Remote attestation with PCRs and AMD SEV-SNP on GCP using RHCOS

.gitignore

@@ -7,3 +7,5 @@ coreos/*.qcow2
 secret
 tmp/
 trustee/keys
+*.tar
+*.tar.gz

README.md

@@ -27,9 +27,9 @@ Build the Fedora CoreOS or Centos Stream CoreOS image with the custom initrd:
 ```bash
 cd coreos
 # Centos Stream CoreOS image
-just os=scos build oci-archive osbuild-qemu
+just os=scos build oci-archive init build-qemu
 # Fedora CoreOS image
-just build oci-archive osbuild-qemu
+just build oci-archive init build-qemu
 ```
 
 ### Create local Trustee deployment

configs/trustee.bu

@@ -0,0 +1,67 @@
+variant: fcos
+version: 1.6.0
+passwd:
+  users:
+    - name: core
+      ssh_authorized_keys:
+      - <KEY>
+
+systemd:
+  units:
+    - name: serial-getty@ttyS0.service
+      dropins:
+      - name: autologin-core.conf
+        contents: |
+          [Service]
+          # Override Execstart in main unit
+          ExecStart=
+          # Add new Execstart with `-` prefix to ignore failure`
+          ExecStart=-/usr/sbin/agetty --autologin core --noclear %I $TERM
+
+storage:
+  directories:
+  - path: /var/kbs/config
+    overwrite: true
+  - path: /var/srv/www
+    overwrite: true
+  files:
+    - path: /etc/profile.d/systemd-pager.sh
+      mode: 0644
+      contents:
+        inline: |
+          # Tell systemd to not use a pager when printing information
+          export SYSTEMD_PAGER=cat
+    - path: /usr/local/bin/populate_kbs.sh
+      mode: 0755
+      contents:
+        local: populate_kbs.sh
+    - path: /usr/local/bin/kbs-client
+      mode: 0755
+      contents:
+        local: kbs-client
+    - path: /etc/containers/systemd/key-generation.container
+      mode: 0644
+      contents:
+        local: containers/key-generation.container
+    - path: /var/kbs/config/kbs-config.toml
+      mode: 0644
+      contents:
+        local: kbs-config.toml
+    - path: /etc/containers/systemd/kbs.container
+      mode: 0644
+      contents:
+        local: containers/kbs.container
+    - path: /etc/containers/systemd/kbs-client.container
+      mode: 0644
+      contents:
+        local: containers/kbc.container
+    - path: /etc/containers/systemd/nginx.container
+      mode: 0644
+      contents:
+        local: containers/nginx.container
+    - path: /etc/containers/systemd/register-ak.container
+      mode: 0644
+      contents:
+        local: containers/register-ak.container
+
+

configs/trustee/containers/kbc.container

@@ -0,0 +1,13 @@
+[Unit]
+Description=Trustee KBS client container
+After=key-generation.container
+
+[Container]
+ContainerName=kbs-client
+Image=quay.io/trusted-execution-clusters/trustee-attester:TPM-additional-dev
+Network=host
+Volume=user-keys:/opt/confidential-containers/kbs/user-keys
+Exec=tail -f /dev/null
+
+[Install]
+WantedBy=default.target

configs/trustee/containers/kbs.container

@@ -0,0 +1,21 @@
+[Unit]
+Description=Trustee KBS container
+After=key-generation.container
+
+[Container]
+ContainerName=kbs
+Image=quay.io/trusted-execution-clusters/key-broker-service:fix-TPM-report-data-size
+Network=host
+Entrypoint=/usr/local/bin/kbs
+PublishPort=8080:8080
+Environment=RUST_LOG=debug
+Volume=/var/kbs/config/kbs-config.toml:/opt/confidential-containers/kbs/config/kbs-config.toml:z
+Volume=kbs-storage:/opt/confidential-containers/kbs/repository
+Volume=nebula-ca:/opt/confidential-containers/kbs/nebula-ca
+Volume=user-keys:/opt/confidential-containers/kbs/user-keys
+Volume=trusted-ak-keys:/etc/tpm/trusted_ak_keys
+Exec=--config-file \
+    /opt/confidential-containers/kbs/config/kbs-config.toml
+
+[Install]
+WantedBy=default.target

configs/trustee/containers/key-generation.container

@@ -0,0 +1,17 @@
+[Unit]
+Description=Trustee Key Generator
+Wants=network-online.target
+After=network-online.target
+
+[Container]
+ContainerName=keyprovider
+Image=docker.io/alpine/openssl:latest
+Entrypoint=/bin/ash
+Volume=user-keys:/opt/confidential-containers/kbs/user-keys
+Exec=-c "if [ ! -s /opt/confidential-containers/kbs/user-keys/private.key ]; then \
+        /usr/bin/openssl genpkey -algorithm ed25519 > /opt/confidential-containers/kbs/user-keys/private.key && \
+        /usr/bin/openssl pkey -in /opt/confidential-containers/kbs/user-keys/private.key -pubout \
+            -out /opt/confidential-containers/kbs/user-keys/public.pub; else exit 0; fi;"
+
+[Install]
+WantedBy=default.target

configs/trustee/containers/nginx.container

@@ -0,0 +1,14 @@
+[Unit]
+Description=nginx HTTP server emulating registration server
+Wants=network-online.target
+After=network-online.target
+
+[Container]
+ContainerName=nginx
+Image=quay.io/fedora/nginx-126:latest
+PublishPort=8000:8080
+Volume=/srv/www:/opt/app-root/src:z
+Exec=nginx -g "daemon off;"
+
+[Install]
+WantedBy=default.target

configs/trustee/containers/register-ak.container

@@ -0,0 +1,13 @@
+[Unit]
+Description=server that allow to register AK
+Wants=network-online.target
+After=network-online.target
+
+[Container]
+ContainerName=register-ak
+Image=quay.io/trusted-execution-clusters/test-server-ak:latest
+PublishPort=5001:5001
+Volume=trusted-ak-keys:/data
+
+[Install]
+WantedBy=default.target

configs/trustee/kbs-client

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -euo pipefail
+# set -x
+
+KEY="${KEY:=/opt/confidential-containers/kbs/user-keys/private.key}"
+
+sudo podman exec -ti \
+  kbs-client \
+    kbs-client \
+      config \
+      --auth-private-key "${KEY}" \
+      "${@}"

configs/trustee/kbs-config.toml

@@ -0,0 +1,35 @@
+[http_server]
+sockets = ["0.0.0.0:8080"]
+insecure_http = true
+
+[admin]
+insecure_api = true
+auth_public_key = "./keys/public.pub"
+
+
+[attestation_token]
+insecure_key = true
+
+[attestation_service]
+type = "coco_as_builtin"
+work_dir = "/opt/confidential-containers/attestation-service"
+policy_engine = "opa"
+
+[attestation_service.attestation_token_broker]
+type = "Ear"
+duration_min = 5
+
+[attestation_service.rvps_config]
+type = "BuiltIn"
+
+[attestation_service.rvps_config.storage]
+type = "LocalFs"
+
+[attestation_service.verifier_config.tpm_verifier]
+trusted_ak_keys_dir = "/etc/tpm/trusted_ak_keys"
+max_trusted_ak_keys = 100
+
+[[plugins]]
+name = "resource"
+type = "LocalFs"
+dir_path = "/opt/confidential-containers/kbs/repository"

configs/trustee/populate_kbs.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+set -xe
+
+SECRET_PATH=${SECRET_PATH:=default/machine/root}
+KEY=${KEY:=/opt/confidential-containers/kbs/user-keys/private.key}
+
+
+## set reference values for TPM 
+for i in {7,4,14}; do
+    value=$(sudo tpm2_pcrread sha256:${i} | awk -F: '/0x/ {sub(/.*0x/, "", $2); gsub(/[^0-9A-Fa-f]/, "", $2); print tolower($2)}')
+	kbs-client set-sample-reference-value tpm_pcr${i} "${value}"
+done
+
+# Check reference values
+kbs-client get-reference-values
+
+
+# Create attestation policy
+## This policy allows access only if the system’s TPM or SNP 
+## hardware measurements match trusted reference values
+cat << 'EOF' > A_policy.rego
+package policy
+import rego.v1
+
+default hardware := 97
+default executables := 3 
+default configuration := 2 
+
+##### TPM
+
+hardware := 2 if {
+	input.tpm.pcr07 in data.reference.tpm_pcr7
+    input.tpm.pcr14 in data.reference.tpm_pcr14
+    input.tpm.pcr04 in data.reference.tpm_pcr4
+}
+
+hardware := 2 if {
+	input.snp.reported_tcb_snp == 27
+}
+
+
+##### Final decision
+result := {
+	"executables": executables,
+	"hardware": hardware,
+	"configuration": configuration
+}
+EOF
+
+sudo podman cp A_policy.rego kbs-client:/A_policy.rego
+kbs-client set-attestation-policy --policy-file /A_policy.rego --type rego --id default_cpu
+
+# Upload resource
+cat > secret << EOF
+{ "key_type": "oct", "key": "2b442dd5db4478367729ef8bbf2e7480" }
+EOF
+sudo podman cp secret kbs-client:/secret
+kbs-client set-resource --resource-file /secret --path ${SECRET_PATH}
+
+# Create resource policy
+## This policy allows access only if both CPUs report an "affirming" status 
+## and provide TPM and SNP attestation evidence.
+cat << 'EOF' > R_policy.rego
+package policy
+import rego.v1
+
+default allow = false
+
+allow if {
+    input["submods"]["cpu0"]["ear.status"] == "affirming"
+    input["submods"]["cpu1"]["ear.status"] == "affirming"
+	input["submods"]["cpu1"]["ear.veraison.annotated-evidence"]["tpm"]
+    input["submods"]["cpu0"]["ear.veraison.annotated-evidence"]["snp"]
+}
+EOF
+
+sudo podman cp R_policy.rego kbs-client:/R_policy.rego
+kbs-client set-resource-policy --policy-file /R_policy.rego

containerfiles/trustee-attester.container

@@ -13,7 +13,7 @@ RUN . /etc/os-release && \
 RUN dnf install -y git tss2-devel tpm2-tss-devel cargo openssl-devel perl
 
 RUN cd /usr/src/ && \
-    git clone https://github.com/confidential-containers/guest-components.git && \
+    git clone https://github.com/trusted-execution-clusters/guest-components.git && \
     cd guest-components && git checkout ${COMMIT}
 
 RUN cd /usr/src/guest-components && \

coreos/Containerfile

@@ -1,7 +1,14 @@
 ARG BASE
-FROM quay.io/trusted-execution-clusters/trustee-attester:fedora-b13fd8a as kbc
-FROM quay.io/trusted-execution-clusters/clevis-pin-trustee as clevis
-FROM ghcr.io/trusted-execution-clusters/ignition:20260112-85608d6 as ignition
+ARG TRUSTEE_ATTESTER=quay.io/trusted-execution-clusters/trustee-attester:fedora-b13fd8a
+ARG CLEVIS_PIN_TRUSTEE_IMAGE=quay.io/trusted-execution-clusters/clevis-pin-trustee
+ARG IGNITION=ghcr.io/trusted-execution-clusters/ignition:20260112-85608d6
+
+FROM $TRUSTEE_ATTESTER as kbc
+
+FROM $CLEVIS_PIN_TRUSTEE_IMAGE as clevis
+
+FROM $IGNITION as ignition
+
 FROM $BASE
 
 COPY ./usr /usr

coreos/justfile

@@ -21,6 +21,8 @@ image := if os == "scos" { scos_img } else { fcos_img }
 os_name := if os == "scos" { scos_os } else { fcos_os }
 label := if os == "scos" { scos_label } else { fcos_label }
 archive := os + ".ociarchive"
+platform := "qemu"
+
 
 config := if os == "scos" { scos_config } else { fcos_config }
 full_name := if os == "scos" { "centos-stream-coreos" } else { "fedora-coreos" }
@@ -80,3 +82,8 @@ azure:
     {{cosa_function}}
     cd cache
     cosa osbuild azure
+gcp:
+    #!/usr/bin/env bash
+    {{cosa_function}}
+    cd cache
+    cosa osbuild gcp