy, https_proxy and no_proxy in the file.
+image/sysroot-tree/usr/lib/systemd/system/configure-constel-csp.service
+```
 
 ### Step 3: Build Constellation image for QEMU-TDX option
 Build a Constellation image that works for QEMU-TDX option.
@@ -81,6 +108,8 @@ User need to modify the configuration before starting up the cluster. Modificati
 3. check the value of `metadataAPIServer` and make sure it equals to the value you just pushed in the CLI generation step.
 4. change the measurements of TDX like what shows in the picture
 
+<img src="../../docs/constellation_config_setting.png" alt="measurement setting in constellation-conf.yaml" width="700" height="200">
+
 User could then use the simple command to start up the Constellation confidential cluster.
 ```bash
 # add '--debug' flag to check the debug information