Include a section describing how to build KBS docker images [skip ci] (#3785)

### Description

The build process for KBS requires a few steps and it's error prone.
This PR adds a section of that deployment guide, which describes how to
build KBS docker images directly.

### Types of changes
<!--- Put an `x` in all the boxes that apply, and remove the not
applicable items -->
- [x] Non-breaking change (fix or new feature that would not break
existing functionality).
- [ ] Breaking change (fix or new feature that would cause existing
functionality to change).
- [ ] New tests added to cover the changes.
- [ ] Quick tests passed locally by running `./runtest.sh`.
- [ ] In-line docstrings updated.
- [x] Documentation updated.

Co-authored-by: Chester Chen <[email protected]>

Author: IsaacYangSLA

docs/resources/cc_arch_diagram.png

@@ -236,6 +236,17 @@ These measurements are rooted in hardware and cannot be forged by the host. Any
 
    You do not need to sign or measure the entire CVM disk image. Focusing on these critical boot-time components is sufficient to establish a robust and verifiable chain of trust.
 
+
+Interactions of NVFlare and Trustee KBS
+=======================================
+
+The following block diagram shows the interaction among NVFlare CVM, Attestation Agent (AA), Key Broker Service (KBS), Trustee, and Attestation Service (AS).
+
+.. image:: ../../resources/cc_arch_diagram.png
+    :height: 500px
+    :align: center
+
+
 Process of Build and Boot up CVM Image
 ======================================
 

docs/user_guide/confidential_computing/cc_architecture.rst

@@ -322,7 +322,8 @@ c. Enable KV engine:
 Phase 3: Deploy Trustee KBS (Key Broker Service)
 ================================================
 
-After Vault is ready, we deploy KBS as the core proxy connecting clients and Vault.
+After Vault is ready, we deploy KBS as the core proxy connecting clients and Vault.  Optionally, you can
+build a docker image and run it directly.  To build docker images, please follow the Appendix.
 
 Clone and checkout specific version of code
 -------------------------------------------
@@ -771,3 +772,55 @@ How to confirm successful operation:
 - Use echo "base64content" | base64 -d to decode and verify content correctness
 - In test environments, these warning messages are completely normal and expected
 
+Appendix
+========
+
+Build KBS docker images
+-----------------------
+
+
+You can build docker images for kbs based on the Dockerfile in the kbs/docker folder.
+However, that file in the current trustee repo at commit id a2570329cc33daf9ca16370a1948b5379bb17fbe
+either fails to build or produces docker images with missing dependencies.
+You can patch that file with the following diff.
+
+.. code-block:: diff
+
+   $ git diff
+   diff --git a/kbs/docker/Dockerfile b/kbs/docker/Dockerfile
+   index e529716..45b9271 100644
+   --- a/kbs/docker/Dockerfile
+   +++ b/kbs/docker/Dockerfile
+   @@ -39,17 +39,17 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-s
+   WORKDIR /usr/src/trustee
+   COPY . .
+   
+   -RUN cd kbs && make AS_FEATURE=coco-as-builtin ALIYUN=${ALIYUN} ARCH=${ARCH} && \
+   +RUN cd kbs && make VAULT=true AS_FEATURE=coco-as-builtin ALIYUN=${ALIYUN} ARCH=${ARCH} background-check-kbs && \
+      make ARCH=${ARCH} install-kbs
+   
+   -FROM ubuntu:22.04
+   +FROM ubuntu:24.04
+   ARG ARCH=x86_64
+   
+   WORKDIR /tmp
+   
+   RUN apt-get update && \
+      apt-get install -y \
+   -    curl \
+   +    curl gpg \
+      gnupg-agent && \
+      if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | \
+      gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \
+
+To build the kbs docker image, run the following inside trustee folder
+
+.. code-block:: bash
+
+   docker build -f kbs/docker/Dockerfile .
+
+You can run KBS inside a Docker container with ports exposed using the -p option. For example:
+
+.. code-block:: bash
+
+   docker run -p 8080:8080 <image_name>