Remote attestation with PCRs and AMD SEV-SNP on GCP using RHCOS

Signed-off-by: Roy Kaufman <[email protected]>

Author: iroykaufman

.gitignore

@@ -1,6 +1,7 @@
 cache/
 coreos.key*
-fcos-cvm.tar*
 *.ign
 *.ociarchive
 tmp/
+*.tar
+*.tar.gz

trustee-on-GCP/README.md

@@ -0,0 +1,58 @@
+# Remote attestation with PCRs and AMD SEV-SNP on GCP using RHCOS
+
+This guide provides step-by-step instructions for setting up remote attestation using PCRs and AMD SEV-SNP on Google Cloud Platform (GCP) with Red Hat CoreOS (RHCOS). It covers the deployment of a Trustee server and the creation of a custom RHCOS client image that communicates with the Trustee service to fetch encryption keys and decrypt the root image.
+
+
+## Prerequisites
+
+1. Copy the pull secret from [Red Hat OpenShift](https://console.redhat.com/openshift/create/local) to ```~/.config/containers/auth.json``` into auths:quay.io:auth:<pull_secret>
+2. Install [gcloud](https://cloud.google.com/sdk/docs/install)
+3. Configure a subnet on GCP for the server and client by running ```./scripts/network_setup.sh```.
+
+
+## Deploy the trustee server (KBS)
+
+1. Run ```./scripts/deploy-trustee.sh -k <SSH_KEY> -b ./trustee/trustee.bu```. This will start the KBS with the correct configuration (the name of this VM must match the hostname of the server, so it has to match `KBS_HOSTNAME` in `./scripts/rh-coreos/usr/libexec/aa-client`).
+2. Access the VM via SSH, then run ```sudo /usr/local/bin/populate_kbs.sh```. This will add the refrence value to Trustee.
+
+## Deploy the client
+
+1. Build a custom RHCOS image by running:
+    ```bash
+    ./scripts/build-rhcos-image.sh <IMAGE_NAME>
+    ```
+
+2. Upload the image to GCP by running:
+    ```bash
+    ./scripts/upload_image_gcp.sh <BUCKET_NAME> <IMAGE_NAME>
+    ```
+
+3. Deploy the client by running:
+    ```bash
+    ./scripts/deploy-client.sh -k <SSH_KEY> -b ./trustee/config/kbs-config.toml -n <VM_NAME> -i <IMAGE_NAME>
+    ```
+    This will create the VM, perform attestation and decrypt the disk.
+
+
+
+
+## Info about the kbs and kbs-client
+
+I use this version of [trustee](https://github.com/iroykaufman/trustee/tree/addtpm) and the [guest component](https://github.com/iroykaufman/guest-components/tree/TPM-as-additional-device).
+
+Trustee includes [pr#851](https://github.com/confidential-containers/trustee/pull/851) with the following changes:
+
+1. The guest component encrypts the public part of the AK in ASN.1 format, but trustee unmarshals it. The unmarshal part was replaced with an ASN.1 decrypt method.
+2. The TPM verifier does not check the nonce in the TPM because the `report_data` contains a digest of the `runtime_data` instead of the nonce. This is because the TPM is an additional device. This is a temporary solution.
+
+
+The changes in the guest component are included in this [PR#1093](https://github.com/confidential-containers/guest-components/pull/1093).
+
+## Attestation Policy
+
+The policy only checks hardware for both SEV-SNP and TPM.
+
+## Resource Policy
+
+Verify that both devices are affirming and exist.
+

trustee-on-GCP/rh-coreos/Containerfile

@@ -0,0 +1,18 @@
+FROM quay.io/rkaufman/kbs-tpm-snp:latest as kbc
+FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev:419.96.202505021444-0-coreos
+
+COPY usr /usr
+COPY --from=kbc /usr/local/bin/kbs-client /usr/bin/trustee-attester
+
+RUN set -xeuo pipefail && \
+    KERNEL_VERSION="$(basename $(ls -d /lib/modules/*))" && \
+    raw_args="$(lsinitrd /lib/modules/${KERNEL_VERSION}/initramfs.img | grep '^Arguments: ' | sed 's/^Arguments: //')" && \
+    stock_arguments=$(echo "$raw_args" | sed "s/'//g") && \
+    echo "Using kernel: $KERNEL_VERSION" && \
+    echo "Dracut arguments: $stock_arguments" && \
+    mkdir -p /tmp/dracut /var/roothome && \
+    dracut $stock_arguments && \
+    mv -v /boot/initramfs*.img "/lib/modules/${KERNEL_VERSION}/initramfs.img" && \
+    ostree container commit
+
+LABEL com.coreos.osname="rh-coreos"

trustee-on-GCP/rh-coreos/luks.bu

@@ -0,0 +1,44 @@
+variant: fcos
+version: 1.6.0
+
+passwd:
+  users:
+    - name: core
+      ssh_authorized_keys:
+      - <KEY>
+
+storage:
+  luks:
+    - name: root
+      label: luks-root
+      device: /dev/disk/by-partlabel/root
+      clevis:
+        custom:
+          needs_network: false
+          pin: tpm2
+          config: '{"pcr_bank":"sha256","pcr_ids":"7"}'
+      wipe_volume: true
+  filesystems:
+    - device: /dev/mapper/root
+      format: xfs
+      wipe_filesystem: true
+      label: root
+  files:
+    - path: /etc/profile.d/systemd-pager.sh
+      mode: 0644
+      contents:
+        inline: |
+          # Tell systemd to not use a pager when printing information
+          export SYSTEMD_PAGER=cat
+
+systemd:
+  units:
+    - name: [email protected]
+      dropins:
+      - name: autologin-core.conf
+        contents: |
+          [Service]
+          # Override Execstart in main unit
+          ExecStart=
+          # Add new Execstart with `-` prefix to ignore failure`
+          ExecStart=-/usr/sbin/agetty --autologin core --noclear %I $TERM

trustee-on-GCP/rh-coreos/usr/lib/dracut/dracut.conf.d/50noxattr.conf

@@ -0,0 +1 @@
+export DRACUT_NO_XATTR=1

trustee-on-GCP/rh-coreos/usr/lib/dracut/dracut.conf.d/50trustee.conf

@@ -0,0 +1 @@
+force_drivers+=" sev-guest "

trustee-on-GCP/rh-coreos/usr/lib/dracut/modules.d/65aaclient/module-setup.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+check() {
+    # Always include the module for now
+    return 0
+}
+
+depends() {
+    echo crypt systemd network
+    return 0
+}
+
+install () {
+    inst $systemdsystemunitdir/aa-client.service
+    inst /usr/libexec/aa-client
+    inst /usr/bin/trustee-attester
+
+    inst curl
+    inst cryptsetup
+    inst tr
+    inst lsblk
+    inst mktemp
+    inst base64
+    inst /usr/lib/systemd/systemd-reply-password
+    inst tpm2_evictcontrol
+    inst tpm2_createprimary
+
+    systemctl -q --root "$initdir" add-wants initrd.target aa-client.service
+
+    # need to figure out why systemd-unit-file get x mode
+    chmod -x $systemdsystemunitdir/aa-client.service
+
+    # need network -- figure out how to do it without chaning the command line
+    echo "rd.neednet=1" >  "${initdir}/etc/cmdline.d/65aa-client.conf"
+}

trustee-on-GCP/rh-coreos/usr/lib/systemd/system/aa-client.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=Confidential Containers Attestation Agent Client
+Before=cryptsetup.target
+Before=initrd-switch-root.target
+Before=ignition-complete.target
+Before[email protected]
+After=network-online.target
+After=dev-disk-by\x2dlabel-boot.device
+After=ignition-files.service
+Wants=network-online.target
+Requires=dev-disk-by\x2dlabel-boot.device
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/aa-client
+# Should not be needed
+# SyslogLevel=debug
+# MountFlags=slave

trustee-on-GCP/rh-coreos/usr/libexec/aa-client

@@ -0,0 +1,173 @@
+#!/bin/bash
+. /lib/dracut-lib.sh
+set -x
+
+# Configuration
+KBS_HOSTNAME="kbs"
+KBS_PORT="8080"
+KBS_URL="http://${KBS_HOSTNAME}:${KBS_PORT}"
+ROOT_DEVICE=/dev/$(dmsetup info --noheadings -c -o blkdevs_used "$(blkid -L root)")
+CRYPT_ROOT_NAME="luks-root"
+BOOT_DEVICE="/dev/disk/by-label/boot"
+BOOT_MOUNT="/mnt/boot_partition"
+MARKER_FILE="${BOOT_MOUNT}/.trustee_done"
+ROOT_UUID_FILE="${BOOT_MOUNT}/.root_uuid"
+CRYPTTAB_FILE="/sysroot/etc/crypttab"
+MAX_RETRY_ATTEMPTS=3
+RETRY_DELAY=5
+
+# temp configuration
+TEMP_DIR=$(mktemp -d /tmp/secure_attestation_XXXXXX)
+PASSPHRASE_FILE="${TEMP_DIR}/passphrase"
+OLD_PASS_FILE="${TEMP_DIR}/old_passphrase"
+
+# Make sure the safety of temp files
+umask 077
+# Clean function - make sure it is always executed
+cleanup() {
+    # Securely clean the sensitive data from memory
+    if [ -n "${passphrase}" ]; then
+        passphrase="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+    fi
+
+    # umount the mountpoint
+    umount "${BOOT_MOUNT}" 2>/dev/null || true
+
+    # Delete the temp files or directories
+    rm -rf "${TEMP_DIR}"
+
+    info "*** ATTESTATION SERVICE COMPLETED ***"
+}
+trap cleanup EXIT
+
+fetch_passphrase() {
+    local attempts=$MAX_RETRY_ATTEMPTS
+    local count=0
+    local result=""
+    local status=0
+
+    while [ $count -lt $attempts ] && [ -z "$result" ]; do
+        info "Attempt $((count+1)): Fetching passphrase from ${KBS_URL}"
+
+        if ! result=$(/usr/bin/trustee-attester --url "${KBS_URL}" get-resource --path default/machine/root 2>/dev/null); then
+        status=$?
+        info "Attestation failed with status $status"
+            sleep $RETRY_DELAY
+        elif [ -n "$result" ]; then
+            info "Successfully retrieved passphrase"
+            break
+        else
+            info "Empty response received"
+            sleep $RETRY_DELAY
+        fi
+
+        count=$((count+1))
+    done
+
+    if [ -z "$result" ]; then
+        info "Failed to retrieve passphrase after $attempts attempts"
+        return 1
+    fi
+
+    echo "$result"
+    return 0
+}
+
+replace_luks_key() {
+    local device=$1
+    local new_key=$2
+
+    info "Getting current LUKS key"
+    . clevis-luks-common-functions
+    local pt=$(clevis_luks_unlock_device "${device}")
+    echo -n "${pt}" > "${OLD_PASS_FILE}"
+    chmod 600 "${OLD_PASS_FILE}"
+    pt="xxxxxxxxxx"  # Erase the passphrase from memory
+
+    if ! /usr/sbin/cryptsetup --verbose open --test-passphrase "${device}" --key-file="${OLD_PASS_FILE}"; then
+        info "Failed to verify old key"
+        return 1
+    fi
+
+    info "Replacing LUKS key"
+    /usr/sbin/cryptsetup luksAddKey "${device}" --key-file="${OLD_PASS_FILE}" "${new_key}" || return 1
+    /usr/sbin/cryptsetup luksKillSlot "${device}" 1 --key-file="${new_key}" || return 1
+
+    info "Do verification of new LUKS key"
+    if ! /usr/sbin/cryptsetup --verbose open --test-passphrase "${device}" --key-file="${new_key}"; then
+        info "Failed to verify new key"
+        return 1
+    fi
+
+    info "Removing LUKS token"
+    /usr/sbin/cryptsetup token remove "${device}" --token-id 0
+
+    info "Create marker file"
+    touch "${MARKER_FILE}"
+    info "LUKS key replacement completed successfully"
+}
+
+# Main execution
+info "*** ATTESTATION SERVICE FOR DISK ENCRYPTION ***"
+
+# Create AK for TPM
+info "Creating Attestation Key (AK) in TPM"
+tpm2_createprimary -C e -G rsa2048:rsassa:null -g sha256 \
+    -a "fixedtpm|fixedparent|sensitivedataorigin|userwithauth|sign"\
+    -c ak.ctx
+
+tpm2_evictcontrol -C o -c ak.ctx 0x81010002
+
+
+
+# Check if root is already decrypted
+if [ -e "/dev/mapper/${CRYPT_ROOT_NAME}" ]; then
+    info "Root device already decrypted"
+    exit 0
+fi
+
+# Fetch passphrase
+passphrase_base64=$(fetch_passphrase)
+[ -z "$passphrase_base64" ] && { info "No passphrase received"; exit 1; }
+
+passphrase=$(echo "$passphrase_base64" | base64 -d | tr -cd '[:print:]')
+echo -n "$passphrase" > "${PASSPHRASE_FILE}"
+chmod 600 "${PASSPHRASE_FILE}"
+
+# Mount boot partition
+mkdir -p "${BOOT_MOUNT}"
+if ! mount -o rw "${BOOT_DEVICE}" "${BOOT_MOUNT}" 2>/dev/null; then
+    info "Warning: Could not mount boot partition - assuming first boot"
+    BOOT_MOUNTED=false
+else
+    BOOT_MOUNTED=true
+fi
+
+if $BOOT_MOUNTED && [ -f "${MARKER_FILE}" ]; then
+    info "Normal boot: Decrypting root filesystem"
+    info "ATTESTATION SERVICE: Decrypting root filesystem with fetched key"
+    ROOT_UUID=$(cat "${ROOT_UUID_FILE}")
+    ROOT_DEVICE="/dev/disk/by-uuid/${ROOT_UUID}"
+    info "Normal boot: Root device resolved as ${ROOT_DEVICE}"
+    if /usr/sbin/cryptsetup --verbose open ${ROOT_DEVICE} ${CRYPT_ROOT_NAME} --key-file=${PASSPHRASE_FILE}; then
+        info "ATTESTATION SERVICE: Successfully decrypted root filesystem"
+    else
+        info "ATTESTATION SERVICE: Failed to decrypt root filesystem"
+        exit 1
+    fi
+else
+    info "First boot: Replacing LUKS key"
+    info "First boot: Root device resolved as ${ROOT_DEVICE}"
+    replace_luks_key "${ROOT_DEVICE}" "${PASSPHRASE_FILE}" || exit 1
+    ROOT_UUID=$(blkid -s UUID -o value "${ROOT_DEVICE}")
+    echo "$ROOT_UUID" > "${ROOT_UUID_FILE}"
+
+    # Prevent the system from calling [email protected]
+    # to decrypt LUKS devices during other-boots.
+    if [ -f "${CRYPTTAB_FILE}" ]; then
+        info "Clearing crypttab file"
+        echo > "${CRYPTTAB_FILE}" || info "Warning: Could not clear crypttab file"
+    else
+        info "Warning: Crypttab file not found at ${CRYPTTAB_FILE}"
+    fi
+fi

trustee-on-GCP/scripts/build-rhcos-image.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+
+
+IMG_NAME=$1
+ociarchive=${IMG_NAME}.tar
+
+set -xe
+
+sudo setenforce 0
+
+TMPDIR=$(mktemp -d)
+git clone --depth 1 https://github.com/coreos/custom-coreos-disk-images ${TMPDIR}
+
+# Build the container image
+sudo podman build -t ${IMG_NAME} -f rh-coreos/Containerfile  rh-coreos
+
+sudo skopeo copy containers-storage:localhost/${IMG_NAME}:latest oci-archive:${ociarchive}
+sudo -E ${TMPDIR}/custom-coreos-disk-images.sh --platform gcp \
+	--ociarchive ${ociarchive} \
+	--osname rhcos
+rm -rf "$TMPDIR"