From YouTube: CNCF SIG Security 2021-03-03

D
All right, cool. It seems like we have, let's say, most people joined. So let's just kick this off. As usual, this meeting is being recorded and CNCF guidelines apply to this. All right, so I'm going to go through the list of attendance, see whether we have any announcements.

B
Like, sure, sure, yeah. Just a reminder that for the March 17 meeting we're gonna have Jen Burns, since the last one was cancelled, talking about ATT&CK for containers. Some people asked me to remind them about that a few meetings earlier, so I'm doing that.

D
Awesome, okay, yeah, looking forward to that. That was on the ATT&CK matrix, right?

D
Cool, all right. Emily has an agenda item, so good updates.

D
All right, and Diego, I'm assuming you updated. This is in the agenda item, right? So we covered, we're going to cover that later. Yeah, okay. Ash, thank you for volunteering to scribe. So let's get started. Before that, any other new folks, new introductions?

D
Cool, all right, so let's get started. I think that the first issue that we have from the agenda is actually about the cloud native security map. So we presented a few weeks ago about the version.

D
So this is really what we're doing. This is taking the concepts of the white paper; we are mapping it onto a cloud native security map, which really focuses on the more practical use aspects of it. So, looking at things like the different projects which you can use on different aspects of cloud native security, as well as, you know, what are some examples of things that you could do.

D
All right, so this stands for the previous issue, but I kind of wanna really go down into details of this. So what we're doing is we're trying to scope this down, really bring down several aspects of the original vision, which is like removing some of the thematic aspects. First, focusing on the content, and we hope to get this done by the end of March, at least to have a ready prototype which we can start refining a little bit, and then we're hoping to kind of launch this at KubeCon EU.

D
So this is where we're going to get a lot of additional eyes on this, and hopefully, you know, bring this into the next chocolate version or strawberry or whatever. So, kind of as an overview: together with Ash and Diego, we are coordinating this effort. So this is kind of like a quick mockup of what it would look like, so: cloud native security map. So you have the different stages of the life cycle and the cloud native security white paper, so you could go into the different ones.

D
So Diego and Ash are going to go through the content aspect of this. So right now, it's all just white paper content. What we are planning to do is to, you know, include additional details of, okay, here are some projects they can use, there are some examples that you can carry out as reference for implementation.

D
So if you're interested, we've got some comments written here. I think the next kind of big point to look at is really this cloud native security map Google document.

D
We have already some contributors there putting their name down, so we are looking for contributors in two areas. One of them is in developing kind of the website that we saw earlier, so if you're interested in that, do put down your name in the issue and say that you're interested in development, and we are also looking for content contributors.

H
Yeah, sure, so yeah, you want to keep the document open and we'll be fine, and I'll have to share, yeah.

H
Yeah, so as Brandon was saying, we would love more contributors in this effort and in this document that is linked in the issue. Just please ping us: either put a comment in the issue, or see the doc that we are specifying in a channel. At the top here on the edge you can see the Slack channel that we are in, and just tell us that you want to help, and here in the document, how you can contribute.

F
Just, yeah, one more thing to add would be the projects in the list can be open source projects, preferably CNCF and other non-CNCF open source projects, and we're also accepting some commercial projects as well in the list of projects, but they'll be lower priority compared to the open source ones. So feel free to add your name to the contributing, the subject you want to contribute to, and then add the projects and the examples that you want to contribute as well. So, yeah, happy to help you all with those contributions, and if you want to contribute to this network, thanks.

B
Okay, so yeah, I'll go ahead and talk about that. Like we had a previous meeting, me, PJ and Alex, about the retrospective of the white paper and the survey that we want to send out to people about the white paper, and so we thought, at least we discussed this, that the white paper is more... okay, sorry, yeah, feel free to chime in. So the white paper is more like an awareness document, right, so to raise awareness for cloud native and everything.

B
It's not a tutorial. It's not a cookbook. It's nothing like that, and we understand that, but we hope that people will understand that as well. But if someone wants to implement a specific section of that white paper, right, the best practice of security, specifically, let's say, for runtime protection, right, so where should I go, right? Where should they...

B
...where should they look, right? And we thought that a good idea would be to have this map as more technical and more detailed information from the white paper, instead of having the white paper with a lot of technical information. I'm not sure if that makes sense.

D
No, I think that's well said, and I hope that this document will kind of be at least half of that requirement, right. I think that we are still not going to be at the point of like the cookbook or something, but definitely it's going to be some starting guidelines to kind of get things started.

I
Don't mind me kind of chiming in. I think Cliff notes are great here, right, because look, they're already inundated with, you know, guideline books and best practices, right. This to me, Cliff notes, I use the term if nobody's familiar, it's just basically like a TL;DR. This is like a TL;DR, but it works, right, yeah.

D
All right, cool, any other questions? We will follow up, as Diego and myself will follow up on those they have commented, the issues, to kind of see what would be good faces to pick up. But you know, this is good. This is going to be a fully collaborative document. So even if you just request access, I'll give you access. Start writing stuff, feel free to go ahead, no one's stopping.

A
So Brandon, just a question. So in each section we need to mention different projects, like for example we can take service mesh or anything, right, so projects can be mentioned. But what you want under examples, are these more oriented towards different use cases that could be solved, or what should be under examples? Is it a use case, or is it, I mean, is it a post, what is it?

D
So the idea of examples, really the motivation behind it, is to provide a better illustration. If someone reads the white paper and it's like, okay, I need to do this, this and that, and then the next question is like, how do I do it? So the examples are supposed to serve as a way to say that, okay, a control, for example, for image scanning or application manifest scanning is, you know, you should not run an application...

D
So I think it also depends on the specific topic, because some topics are a bit broader than others, but the main idea is, you know, feel free to really go down into a specific example. So in this case, for application manifest scanning, we say that, you know, prohibit container images that use the latest tag, you know, prohibit certain registries for containers and things like that. So kind of like ideas that people can look at and be like...

D
Cool, if not, there are other examples in the doc, and I have already put some. I think this one was actually written by car reporters, written by someone else from the APAC meeting, but yeah. This is a ton of stuff that's written here, so you know, feel free to take a look at other stuff and then write based on that. Cool.

D
If not, that sums up this section. Any last questions before we proceed with the agenda?

C
Okay, so this is actually kind of exciting, because it's a little bit more actionable for the community. So we merged in the new security review process. If you have not read it, please go read it. It's very awesome. We're extremely excited about our next projects coming to us for a review, that way we can test it out.

D
So I guess a quick question. I guess some of these details may not be kind of formed up yet, but is this something that the TOC is gonna say, okay, every sandbox project will be attached to someone for a certain amount of time? Because I know projects can be insane about... so yeah.

C
So this is not at this time determined to be like you are fixed to the hip for life. This is more just that initial jumping-off point to get the projects to think more about security. It's also to provide the TOC with evidence of this new security review process and how it could potentially be applied to non-security CNCF projects, which is the next logical progression that we'd like to see projects move in. We want the SIG to not just perform security reviews on security-focused projects, because they're already thinking about it.

C
Give me one second. So not really anything in particular, but we figured if we started with a project that is early enough on in their maturity, the self-assessment better aligns with that, whereas projects that are coming to us for incubation are slightly further on.

C
We would expect a self-assessment probably to have already been performed, and then they would be receiving a joint evaluation with the SIG. So kind of trying to set it up so that these different templates and documents for our overarching security review process have a better alignment with the CNCF phases for early adopters and early majority, as well as the very early innovation projects.

B
Okay, so my question would be, and I think Frederick mentioned that in the chat there, like the first question would be, why not security champions, right? Because on the DevSecOps approach and everything, we have that concept of either a developer or application security person that is involved with a squad or a development team to help them and to champion those security initiatives, right. So maybe creating a new name would cause maybe confusion, and I think that the concept is very similar here, and I really like that we're doing that. I would like to volunteer as well, so yeah.

C
So I think the initial thought around security champion is more somebody that's integrated with the project, which we're hoping that these are more independent than an actual contributor of the project. It could be a security champion; I'm not fixated on any particular name. We want to approach it from the perspective of a lot of security.

C
I will be writing an issue to define a lot of this. So part of the effort is to not only look at what this individual would potentially be doing (we do have some great resources from the containerd team), but also actually picking a project, seeing if they have the appetite for this level of engagement, and then following through with probably one, maybe two, different projects to determine: one, is the self-assessment valuable as it currently exists, and two, did the project get value out of the engagement.

B
No problem. So yeah, maybe my concern would be if someone starts getting involved in a specific project, right, and then they can't help anymore. They start volunteering, they stop volunteering, for example, right. So maybe having a pool of security buddies, right, that any project can go to and ask for help, and then someone takes on that issue and helps them specifically, and if someone is not responding, then another person can take that. That would be a better approach from my perspective. Is "advisor" too generic?

C
Advisor is actually what they're called for containerd, so that's certainly an option. I think having a pool of these individuals would be beneficial as like a centralized point of contact. But I genuinely think that having a primary, at least for a limited engagement, would be very beneficial, because you've got that one person: you know who to go to, you know who to have the conversation with.

B
Once they get assigned to a specific project, then yeah, for sure that would be the point of contact there, right. But I think that at least we should have a Slack channel for security advisors, right, and they can exchange information there, where if they need help, like for example, I'm helping this specific sandbox project but I'm not very familiar with the technology or what they're using, can you guys give me some pointers there? And that would be beneficial as well.

K
But so seriously, as I'm sort of listening and thinking about how... I'm not too familiar with the sandbox and incubator here, but thinking about Apache and their mentoring for incubating over there. If, you know, someone, one or two people, gets assigned to a project, if it's not working out or they get too busy, they sort of go back to the mentoring team and say: hey, look, I'm too busy, I tap out, and just bring someone else in. So that's a pretty small deal.

K
I think the overall idea sounds interesting. I'm curious to see if that becomes something which attracts people into CNCF or the officer.

F
So Emily, from the SIG perspective, wouldn't this be like the similar process, like we do for a normal security assessment, right? We're going to have like a lead security reviewer, we're going to have a team. So from a SIG perspective, it doesn't matter if it's a security or non-security project. On the other end, I think we still have that same structure so that we have some accountability, and obviously there's going to be overview by the co-chairs and the TLs.

C
Yeah, so this is, in an ideal world, if I had my way, this would be like dipping your toe in the water, your first introduction to what it means to be cloud native secure for non-security-focused projects. Now, if there is a security-focused project, we still have a reasonable expectation for them to have some security-specific documentation within their repository, and that's kind of what the self-assessment does: it's that introductory "tell us about your project from a security perspective".

C
It's the same joint assessment, joint evaluation that we've been doing, with some more detail added on to it, just based off of the feedback that we've received. So the self-assessment is a little bit more lightweight; it's independent. So the idea is not to analyze the project, but more for them to be self-reflective, and for us to be there and available to answer any questions that they may have and kind of have that guiding conversation.

C
And then all of that work rolls into the joint evaluation, where we do that joint kind of look at the project, poke around at it, see how they're thinking about security and how they're applying it and where they fit in the cloud native ecosystem from a security perspective. And then from there, those two documents, when they're finalized, help contribute to the security audit, which is later on in their life cycle.

C
So it sounds like there's a lot of discussion about it and it would be beneficial to have. So I guess I will go ahead and create the ticket and we can start having a little bit more documented discussion on: what does this mean, then what are we going to call it? Sarah had an excellent suggestion to use a very specific name affixed to this. That way, we can define a finite term during that evaluation.

D
Awesome, cool, thanks Emily. And I think that our last agenda item is for the confidential computing project. Ava, are you on? I just joined? Yes, awesome, cool! Oh yes, oh.

L
Okay, literally just joined. So I wanted to share a project we just launched, coming out of Deis Labs at Microsoft, called Mystikos. The one-line Twitter pitch is: bring your own application, binary, container or VM and run it in an enclave.

L
Some limitations apply. I'm already chatting with a couple folks in this committee and in the CNCF about using this potentially in projects like SPIFFE or NSM, for taking advantage of the enclave-native functions of attestation, setting up mutual TLS, and sort of wanted to see, like, hey, we literally just launched it like a week ago, if folks want to kick the tires or check it out. And we're looking at: how do we integrate this with Kubernetes, and how do we integrate it with other projects in this space?

M
Project... so, Ava, I had a question. This is Bene here. So how do we think about this? Maybe the one thing that came to my mind is service mesh, right. You talked about mutual TLS, some kind of a confidential container or a runtime environment, and you're adding on some kind of security capabilities.

M
So can you just briefly compare and contrast the two and how we should probably think about this? Just trying to understand the enclave a little bit better.

L
Are you asking for a broader context of what is an enclave or a trusted execution environment, or more how does it fit into the container ecosystem?

L
Okay, so a hardware-aided trusted execution environment basically takes advantage of some properties of processors that are kind of new, still coming out, but at this point all the major clouds have either SGX or Arm TrustZone or AMD SEV as a capability.

L
A lot of these provide similar functionality through different APIs; it's not yet standardized. Each CPU vendor has something different. Each of the cloud providers has some sort of an attestation service or attestation model that is layering on top of these. And so attestation, in this scenario, is sort of the proof of identity of the machine and the proof of identity of everything under it.

L
This firmware, this patch level, this operating system patch level. And then once it's running, that container is isolated even from the host, so the root of the host, dom0 if you're in Xen, cannot access it. It's hardware separated with encrypted memory regions. I'm not sure, you know, they all do it a little differently, different CPUs, but the goal being sort of a blind hypervisor or blind container.

L
In this case, we're looking at some of the... I was chatting with a couple folks about using it for mutual TLS in service mesh, where the certificates are tied to the actual hardware ID. So you have just an extra layer of proof of where the communication is happening, that something hasn't been moved off the cloud or out of your region, out of your geographic boundary. Still an early space. So that's sort of a shotgun of ideas.

L
Great question. It's going to vary by implementation. I think we're at the early stages right now. Some similar projects' launch times are a little bit slower than a normal container, but not by much. It might not be great for a function as a service yet, if you're expecting, you know, sub-second total runtime, total lifetime for your container, because at least in my testing, some of our testing, the bring-up time is measured in...

L
Less than a second, but it's not as fast as a regular container. That'll change depending on how much memory you're allocating. So if you were allocating a very large amount of memory to one of these enclaves, that initialization might take five seconds, pulling a number out of a hat. Still, if you're going to run it for an hour or six hours, the length of your SSL certificate, that's still fine.

L
There is a separate foundation parallel to the CNCF, also under the LF, called the Confidential Computing Consortium, and a lot of this work is centered in that body. This particular project, Mystikos, is right now not homed in any foundation; it's just developers doing some work. As far as the discussion of surfacing this up into the cloud-native ecosystem, I think that's here, at least for now, until it grows, it outgrows this body and needs its own channel.

N
But hey, I... this is his hand. I mean, I made some contacts here, so I have a question regarding the mutual TLS part. You have mentioned the hardware ID. So I'm curious, like, do you use some TPM or other technology to make sure that... how did you get the hardware ID and put that into the TLS server?

L
So a TEE is another type of hardware, different from a TPM. It provides similar functionality, though, so you can think of it in the sense of: a TPM provides attestation of integrity of some devices in the system, as well as some key it might have stored. Yeah, I'm just wrong.

N
Okay, so are you saying, like, for the key framework we do not need to care about, like, it's on server, or like how can the, like the traditional X...

D
A quick question on this: is this kind of like, I know the Enarx project, which kind of wants to do that, is this like work that's together with them, or just a separate project?

L
Yeah, a good question. This is a separate project with different goals. So there's some overlap. Enarx is WASI, wasm runtime abstraction, plus a bunch of their own orchestration.

L
Mystikos... Enarx is the Red Hat project, yeah. I'm like that, Deis Labs Mystikos right now. Sorry about that. So the main difference is Enarx is focused on WASI/wasm, plus its own orchestration and key release layers. Mystikos is focused on application portability, so bring your own runtime, sorry, bring your own application, whether it's a binary you compiled in Rust or Go, or a Docker image. Right now we have support to just take an existing Docker image.

L
There are some limitations of what can be run in our current target of SGX, but take your Docker image, simply migrate its format, add a signing or attestation around it, and run it in an enclave. No problem. We have a proof of concept with QEMU right now to take a QEMU VHD file format and just mount it and run it. So very different approach, but same hardware layer.

D
This is something that I've seen recent work on. There's an issue in Kata Containers now that's kind of discussing confidential computing. Sorry, I was just... do you see this kind of being orchestrated as a type of workload on Kubernetes, or something like that? I...

L
Do... yeah, in Azure today we have a GA product for AKS support for SGX, so it's a type of node or property of nodes you could schedule workloads to, and at the moment that would just be an SGX device available in your node.

L
If you had an application that was written to use that, it could use the raw device. What we're talking about with this would be a little bit different, potentially, or, you know, your Docker container that you schedule on a cloud might itself contain an enclave runtime like Mystikos or Occlum or Graphene.

D
Yeah, there's this new revitalization of the issue now. Okay, yeah, we started discussing it and then I got pinged a lot on anchor, the image and stuff as well, so something to look at again.

L
So some of the SGX runtimes, like Graphene, they work around this in a really slow and painful way that also, in my opinion, reduces security, because it calls out to the untrusted host whenever you fork to launch a new process. But if you're assuming that the new process is trusted because it was launched from in the enclave, the reality is it was launched from outside the enclave.

I
Ava, can I ask like a simple question, and again: why wouldn't you just fold this capability into one of the runtimes like CRI-O or containerd? You know what I mean, like have some type of switch that says, hey, take advantage of TEE and all that. And again, you know how I am with Cliff notes. I just try to simplify things, right, so I...

L
Love that you've thought of that. The shorter answer is we haven't done it yet. But yes, please.

I
I remember back in the day, like just way back in the day, Docker was doing... I was at HPE. Docker was like, hey, can you integrate? You know, HP was like, can you integrate with TPM, right, to be able to have it? So you know, getting that stuff, and it was like, that kind of helped to articulate some of that capability, but that also helps in widespread usage of the tool when it's integrated, ingrained in all of those various runtimes, right. So.

L
So the ability for this to be connected as a containerd runtime plugin, yes, absolutely, like that is incredibly desirable and part of what we're working towards. But you know, if you want to do that, go for it! I'd love to see it.

K
The tricky part there is that that's definitely interesting, but how do you do it for different CPU architectures, right? AMD's is different than Intel's. So.

D
Have you seen, kind of like, I know each enclave or TEE has its own attestation framework and some of them match, yeah. It is done differently. So that's like, oh yeah, it's a little bit of an unsolved...

L
Problem. So one of the bigger work streams in the CCC that I'm co-leading is the attestation working group, to try and address both how someone might do cross-cloud attestation, because Google, Amazon and Microsoft's cloud attestation services are different, and how you might do cross-CPU-architecture attestation. For the point we just mentioned: unsolved problem. If you want to work on it, come join our SIG.

D
Can you put a link to that? Like, how hard is it to join? I think there were a couple others that were asking as well.

L
We haven't yet created a mailing list or a Slack for that SIG yet. Things will slowly get started, sometimes, in a new foundation. The official vote to create them happens next Thursday.

E
Can you post where the SIG is, where you guys meet and whatnot, if there's an online doc for that?

L
We are forming it right now. I've been trying to corral that for a little while. You can certainly join the CCC discussion lists, and I'm going to get a link that works to that right now, okay.

D
Awesome, thanks. And I guess, when the SIG details are up, if you could put it in the security channel, or you can just send it to one of us and we can dump it in there. That'd be helpful.

D
Awesome, we're almost at time, so any questions, any calls to action?

D
Awesome, thank you, Ava. This was really helpful. I think a lot of people are keen, so hopefully you see a few more new faces soon. All right, I think that is all that we have planned for today. So any additional topics anyone would like to bring up?