buildah-mkcw(1)             General Commands Manual            buildah-mkcw(1)

NAME
       buildah-mkcw - Convert a conventional container image into a
       confidential workload image.

SYNOPSIS
       buildah mkcw [options] source destination

DESCRIPTION
       Converts the contents of a container image into a new container image
       which is suitable for use in a trusted execution environment (TEE),
       typically run using krun (i.e., crun built with the libkrun feature
       enabled and invoked as krun). Instead of the conventional contents, the
       root filesystem of the created image will contain an encrypted disk
       image and configuration information for krun.

   source
       A container image, stored locally or in a registry

   destination
       A container image, stored locally or in a registry

OPTIONS
       --attestation-url, -u url
              The location of a key broker / attestation server. If a value
              is specified, the new image's workload ID, along with the
              passphrase used to encrypt the disk image, will be registered
              with the server, and the server's location will be stored in
              the container image. At run-time, krun is expected to contact
              the server to retrieve the passphrase using the workload ID,
              which is also stored in the container image. If no value is
              specified, a passphrase value must be specified.

       --base-image, -b image
              An alternate image to use as the base for the output image. By
              default, the scratch non-image is used.

       --cpus, -c number
              The number of virtual CPUs which the image expects to be run
              with at run-time. If not specified, a default value will be
              supplied.

       --firmware-library, -f file
              The location of the libkrunfw-sev shared library. If not
              specified, buildah checks for its presence in a number of
              hard-coded locations.

       --memory, -m number
              The amount of memory which the image expects to be run with at
              run-time, as a number of megabytes. If not specified, a default
              value will be supplied.

       --passphrase, -p text
              The passphrase to use to encrypt the disk image which will be
              included in the container image. If no value is specified, but
              an --attestation-url value is specified, a randomly-generated
              passphrase will be used. The authors recommend setting an
              --attestation-url but not a --passphrase.

       --slop, -s {percentage%|sizeKB|sizeMB|sizeGB}
              Extra space to allocate for the disk image compared to the size
              of the container image's contents, expressed either as a
              percentage (..%) or a size value (bytes, or larger units if
              suffixes like KB or MB are present), or a sum of two or more
              such specifications. If not specified, buildah guesses that 25%
              more space than the contents will be enough, but this option is
              provided in case its guess is wrong. If the specified or
              computed size is less than 10 megabytes, it will be increased
              to 10 megabytes.

       --type, -t {SEV|SNP}
              The type of trusted execution environment (TEE) which the image
              should be marked for use with. Accepted values are "SEV" (AMD
              Secure Encrypted Virtualization - Encrypted State) and "SNP"
              (AMD Secure Encrypted Virtualization - Secure Nested Paging).
              If not specified, defaults to "SNP".

       --workload-id, -w id
              A workload identifier which will be recorded in the container
              image, to be used at run-time for retrieving the passphrase
              which was used to encrypt the disk image. If not specified, a
              semi-random value will be derived from the base image's image
              ID.

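The disk-image sizing that --slop describes, as an added illustration rather than buildah's own code: it models the documented rules (25% default, the 10 megabyte floor) and assumes that components of a sum are joined with "+", that KB/MB/GB are binary units, and that a percentage scales the running total while a size component adds to it.

```python
import re

KB = 1024
# Unit multipliers; binary units are an assumption of this model.
UNITS = {"": 1, "B": 1, "KB": KB, "MB": KB ** 2, "GB": KB ** 3}
# The documented floor: images smaller than 10 megabytes are grown to 10.
MIN_IMAGE_BYTES = 10 * KB ** 2

# One component: an integer followed by "%" or an optional size suffix.
_PART = re.compile(r"^\s*(\d+)\s*(%|[KMG]?B)?\s*$", re.IGNORECASE)


def slop_size(contents_bytes: int, slop: str = "") -> int:
    """Return the disk image size implied by a --slop specification.

    An empty specification means 25% more than the contents. Otherwise
    each "+"-separated component (separator is an assumption) is applied
    in order: "N%" scales the running size, a size value adds to it.
    Raises ValueError for a component the man page does not describe.
    """
    size = contents_bytes
    if not slop.strip():
        size = contents_bytes * 5 // 4
    else:
        for part in slop.split("+"):
            m = _PART.match(part)
            if not m:
                raise ValueError(f"bad slop component: {part!r}")
            value, unit = int(m.group(1)), (m.group(2) or "").upper()
            if unit == "%":
                size = size * (100 + value) // 100
            else:
                size += value * UNITS[unit]
    return max(size, MIN_IMAGE_BYTES)


if __name__ == "__main__":
    # Constructed example: a 100 MB root filesystem with various settings.
    contents = 100 * KB ** 2
    for spec in ("", "10%", "10% + 5MB", "1GB", "0%"):
        print(f"{spec!r:>14} -> {slop_size(contents, spec) // KB ** 2} MB")
```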
SEE ALSO
       buildah(1)

buildah                          July 2023                     buildah-mkcw(1)