diff --git a/README.md b/README.md
index 46df29ac..de30dd77 100755
--- a/README.md
+++ b/README.md
@@ -11,11 +11,10 @@
## 1. Introduction
-Confidential Computing technology like Intel TDX provides isolated encryption runtime
+Confidential Computing technology like Intel® TDX provides isolated encryption runtime
environment to protect data-in-use based on hardware Trusted Execution Environment (TEE).
It requires a full chain integrity measurement on the launch-time or runtime environment
-to guarantee "consistently behavior in expected way" (defined by
-[Trusted Computing](https://en.wikipedia.org/wiki/Trusted_Computing)) of confidential
+to guarantee "consistent behavior in an expected way" of confidential
computing environment for tenant's zero-trust use case.
This project is designed to provide cloud native measurement for the full measurement
@@ -23,27 +22,19 @@ chain from TEE TCB -> Firmware TCB -> Guest OS TCB -> Cloud Native TCB as follow
-_NOTE: Different with traditional trusted computing on non-confidential environment,
+_NOTE: Different from traditional trusted computing on non-confidential environment,
the measurement chain is not only started with Guest's `SRTM` (Static Root Of Measurement)
-but also need include the TEE TCB, because the CC VM environment is created by TEE
+but it also needs to include the TEE TCB, because the CC VM environment is created by TEE
via `DRTM` (Dynamic Root of Measurement) like Intel TXT on the host._
-From the perspective of tenant's workload, `CCNP` will expose the [CC Trusted API](https://github.com/cc-api/cc-trusted-api)
-as the unified interfaces across diverse trusted foundations like `RTMR+TDMR+CCEL`
-and `PCR+TPM2`. The definitions and structures follows standard specifications like
-[TCG PC Client Platform TPM Profile Specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/),
-[TCG PC Client Platform Firmware Profile Specification](https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/)
+From the perspective of a tenant's workload, `CCNP` will expose the [CC Trusted API](https://github.com/cc-api/cc-trusted-api)
+as the unified interfaces across diverse trusted foundations like `RTMR+MRTD+CCEL`
+and `PCR+TPM2`.
-This project should also be able deployed on [diverse cloud native PaaS frameworks](https://www.redhat.com/en/blog/confidential-computing-use-cases) like confidential cluster, container, `kubevirt` etc.
-An example of landing architecture on confidential cluster is as follows, please
-refer [detail deployment steps](/deployment/README.md)
-
-
-
-Finally, the full trusted chain will be measured into CC report as follows using
-TDX as example:
+Finally, the full trusted chain will be measured into a CC report as follows using
+TDX as an example:
@@ -51,67 +42,59 @@ _NOTE:_
- The measurement of TEE, Guest's boot, OS is per CC VM, but cluster/container measurement
might be per cluster/namespace/container for cloud native architecture.
-- Please refer structure [`TDREPORT`](https://github.com/tianocore/edk2/blob/master/MdePkg/Include/IndustryStandard/Tdx.h)
+- Please refer to structure [`TDREPORT`](https://github.com/tianocore/edk2/blob/master/MdePkg/Include/IndustryStandard/Tdx.h)
+- The CCNP project collects container level primitives by implementing unified APIs defined in [CC Trusted API](https://github.com/cc-api/cc-trusted-api). The project will be moved to [CC Trusted API](https://github.com/cc-api/cc-trusted-api) in the near future.
-## 2. Design
+## 2. Installation
-`CCNP` includes several micro-services as BaaS(Backend as a Service) to provides
-cloud native measurement, then exposes `CC trusted API` via cloud native SDK:
+### 2.1 Configuration
-- Services are designed to hide the complexity of different TEE platforms and provides
-common interfaces and scalability for cloud-native environment to address the fetching
-the fetching of quote, measurement and event log.
+CCNP collects primitives of confidential cloud native environments running in confidential VMs, such as Intel® TDX guest. You can setup an Intel® TDX enlightened host and then boot a TD guest on it. The feasible configurations are as below.
-- SDK is provided to simplify the use of the service interface for development,
-it covers communication to the service and parses the results from the services.
-With such SDK, users can perform related actions with one simple API call.
+The Platform certificate caching service (PCCS) is used to retrieve and cache PCK certificates locally to your cluster from Intel's Platform Certificate Service. This is necessary to attest the authenticity of a TD guest before a workload is started in it. The Quote Generate Service (QGS) runs on the host in a specialized enclave to generate and use TD quotes. For convenient setup these can run inside a Docker container. Learn more at https://download.01.org/intel-sgx/sgx-dcap/1.17/linux/docs/Intel_TDX_DCAP_Quoting_Library_API.pdf.
-- A `CCNP` device plugin is provided as the dependency for services such as Quote
-Server and Measurement Server. It will help with device mount and folder injection
-within the service.
+The PCCS and QGS are used to get Quote for a TD guest. They need to be installed on TDX host.
-SDK PyPI package can be found [here](https://pypi.org/project/ccnp/). Please check our [documentation](https://intel.github.io/confidential-cloud-native-primitives/) for more details.
+| CPU | Host OS | Host packages | Guest OS | Guest packages | DCAP packages |
+|---|---|---|---|---|---|
+| Intel® Emerald Rapids | Ubuntu 22.04| Build packages referring to [here](https://github.com/intel/tdx-tools/tree/tdx-1.5/build/ubuntu-22.04) | Ubuntu 22.04 | Build packages referring to [here](https://github.com/intel/tdx-tools/tree/tdx-1.5/build/ubuntu-22.04) | [here](https://download.01.org/intel-sgx/sgx-dcap/1.19/linux/distro/ubuntu22.04-server/)
+| Intel® Emerald Rapids | Ubuntu 23.10 | Setup TDX host referring to [here](https://github.com/canonical/tdx) | Ubuntu 22.04 | Build packages referring to [here](https://github.com/intel/tdx-tools/tree/tdx-1.5/build/ubuntu-22.04)| Setup containerized [PCCS](https://github.com/intel/confidential-cloud-native-primitives/tree/main/container/pccs) and [QGS](https://github.com/intel/confidential-cloud-native-primitives/tree/main/container/qgs) on the host |
-
+_NOTE: the following installation will be performed in a confidential VM. Make sure you have confidential VM booted before moving forward._
-*Note: For Intel TDX, it bases on Linux TDX Software Stack at [tdx-tools](https://github.com/intel/tdx-tools), the corresponding white
-paper is at [Whitepaper: Linux* Stacks for Intel® Trust Domain Extension 1.0](https://www.intel.com/content/www/us/en/content-details/779108/whitepaper-linux-stacks-for-intel-trust-domain-extension-1-0.html).*
+### 2.2 Deploy CCNP Services
+It supports to deploy CCNP services as DaemonSets in Kubernetes cluster or docker containers on a single confidential VM. Please refer to below guides for different deployment environments.
-## 3. Installation
+- [CCNP deployment guide - K8S](deployment/README.md): on confidential VM node of Kubernetes cluster.
-Here provides the description on the installation steps for the services and the
-SDK.
+- [CCNP deployment guide - Docker](deployment/README.md): on confidential VM using docker compose.
-[CCNP deployment guide](deployment/README.md) introduces how to deploy CCNP services,
-which also includes an example of running CCNP example pod to get cloud native primitives
-using CCNP SDK.
+This project should also be able deployed on [diverse cloud native PaaS frameworks](https://www.redhat.com/en/blog/confidential-computing-use-cases) like confidential cluster, `kubevirt` etc in future.
+An example of landing architecture on confidential cluster is as follows.
-You can also use the following guides as alternatives of installing each service
-separately.
+
-- Quote Server: [Installation guide](service/quote-server/README.md)
-- Measurement Server: [Installation guide](service/measurement-server/README.md)
-- Event Log Server: [Installation guide](service/eventlog-server/README.md)
+### 2.3 Install SDK
-For SDK, user can simply install from PyPI using command:
+CCNP SDK can be used by a workload for cloud native primitives collecting. It needs to be installed within the workload container image and called whenever the primitives are required. The SDK can be installed from PyPI using the command:
```
pip install ccnp
```
-Or to install from source code with the following command:
+Alternatively, the CCNP can be installed from source code with the following command. Make sure to clone the repository into your confidential VM and then run the following command:
```
cd sdk/python3
pip install -e .
```
-For the ccnp device plugin, user can find the installation guide under the 'Installation'
-section [here](device-plugin/ccnp-device-plugin/README.md)
+### 2.4 Install CCNP Device Plugin
+Follow the CCNP device plugin [Installation Guide](device-plugin/ccnp-device-plugin/README.md)
-## 4. Contributing
+## 3. Contributing
This project welcomes contributions and suggestions. Most contributions require
you to agree to a Contributor License Agreement (CLA) declaring that you have the
@@ -126,7 +109,7 @@ once across all repos using our CLA.
See [CONTRIBUTING.md](CONTRIBUTING.md) for details on building, testing, and contributing
to these libraries.
-## 5. Provide Feedback
+## 4. Provide Feedback
If you encounter any bugs or have suggestions, please file an issue in the Issues
section of the project.
@@ -134,6 +117,14 @@ section of the project.
_Note: This is pre-production software and, as such, it may be substantially modified as updated versions are made available._
+## 5. Reference
+
+[Trusted Computing](https://en.wikipedia.org/wiki/Trusted_Computing)
+
+[TCG PC Client Platform TPM Profile Specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/)
+
+[TCG PC Client Platform Firmware Profile Specification](https://trustedcomputinggroup.org/resource/pc-client-specific-platform-firmware-profile-specification/)
+
## 6. Contributors
@@ -180,7 +171,7 @@ _Note: This is pre-production software and, as such, it may be substantially mod
- Null
+ Haokun Xing