trustee
Attestation and Secret Delivery Components
### Background For a long time, we have used Rego policy to check against parsed claims derived from TEE evidence. Because of Rego's flexibility we did not talk about the...
At the moment we conflate user errors (policy fails to pass, requested policy does not exist) with internal errors (io errors). Signatures and code of those functions should be adapted,...
This PR enables all artifacts (container images and binaries) for `s390x` alongside `x86_64`. The self-hosted runner to build them is already registered as `s390x-runner-01` to the organisation. The change was...
I would like to use the AS configuration file to describe the parameters for my verifier. Something like: ```json { "//": "global AS config" "work_dir": "...", "//": "per-verifier stanzas" "verifiers":...
KBS API supports the following resource manipulation: ``` /resource/{repository}/{type}/{tag}: get: operationId: getResource summary: Get a secret resource from the Key Broker Service. ... post: operationId: registerSecretResource summary: Register a secret...
Fixes: #342 This is kbs side code and related to PR: https://github.com/confidential-containers/guest-components/pull/492/ Depends on: - [x] https://github.com/virtee/kbs-types/issues/26 # The IBM SE Remote Attestation flow: - The verifier generates the encrypted...
Our staged images and our release images use different naming conventions. The following mapping describes them ``` staged-images/kbs:latest -> key-broker-service:built-in-as-v0.8.2 staged-images/kbs-grpc-as:latest -> key-broker-service:v0.8.2 staged-images/rvps:latest -> reference-value-provider-service:v0.8.2 staged-images/coco-as-grpc:latest -> attestation-service:v0.8.2 staged-images/coco-as-restful:latest...
We are using hex in [tdx claims](https://github.com/confidential-containers/trustee/blob/main/attestation-service/verifier/src/tdx/claims.rs#L67), [sgx claims](https://github.com/confidential-containers/trustee/blob/main/attestation-service/verifier/src/sgx/claims.rs#L56), azure vTPM [claims](https://github.com/confidential-containers/trustee/blob/main/attestation-service/verifier/src/az_snp_vtpm/mod.rs#L76). Also base64 in [SNP](https://github.com/confidential-containers/trustee/blob/main/attestation-service/verifier/src/snp/mod.rs#L250). I suggest that we should use a common encoding, which would make the policy...
Now that the init_data spec is merged, we should think about how we will evaluate the init data with Trustee. Currently we don't really expose the init_data to either the...
KBC fails to set policy in KBS and AS unless the rego file ends with an empty line. Either make the code more tolerant or make it clear in documentation....