docs: update "features and limitations" regarding BM and TDX

dev-docs/release.md

@@ -4,33 +4,35 @@
 
 1. Ensure all needed PRs were merged.
 
-2. Export the release you want to make:
+2. Update [Planned features and limitations](../docs/docs/features-limitations.md).
+
+3. Export the release you want to make:
 
     ```sh
     export REL_VER=v0.1.0
     echo "Releasing $REL_VER"
     ```
 
-3. Create a new temporary branch for the release:
+4. Create a new temporary branch for the release:
 
     ```sh
     git switch -c "tmp/$REL_VER"
     git push
     ```
 
-4. Trigger the release workflow
+5. Trigger the release workflow
 
     ```sh
     gh workflow run release.yml --ref $(git rev-parse --abbrev-ref HEAD) -f kind=minor -f version="$REL_VER"
     ```
 
-5. Review the release notes, test the binary artifact.
+6. Review the release notes, test the binary artifact.
 
-6. Review and merge the auto generated update PR for main.
+7. Review and merge the auto generated update PR for main.
 
-7. Publish the GitHub release.
+8. Publish the GitHub release.
 
-8. Check that the release publish action succeeds.
+9. Check that the release publish action succeeds.
 
 ## Patch
 

docs/docs/basics/confidential-containers.md

@@ -16,7 +16,7 @@ In CoCo's case, the runtime is Kata Containers with added confidential computing
 [Kata Containers](https://katacontainers.io/) is an OCI runtime that runs pods in VMs.
 The pod VM spawns an agent process that accepts management commands from the Kata runtime running on the host.
 There are two options for creating pod VMs: local to the Kubernetes node, or remote VMs created with cloud provider APIs.
-Using local VMs requires either bare metal servers or VMs with support for nested virtualization.
+Using local VMs requires either bare-metal servers or VMs with support for nested virtualization.
 Local VMs communicate with the host over a virtual socket.
 For remote VMs, host-to-agent communication is tunnelled through the cloud provider's network.
 

docs/docs/deployment.md

@@ -7,11 +7,11 @@ confidential and deploying it together with Contrast.
 <TabItem value="aks-clh-snp" label="AKS" default>
 A running CoCo-enabled cluster is required for these steps, see the [setup guide](./getting-started/cluster-setup.md) on how to set up a cluster on AKS.
 </TabItem>
-<TabItem value="k3s-qemu-snp" label="Bare Metal (SNP)">
-A running CoCo-enabled cluster is required for these steps, see the [setup guide](./getting-started/bare-metal.md) on how to set up a bare metal cluster.
+<TabItem value="k3s-qemu-snp" label="Bare metal (SEV-SNP)">
+A running CoCo-enabled cluster is required for these steps, see the [setup guide](./getting-started/bare-metal.md) on how to set up a bare-metal cluster.
 </TabItem>
-<TabItem value="k3s-qemu-tdx" label="Bare Metal (TDX)">
-A running CoCo-enabled cluster is required for these steps, see the [setup guide](./getting-started/bare-metal.md) on how to set up a bare metal cluster.
+<TabItem value="k3s-qemu-tdx" label="Bare metal (TDX)">
+A running CoCo-enabled cluster is required for these steps, see the [setup guide](./getting-started/bare-metal.md) on how to set up a bare-metal cluster.
 </TabItem>
 </Tabs>
 
@@ -29,12 +29,12 @@ It can be shared between Contrast deployments.
 kubectl apply -f https://github.com/edgelesssys/contrast/releases/latest/download/runtime-aks-clh-snp.yml
 ```
 </TabItem>
-<TabItem value="k3s-qemu-snp" label="Bare Metal (SNP)">
+<TabItem value="k3s-qemu-snp" label="Bare metal (SEV-SNP)">
 ```sh
 kubectl apply -f https://github.com/edgelesssys/contrast/releases/latest/download/runtime-k3s-qemu-snp.yml
 ```
 </TabItem>
-<TabItem value="k3s-qemu-tdx" label="Bare Metal (TDX)">
+<TabItem value="k3s-qemu-tdx" label="Bare metal (TDX)">
 ```sh
 kubectl apply -f https://github.com/edgelesssys/contrast/releases/latest/download/runtime-k3s-qemu-tdx.yml
 ```
@@ -52,12 +52,12 @@ LoadBalancer service, into your cluster.
 kubectl apply -f https://github.com/edgelesssys/contrast/releases/latest/download/coordinator-aks-clh-snp.yml
 ```
 </TabItem>
-<TabItem value="k3s-qemu-snp" label="Bare Metal (SNP)">
+<TabItem value="k3s-qemu-snp" label="Bare metal (SEV-SNP)">
 ```sh
 kubectl apply -f https://github.com/edgelesssys/contrast/releases/latest/download/coordinator-k3s-qemu-snp.yml
 ```
 </TabItem>
-<TabItem value="k3s-qemu-tdx" label="Bare Metal (TDX)">
+<TabItem value="k3s-qemu-tdx" label="Bare metal (TDX)">
 ```sh
 kubectl apply -f https://github.com/edgelesssys/contrast/releases/latest/download/coordinator-k3s-qemu-tdx.yml
 ```
@@ -207,22 +207,22 @@ A `manifest.json` with the reference values of your deployment will be created.
 contrast generate --reference-values aks-clh-snp resources/
 ```
 </TabItem>
-<TabItem value="k3s-qemu-snp" label="Bare Metal (SNP)">
+<TabItem value="k3s-qemu-snp" label="Bare metal (SEV-SNP)">
 ```sh
 contrast generate --reference-values k3s-qemu-snp resources/
 ```
 :::note[Missing TCB values]
-On bare metal SEV-SNP, `contrast generate` is unable to fill in the `MinimumTCB` values as they can vary between platforms.
+On bare-metal SEV-SNP, `contrast generate` is unable to fill in the `MinimumTCB` values as they can vary between platforms.
 They will have to be filled in manually.
 If you don't know the correct values use `{"BootloaderVersion":255,"TEEVersion":255,"SNPVersion":255,"MicrocodeVersion":255}` and observe the real values in the error messages in the following steps. This should only be done in a secure environment. Note that the values will differ between CPU models.
 :::
 </TabItem>
-<TabItem value="k3s-qemu-tdx" label="Bare Metal (TDX)">
+<TabItem value="k3s-qemu-tdx" label="Bare metal (TDX)">
 ```sh
 contrast generate --reference-values k3s-qemu-tdx resources/
 ```
 :::note[Missing TCB values]
-On bare metal TDX, `contrast generate` is unable to fill in the `MinimumTeeTcbSvn` and `MrSeam` TCB values as they can vary between platforms.
+On bare-metal TDX, `contrast generate` is unable to fill in the `MinimumTeeTcbSvn` and `MrSeam` TCB values as they can vary between platforms.
 They will have to be filled in manually.
 If you don't know the correct values use `ffffffffffffffffffffffffffffffff` and `000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000` respectively and observe the real values in the error messages in the following steps. This should only be done in a secure environment.
 :::
@@ -249,12 +249,12 @@ You can disable the Initializer injection completely by specifying the
 contrast generate --reference-values aks-clh-snp --skip-initializer resources/
 ```
 </TabItem>
-<TabItem value="k3s-qemu-snp" label="Bare Metal (SNP)">
+<TabItem value="k3s-qemu-snp" label="Bare metal (SEV-SNP)">
 ```sh
 contrast generate --reference-values k3s-qemu-snp --skip-initializer resources/
 ```
 </TabItem>
-<TabItem value="k3s-qemu-tdx" label="Bare Metal (TDX)">
+<TabItem value="k3s-qemu-tdx" label="Bare metal (TDX)">
 ```sh
 contrast generate --reference-values k3s-qemu-tdx --skip-initializer resources/
 ```

docs/docs/examples/emojivoto.md

@@ -50,12 +50,12 @@ It can be shared between Contrast deployments.
 kubectl apply -f https://github.com/edgelesssys/contrast/releases/latest/download/runtime-aks-clh-snp.yml
 ```
 </TabItem>
-<TabItem value="k3s-qemu-snp" label="Bare Metal (SEV-SNP)">
+<TabItem value="k3s-qemu-snp" label="Bare metal (SEV-SNP)">
 ```sh
 kubectl apply -f https://github.com/edgelesssys/contrast/releases/latest/download/runtime-k3s-qemu-snp.yml
 ```
 </TabItem>
-<TabItem value="k3s-qemu-tdx" label="Bare Metal (TDX)">
+<TabItem value="k3s-qemu-tdx" label="Bare metal (TDX)">
 ```sh
 kubectl apply -f https://github.com/edgelesssys/contrast/releases/latest/download/runtime-k3s-qemu-tdx.yml
 ```
@@ -73,12 +73,12 @@ LoadBalancer service, into your cluster:
 kubectl apply -f https://github.com/edgelesssys/contrast/releases/latest/download/coordinator-aks-clh-snp.yml
 ```
 </TabItem>
-<TabItem value="k3s-qemu-snp" label="Bare Metal (SEV-SNP)">
+<TabItem value="k3s-qemu-snp" label="Bare metal (SEV-SNP)">
 ```sh
 kubectl apply -f https://github.com/edgelesssys/contrast/releases/latest/download/coordinator-k3s-qemu-snp.yml
 ```
 </TabItem>
-<TabItem value="k3s-qemu-tdx" label="Bare Metal (TDX)">
+<TabItem value="k3s-qemu-tdx" label="Bare metal (TDX)">
 ```sh
 kubectl apply -f https://github.com/edgelesssys/contrast/releases/latest/download/coordinator-k3s-qemu-tdx.yml
 ```
@@ -97,22 +97,22 @@ of your deployment will be created:
 contrast generate --reference-values aks-clh-snp deployment/
 ```
 </TabItem>
-<TabItem value="k3s-qemu-snp" label="Bare Metal (SEV-SNP)">
+<TabItem value="k3s-qemu-snp" label="Bare metal (SEV-SNP)">
 ```sh
 contrast generate --reference-values k3s-qemu-snp deployment/
 ```
 :::note[Missing TCB values]
-On bare metal SEV-SNP, `contrast generate` is unable to fill in the `MinimumTCB` values as they can vary between platforms.
+On bare-metal SEV-SNP, `contrast generate` is unable to fill in the `MinimumTCB` values as they can vary between platforms.
 They will have to be filled in manually.
 If you don't know the correct values use `{"BootloaderVersion":255,"TEEVersion":255,"SNPVersion":255,"MicrocodeVersion":255}` and observe the real values in the error messages in the following steps. This should only be done in a secure environment. Note that the values will differ between CPU models.
 :::
 </TabItem>
-<TabItem value="k3s-qemu-tdx" label="Bare Metal (TDX)">
+<TabItem value="k3s-qemu-tdx" label="Bare metal (TDX)">
 ```sh
 contrast generate --reference-values k3s-qemu-tdx deployment/
 ```
 :::note[Missing TCB values]
-On bare metal TDX, `contrast generate` is unable to fill in the `MinimumTeeTcbSvn` and `MrSeam` TCB values as they can vary between platforms.
+On bare-metal TDX, `contrast generate` is unable to fill in the `MinimumTeeTcbSvn` and `MrSeam` TCB values as they can vary between platforms.
 They will have to be filled in manually.
 If you don't know the correct values use `ffffffffffffffffffffffffffffffff` and `000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000` respectively and observe the real values in the error messages in the following steps. This should only be done in a secure environment.
 :::

docs/docs/features-limitations.md

@@ -5,7 +5,7 @@ This section lists planned features and current limitations of Contrast.
 ## Availability
 
 - **Platform support**: At present, Contrast is exclusively available on Azure AKS, supported by the [Confidential Container preview for AKS](https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-containers-on-aks-preview). Expansion to other cloud platforms is planned, pending the availability of necessary infrastructure enhancements.
-- **Bare metal support**: Support for running Contrast on bare metal Kubernetes will be available soon for AMD SEV and Intel TDX.
+- **Bare-metal support**: Support for running [Contrast on bare-metal Kubernetes](getting-started/bare-metal.md) is available for AMD SEV-SNP and Intel TDX.
 
 ## Kubernetes features
 
@@ -33,7 +33,3 @@ The policy limitations, in particular the missing guarantee that our service mes
 The Contrast Coordinator is a singleton and can't be scaled to more than one instance.
 When this instance's pod is restarted, for example for node maintenance, it needs to be recovered manually.
 In a future release, we plan to support distributed Coordinator instances that can recover automatically.
-
-## Attestation
-
-Attestation for TDX isn't completely implemented yet and shouldn't yet be relied upon for security. This will be fixed in a future release.

docs/docs/getting-started/bare-metal.md

@@ -1,4 +1,4 @@
-# Prepare a bare metal instance
+# Prepare a bare-metal instance
 
 ## Hardware and firmware setup
 

docs/versioned_docs/version-0.5/basics/confidential-containers.md

@@ -16,7 +16,7 @@ In CoCo's case, the runtime is Kata Containers with added confidential computing
 [Kata Containers](https://katacontainers.io/) is an OCI runtime that runs pods in VMs.
 The guest VM spawns an agent process that accepts management commands from the Kata runtime running on the host.
 There are two options for creating pod VMs: local to the Kubernetes node, or remote VMs created with cloud provider APIs.
-Using local VMs requires either bare metal servers or VMs with support for nested virtualization.
+Using local VMs requires either bare-metal servers or VMs with support for nested virtualization.
 Local VMs communicate with the host over a virtual socket.
 For remote VMs, host-to-agent communication is tunnelled through the cloud provider's network.
 

docs/versioned_docs/version-0.6/basics/confidential-containers.md

@@ -16,7 +16,7 @@ In CoCo's case, the runtime is Kata Containers with added confidential computing
 [Kata Containers](https://katacontainers.io/) is an OCI runtime that runs pods in VMs.
 The pod VM spawns an agent process that accepts management commands from the Kata runtime running on the host.
 There are two options for creating pod VMs: local to the Kubernetes node, or remote VMs created with cloud provider APIs.
-Using local VMs requires either bare metal servers or VMs with support for nested virtualization.
+Using local VMs requires either bare-metal servers or VMs with support for nested virtualization.
 Local VMs communicate with the host over a virtual socket.
 For remote VMs, host-to-agent communication is tunnelled through the cloud provider's network.
 

docs/versioned_docs/version-0.7/basics/confidential-containers.md

@@ -16,7 +16,7 @@ In CoCo's case, the runtime is Kata Containers with added confidential computing
 [Kata Containers](https://katacontainers.io/) is an OCI runtime that runs pods in VMs.
 The pod VM spawns an agent process that accepts management commands from the Kata runtime running on the host.
 There are two options for creating pod VMs: local to the Kubernetes node, or remote VMs created with cloud provider APIs.
-Using local VMs requires either bare metal servers or VMs with support for nested virtualization.
+Using local VMs requires either bare-metal servers or VMs with support for nested virtualization.
 Local VMs communicate with the host over a virtual socket.
 For remote VMs, host-to-agent communication is tunnelled through the cloud provider's network.
 

docs/versioned_docs/version-0.8/basics/confidential-containers.md

@@ -16,7 +16,7 @@ In CoCo's case, the runtime is Kata Containers with added confidential computing
 [Kata Containers](https://katacontainers.io/) is an OCI runtime that runs pods in VMs.
 The pod VM spawns an agent process that accepts management commands from the Kata runtime running on the host.
 There are two options for creating pod VMs: local to the Kubernetes node, or remote VMs created with cloud provider APIs.
-Using local VMs requires either bare metal servers or VMs with support for nested virtualization.
+Using local VMs requires either bare-metal servers or VMs with support for nested virtualization.
 Local VMs communicate with the host over a virtual socket.
 For remote VMs, host-to-agent communication is tunnelled through the cloud provider's network.
 

docs/versioned_docs/version-0.9/basics/confidential-containers.md

@@ -16,7 +16,7 @@ In CoCo's case, the runtime is Kata Containers with added confidential computing
 [Kata Containers](https://katacontainers.io/) is an OCI runtime that runs pods in VMs.
 The pod VM spawns an agent process that accepts management commands from the Kata runtime running on the host.
 There are two options for creating pod VMs: local to the Kubernetes node, or remote VMs created with cloud provider APIs.
-Using local VMs requires either bare metal servers or VMs with support for nested virtualization.
+Using local VMs requires either bare-metal servers or VMs with support for nested virtualization.
 Local VMs communicate with the host over a virtual socket.
 For remote VMs, host-to-agent communication is tunnelled through the cloud provider's network.
 

docs/versioned_docs/version-1.0/basics/confidential-containers.md

@@ -16,7 +16,7 @@ In CoCo's case, the runtime is Kata Containers with added confidential computing
 [Kata Containers](https://katacontainers.io/) is an OCI runtime that runs pods in VMs.
 The pod VM spawns an agent process that accepts management commands from the Kata runtime running on the host.
 There are two options for creating pod VMs: local to the Kubernetes node, or remote VMs created with cloud provider APIs.
-Using local VMs requires either bare metal servers or VMs with support for nested virtualization.
+Using local VMs requires either bare-metal servers or VMs with support for nested virtualization.
 Local VMs communicate with the host over a virtual socket.
 For remote VMs, host-to-agent communication is tunnelled through the cloud provider's network.
 

docs/versioned_docs/version-1.1/basics/confidential-containers.md

@@ -16,7 +16,7 @@ In CoCo's case, the runtime is Kata Containers with added confidential computing
 [Kata Containers](https://katacontainers.io/) is an OCI runtime that runs pods in VMs.
 The pod VM spawns an agent process that accepts management commands from the Kata runtime running on the host.
 There are two options for creating pod VMs: local to the Kubernetes node, or remote VMs created with cloud provider APIs.
-Using local VMs requires either bare metal servers or VMs with support for nested virtualization.
+Using local VMs requires either bare-metal servers or VMs with support for nested virtualization.
 Local VMs communicate with the host over a virtual socket.
 For remote VMs, host-to-agent communication is tunnelled through the cloud provider's network.