Provided by: buildah_1.33.7+ds1-1ubuntu0.24.04.3_amd64

NAME

       buildah-mkcw - Convert a conventional container image into a confidential workload image.

SYNOPSIS

       buildah mkcw [options] source destination

DESCRIPTION

       Converts  the  contents  of  a  container image into a new container image which is suitable for use in a
       trusted execution environment (TEE), typically run using krun (i.e., crun built with the libkrun  feature
       enabled  and  invoked as krun).  Instead of the conventional contents, the root filesystem of the created
       image will contain an encrypted disk image and configuration information for krun.

source

       A container image, stored locally or in a registry

destination

       A container image, stored locally or in a registry

OPTIONS

       --attestation-url, -u url
              The location of a key broker / attestation server.  If a value is specified, the new image's
              workload ID, along with the passphrase used to encrypt the disk image, will be registered with
              the server, and the server's location will be stored in the container image.  At run-time, krun
              is expected to contact the server to retrieve the passphrase using the workload ID, which is
              also stored in the container image.  If no value is specified, a passphrase value must be
              specified.

       --base-image, -b image
              An alternate image to use as the base for the output image.  By default, scratch (an empty
              base with no image layers) is used.

       --cpus, -c number
              The number of virtual CPUs which the image expects to be run with at run-time.  If not
              specified, a default value will be supplied.

       --firmware-library, -f file
              The location of the libkrunfw-sev shared library.  If not specified, buildah checks for its
              presence in a number of hard-coded locations.

       --memory, -m number
              The amount of memory which the image expects to be run with at run-time, as a number of
              megabytes.  If not specified, a default value will be supplied.

       --passphrase, -p text
              The passphrase to use to encrypt the disk image which will be included in the container image.
              If no value is specified, but an --attestation-url value is specified, a randomly-generated
              passphrase will be used.  The authors recommend setting an --attestation-url but not a
              --passphrase.

       --slop, -s {percentage%|sizeKB|sizeMB|sizeGB}
              Extra space to allocate for the disk image compared to the size of the container image's
              contents, expressed either as a percentage (..%) or a size value (bytes, or larger units if
              suffixes like KB or MB are present), or a sum of two or more such specifications.  If not
              specified, buildah guesses that 25% more space than the contents will be enough, but this
              option is provided in case its guess is wrong.  If the specified or computed size is less than
              10 megabytes, it will be increased to 10 megabytes.
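       As an added illustration of the --slop sizing rule described above (not buildah's own code), the
       following shell function applies a slop specification to a content size supplied by the caller and
       prints the disk image size in bytes that the rule yields.  It assumes binary units (KB = 1024 bytes,
       and "10 megabytes" = 10 * 1048576 bytes) and accepts only the percentage and KB/MB/GB forms named
       here; buildah's own parser may differ in those details.

```sh
# slop_size CONTENT_BYTES [SLOP_SPEC]
# Applies the --slop rule from the man page to a content size and prints the
# resulting disk image size in bytes.  Assumptions (not stated on the page):
# KB/MB/GB are binary units, and "10 megabytes" means 10 * 1048576 bytes.
slop_size() {
    content=$1
    spec=${2:-25%}          # documented default: 25% more than the contents
    extra=0
    # "a sum of two or more such specifications": split the spec on '+'
    oldifs=$IFS; IFS='+'; set -- $spec; IFS=$oldifs
    for term in "$@"; do
        mult=1
        case $term in
            *%)  n=${term%\%}; mult=pct ;;        # percentage of the content size
            *GB) n=${term%GB}; mult=1073741824 ;;
            *MB) n=${term%MB}; mult=1048576 ;;
            *KB) n=${term%KB}; mult=1024 ;;
            *)   n=$term ;;                       # bare number: bytes
        esac
        case $n in
            ''|*[!0-9]*) echo "slop_size: unrecognised slop term '$term'" >&2; return 1 ;;
        esac
        if [ "$mult" = pct ]; then
            extra=$(( extra + content * n / 100 ))
        else
            extra=$(( extra + n * mult ))
        fi
    done
    size=$(( content + extra ))
    # "If the specified or computed size is less than 10 megabytes, it will be
    # increased to 10 megabytes."
    floor=$(( 10 * 1048576 ))
    if [ "$size" -lt "$floor" ]; then size=$floor; fi
    echo "$size"
}
```

       The content size is the size of the image's contents, which this page does not say buildah prints, so
       measure it yourself (for example from an unpacked copy of the image) before checking a --slop value.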

       --type, -t {SEV|SNP}
              The type of trusted execution environment (TEE) which the image should be marked for use with.
              Accepted values are "SEV" (AMD Secure Encrypted Virtualization - Encrypted State) and "SNP"
              (AMD Secure Encrypted Virtualization - Secure Nested Paging).  If not specified, defaults to
              "SNP".

       --workload-id, -w id
              A workload identifier which will be recorded in the container image, to be used at run-time
              for retrieving the passphrase which was used to encrypt the disk image.  If not specified, a
              semi-random value will be derived from the base image's image ID.

SEE ALSO

       buildah(1)

buildah                                             July 2023                                    buildah-mkcw(1)