Remote attestation with PCRs and AMD SEV-SNP on GCP using RHCOS #39
iroykaufman wants to merge 2 commits into
@iroykaufman can you please use the clevis pin instead of the old script running the attestation agent? It should also be easier for you. We should align with the latest way to perform attestation.
| label := if os == "scos" { scos_label } else { fcos_label } | ||
| archive := os + ".ociarchive" | ||
| platform := "qemu" | ||
| kbc_image := "quay.io/afrosi_rh/kbs-client-image:latest" |
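Review bot: `kbc_image := "quay.io/afrosi_rh/kbs-client-image:latest"` pulls the attestation client from a personal namespace by a mutable `:latest` tag, so the image that performs attestation can change underneath this recipe without any change in the repository. Pin it by digest (`quay.io/<org>/<image>@sha256:<digest>`, placeholder values) and, as the thread above suggests, take it from the project's own namespace so the version under test is recorded in git.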
Can we use our own built trustee agent? https://quay.io/repository/confidential-clusters/trustee-attester
Does this version support TPM as an additional device?
Yes, it is built from the latest guest component, but you need to register the trusted AK in trustee.
I checked again in the upstream and it looks like the TPM can only be the primary device. This is where I looked: https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/attester/src/lib.rs
I created this PR #1093 to add this option.
Sorry, I might have misunderstood the previous comment. Isn't the TPM the attester used on GCP?
Not only; SEV-SNP is also used for attestation. I added the option for a VM with a TPM and another TEE to set the TPM as an additional device for attestation.
Ah, I see. We didn't detect this because the local dev environment isn't a real CVM. Would you mind forking the guest component in our org and adding your patch there? In this way we know which version is working and can build the images out of it. Once the PR is merged, we can delete the repository.
We should try to have common images where we do our testing; otherwise it becomes very messy.
/cc @Jakob-Naucke
I don't have permissions to add a fork.
I added you; you should have an invitation.
| @@ -0,0 +1,21 @@ | |||
| variant: fcos | |||
Why do we have this file twice? We already have it present in https://github.com/trusted-execution-clusters/investigations/blob/main/configs/remote-ign/pin-trustee.bu
| @@ -0,0 +1,41 @@ | |||
| variant: fcos | |||
This is a duplication of https://github.com/trusted-execution-clusters/investigations/blob/main/configs/ak.bu
| FROM quay.io/rkaufman/trustee-attester:TPM-additional-dev as kbc | ||
| FROM quay.io/trusted-execution-clusters/clevis-pin-trustee as clevis |
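Review bot: both `FROM` lines reference mutable tags (`TPM-additional-dev`, and an implicit `:latest` on `clevis-pin-trustee`), the first from a personal namespace; for a trust-sensitive component like the attester, pin each base image by digest (`FROM quay.io/<org>/<image>@sha256:<digest> AS kbc`, placeholder values) so rebuilds are reproducible and the build that was tested is the one shipped. Minor style point: `as` is conventionally written `AS` to match the casing of the other Dockerfile instructions.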
Why replace the variables?
This is also outdated; I replaced all of them to be taken from quay.io/trusted-execution-clusters so it matches the upstream.
| @@ -0,0 +1,32 @@ | |||
| #!/bin/bash | |||
What is this script used for if you also have the script populate_kbs_gcp?
| # Create attestation policy | ||
| ## This policy allows access only if the system’s TPM or SNP | ||
| ## hardware measurements match trusted reference values | ||
| cat << 'EOF' > A_policy.rego |
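Review bot: the header comment at the top of this heredoc says access is allowed if the TPM *or* SNP measurements match the reference values; on the GCP CVM this PR targets, where SEV-SNP is the primary attester and the TPM an additional device (per the discussion above), an OR policy means a guest passes with only one of the two evidence sets matching. If that is intentional, state it in the comment; otherwise require both to match whenever both are present in the evidence.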
It is a bit confusing because you also have configs/containers/policy.rego. Which one are you using for the demo?
I'm using A_policy.rego. configs/containers/policy.rego was there from the previous setup for the bare-metal VM.
@iroykaufman can you please clean up the commit structure? There are several commits that change what the previous commit does, which makes it a bit hard to review, and the git commit history isn't that clean. Also, you have 2 scripts for populating the KBS; which one is the correct one?
@iroykaufman we are getting close, just a few last questions and comments.
uril
left a comment
Looks good; I added some comments.
Signed-off-by: Roy Kaufman <rkaufman@redhat.com>
using AK registration Signed-off-by: Roy Kaufman <rkaufman@redhat.com>
See README.md for details.