Building your applications with Hyper Protect Secure Build
By using Hyper Protect Secure Build, you can build a trusted container image within a secure enclave that is provided by IBM Hyper Protect Virtual Servers. The enclave is highly isolated: developers can access the container only through a specific API, and the administrator cannot access the contents of the container. Therefore, the image that is built can be highly trusted. Specifically, the build server cryptographically signs both the image and a manifest (a collection of the materials that were used during the build, kept for audits). Because the enclave protects the signing keys, the signatures can be used to verify that the image and the manifest came from the build server and not from elsewhere.
The following diagram illustrates the high-level structure of the Hyper Protect Secure Build server (HPSB), which is provisioned by an administrator on KVM LPARs.
A developer interacts with the server by using the Secure Build CLI and the encrypted workload section provided by IBM. The developer prepares the source code of an application, together with a Dockerfile, in a source code repository such as GitHub. The Hyper Protect Secure Build server pulls the source code, builds a container image by using the Dockerfile, signs the image, and pushes the image to a container registry, such as Docker Hub or IBM Cloud Container Registry (ICR).
During the build process, the server also creates a manifest file and signs it.
Optionally, the developer can push the manifest to IBM Cloud Object Storage, or download the manifest onto a local file system. The build server can also export and import its state as a single file (the state image), which includes the signing keys for the image and the manifest, together with the build parameters. When the state image is exported, it is encrypted, and neither the developer nor IBM can decrypt the Hyper Protect Secure Build state image outside the enclave. It can be decrypted only within the enclave. The encrypted state image can be pushed to IBM Cloud Object Storage, or the developer can download it onto a local file system.
Figure 1. Hyper Protect Secure Build
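The signing-and-verification property described above, as an added illustration that is not part of the IBM documentation or of the Hyper Protect Secure Build code: a build server keeps a signing key (generated in-process here as a stand-in for a key that is held inside the enclave), records the build materials in a manifest, signs the manifest, and a consumer on another machine verifies the signature with the published public key and then checks the pulled image against the digest recorded in the manifest. The manifest fields, the choice of Ed25519, and the `Build` and `Verify` functions are assumptions made for this example; the product uses its own manifest format and signing mechanism.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a simplified stand-in for the build manifest: the materials
// that went into a build, recorded for audit. The field names are assumptions.
type Manifest struct {
	SourceRepo   string `json:"source_repo"`
	SourceCommit string `json:"source_commit"`
	Dockerfile   string `json:"dockerfile"`
	BaseImage    string `json:"base_image"`
	ImageDigest  string `json:"image_digest"`
}

// SignedManifest bundles the canonical manifest bytes with the signature
// that the build server produced over exactly those bytes.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

// BuildServer models the enclave-resident signer: the private key is only
// ever used inside this type, and callers can obtain just the public key.
type BuildServer struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewBuildServer generates a fresh signing key pair (stand-in for the key
// that the real server keeps in its encrypted state image).
func NewBuildServer() (*BuildServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &BuildServer{priv: priv, pub: pub}, nil
}

// PublicKey is what the server publishes so consumers can verify signatures.
func (b *BuildServer) PublicKey() ed25519.PublicKey { return b.pub }

// Build simulates a build: derive the image digest from the image content,
// record the materials in a manifest, and sign the canonical manifest bytes.
// encoding/json emits struct fields in declaration order, so the bytes are
// deterministic and signer and verifier hash the same thing.
func (b *BuildServer) Build(repo, commit, dockerfile, baseImage string, image []byte) (SignedManifest, error) {
	sum := sha256.Sum256(image)
	m := Manifest{
		SourceRepo:   repo,
		SourceCommit: commit,
		Dockerfile:   dockerfile,
		BaseImage:    baseImage,
		ImageDigest:  "sha256:" + hex.EncodeToString(sum[:]),
	}
	canon, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: canon, Signature: ed25519.Sign(b.priv, canon)}, nil
}

// Verify is the consumer-side check: the signature must validate under the
// server's public key, and the pulled image must match the recorded digest.
// Either failure means the artifact did not come unmodified from the server.
func Verify(pub ed25519.PublicKey, sm SignedManifest, pulledImage []byte) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return Manifest{}, errors.New("manifest signature does not verify under the build server key")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	sum := sha256.Sum256(pulledImage)
	if m.ImageDigest != "sha256:"+hex.EncodeToString(sum[:]) {
		return Manifest{}, errors.New("pulled image digest does not match the signed manifest")
	}
	return m, nil
}

func main() {
	srv, err := NewBuildServer()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed stand-in for built image layers") // constructed sample input
	sm, _ := srv.Build("github.com/example/app", "0123abcd", "Dockerfile", "registry.example/base:1.0", image)
	m, err := Verify(srv.PublicKey(), sm, image)
	fmt.Printf("verified manifest for commit %s, err=%v\n", m.SourceCommit, err)
	_, err = Verify(srv.PublicKey(), sm, []byte("a different image"))
	fmt.Println("swapped image:", err)
}
```

The manifest is verified before the digest is compared, so a manifest that was edited after signing is rejected even if it names the digest of the image the consumer actually pulled; a key that the server never published (or an attacker's own key) fails the first check because `Verify` only trusts the one public key it is given.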