Workload owner tasks

As the owner of the secure workload, your tasks comprise preparing your workload and a bootable disk image that you can send to the cloud provider. The steps are described as manual steps, but can be integrated into a build pipeline.

Important: These tasks must be performed in a trusted environment. A sandbox or clean room to which only you, the workload owner, have access is a good option.

kdump consideration: If you configure kdump for the KVM guest, reserve enough memory for the kdump kernel. The crash kernel must be able to unlock the encrypted root volume; if the reserved memory is too small, it cannot do so and kdump is not functional. Configure the memory that is reserved for the crash kernel with the crashkernel kernel parameter.

Overview of steps

At a minimum, the following steps are required.

  1. Encrypt the root file system.
  2. Encrypt data volumes.
  3. Modify the initial RAM file system so that it mounts the encrypted root file system.
  4. Modify the root file system so that it mounts the encrypted data volumes.
  5. Generate a kernel parameter line.
  6. Harden the workload.
  7. Use the genprotimg command to generate a Secure Execution protected image from the kernel, the kernel parameter line, and the initial RAM file system.
You can also harden the workload before you encrypt the root file system. In that case, the root file system that you encrypt must already contain the hardening changes.

These steps and additional tasks are described in the subsequent sections.
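The seven steps above, as an added shell example that is not code from the IBM documentation or from s390-tools: a build-pipeline skeleton in which each step is a function, the crashkernel reservation from the kdump note is validated before the kernel parameter line is written, and the steps that change disks run only when SE_BUILD=1 is set. The device paths, key file locations, the dracut crypttab approach for unlocking the root volume from the initramfs, the 256 MiB crashkernel lower bound and the 896-byte parameter line limit are assumptions; check them against your distribution and the genprotimg man page of your s390-tools version.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): build-pipeline skeleton for the
# workload-owner steps. Paths, key locations, the dracut-based initramfs approach,
# the crashkernel lower bound and the parameter line limit are assumptions.
set -eu

CRASHKERNEL_MIN_MB=256   # assumed minimum so the kdump kernel can unlock the root volume
PARMLINE_MAX=896         # assumed genprotimg parmfile limit in bytes; verify for your version
KEYDIR=/etc/luks         # assumed key location inside the encrypted root fs and the initramfs

# Convert a crashkernel= size such as 512M or 1G to MiB; reject anything else.
parse_mb() {
    n=${1%[MG]}
    case $n in ''|*[!0-9]*) echo "unsupported crashkernel size: $1" >&2; return 1 ;; esac
    case $1 in
        *G) echo $(( n * 1024 )) ;;
        *M) echo "$n" ;;
        *)  echo "unsupported crashkernel size: $1" >&2; return 1 ;;
    esac
}

# Step 5 plus the kdump note: compose the kernel parameter line and refuse a
# crashkernel reservation too small for the crash kernel to unlock the root volume.
kernel_parmline() {
    root_uuid=$1
    crashkernel=$2
    mb=$(parse_mb "$crashkernel") || return 1
    if [ "$mb" -lt "$CRASHKERNEL_MIN_MB" ]; then
        echo "crashkernel=$crashkernel is below ${CRASHKERNEL_MIN_MB}M; kdump could not unlock the root volume" >&2
        return 1
    fi
    # dracut syntax (assumed): only the root LUKS device is activated at boot
    line="root=/dev/mapper/root rd.luks.uuid=$root_uuid crashkernel=$crashkernel"
    if [ ${#line} -gt "$PARMLINE_MAX" ]; then
        echo "kernel parameter line exceeds $PARMLINE_MAX bytes" >&2
        return 1
    fi
    printf '%s\n' "$line"
}

# Step 4: crypttab entry that lets the root file system unlock a data volume with
# a key file that exists only inside the encrypted root file system.
crypttab_line() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# Steps 1 and 2: LUKS2-format a volume with a key file, open it, create a file system.
encrypt_volume() {
    dev=$1; name=$2; keyfile=$3
    cryptsetup luksFormat --type luks2 --batch-mode --key-file "$keyfile" "$dev"
    cryptsetup open --key-file "$keyfile" "$dev" "$name"
    mkfs.ext4 -q "/dev/mapper/$name"
}

# Step 3: initramfs that carries the root key file and a crypttab, so the root
# volume is unlocked without a passphrase. The key is safe in the initramfs only
# because genprotimg encrypts the initramfs as part of the protected image.
build_initramfs() {
    kver=$1; out=$2; root_uuid=$3
    printf 'root UUID=%s %s/root.key luks\n' "$root_uuid" "$KEYDIR" > /tmp/crypttab.initramfs
    dracut --force --no-hostonly --add crypt \
        --include "$KEYDIR" "$KEYDIR" \
        --include /tmp/crypttab.initramfs /etc/crypttab \
        "$out" "$kver"
}

# Step 7: wrap kernel, parameter line and initramfs into a Secure Execution image.
# -k is the host key document of the target machine, -C the certificate used to
# verify it (option names per the genprotimg man page; confirm for your version).
seal_image() {
    kernel=$1; initrd=$2; parmfile=$3; hkd=$4; cert=$5; out=$6
    genprotimg -i "$kernel" -r "$initrd" -p "$parmfile" -k "$hkd" -C "$cert" -o "$out"
}

# Whole pipeline; runs only on request because it changes disks and needs the
# s390x toolchain. All paths are placeholders for the trusted build environment.
if [ "${SE_BUILD:-0}" = 1 ]; then
    ROOT_DEV=/dev/vdb; DATA_DEV=/dev/vdc; KVER=$(uname -r)
    mkdir -p "$KEYDIR" && chmod 700 "$KEYDIR"
    dd if=/dev/urandom of="$KEYDIR/root.key" bs=64 count=1 status=none
    dd if=/dev/urandom of="$KEYDIR/data1.key" bs=64 count=1 status=none
    encrypt_volume "$ROOT_DEV" root "$KEYDIR/root.key"                          # step 1
    encrypt_volume "$DATA_DEV" data1 "$KEYDIR/data1.key"                        # step 2
    ROOT_UUID=$(cryptsetup luksUUID "$ROOT_DEV")
    DATA_UUID=$(cryptsetup luksUUID "$DATA_DEV")
    mount /dev/mapper/root /mnt/root
    rsync -aHAX /path/to/hardened-workload-tree/ /mnt/root/                     # step 6, done on the tree first
    mkdir -p "/mnt/root$KEYDIR" && cp "$KEYDIR/data1.key" "/mnt/root$KEYDIR/"
    crypttab_line data1 "$DATA_UUID" "$KEYDIR/data1.key" >> /mnt/root/etc/crypttab   # step 4
    printf '/dev/mapper/data1 /data ext4 defaults 0 2\n' >> /mnt/root/etc/fstab
    build_initramfs "$KVER" /tmp/initrd.se "$ROOT_UUID"                          # step 3
    kernel_parmline "$ROOT_UUID" 512M > /tmp/parmfile                            # step 5
    seal_image "/boot/vmlinuz-$KVER" /tmp/initrd.se /tmp/parmfile \
        /path/to/host-key-document.crt /path/to/ibm-signing.crt /tmp/se.img     # step 7
fi
```

The pure functions (parse_mb, kernel_parmline, crypttab_line) can be exercised anywhere; the pipeline block is meant to be read and adapted, then run with SE_BUILD=1 inside the trusted environment the page requires. Because the root key file and the crypttab are packed into the initramfs, the protected image must be generated from exactly that initramfs, and the unencrypted initramfs, key files and parameter file must not leave the build environment.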