Remote attestation with PCRs and AMD SEV-SNP on GCP using RHCOS

iroykaufman · iroykaufman · commit 3cb3cff03971 · 2025-11-27T15:57:38.000+02:00
Signed-off-by: Roy Kaufman &lt;rkaufman@redhat.com&gt;
diff --git a/.gitignore b/.gitignore
@@ -7,3 +7,5 @@ coreos/*.qcow2
 secret
 tmp/
 trustee/keys
+*.tar
+*.tar.gz
diff --git a/README.md b/README.md
@@ -27,9 +27,9 @@ Build the Fedora CoreOS or Centos Stream CoreOS image with the custom initrd:
 ```bash
 cd coreos
 # Centos Stream CoreOS image
-just os=scos build oci-archive osbuild-qemu
+just os=scos build oci-archive osbuild
 # Fedora CoreOS image
-just build oci-archive osbuild-qemu
+just build oci-archive osbuild
 ```
 
 ### Create local Trustee deployment
diff --git a/configs/trustee-gcp.bu b/configs/trustee-gcp.bu
@@ -0,0 +1,59 @@
+variant: fcos
+version: 1.6.0
+passwd:
+  users:
+    - name: core
+      ssh_authorized_keys:
+      - <KEY>
+
+systemd:
+  units:
+    - name: serial-getty@ttyS0.service
+      dropins:
+      - name: autologin-core.conf
+        contents: |
+          [Service]
+          # Override Execstart in main unit
+          ExecStart=
+          # Add new Execstart with `-` prefix to ignore failure`
+          ExecStart=-/usr/sbin/agetty --autologin core --noclear %I $TERM
+
+storage:
+  directories:
+  - path: /var/kbs/config
+    overwrite: true
+  - path: /var/srv/www
+    overwrite: true
+  files:
+    - path: /etc/profile.d/systemd-pager.sh
+      mode: 0644
+      contents:
+        inline: |
+          # Tell systemd to not use a pager when printing information
+          export SYSTEMD_PAGER=cat
+    - path: /usr/local/bin/populate_kbs.sh
+      mode: 0755
+      contents:
+        local: populate_kbs.sh
+    - path: /etc/containers/systemd/key-generation.container
+      mode: 0644
+      contents:
+        local: containers/key-generation.container
+    - path: /var/kbs/config/kbs-config.toml
+      mode: 0644
+      contents:
+        local: kbs-config.toml
+    - path: /etc/containers/systemd/kbs.container
+      mode: 0644
+      contents:
+        local: containers/kbs.container
+    - path: /etc/containers/systemd/kbs-client.container
+      mode: 0644
+      contents:
+        local: containers/kbc.container
+    - path: /etc/containers/systemd/nginx.container
+      mode: 0644
+      contents:
+        local: containers/nginx.container
+
+
diff --git a/configs/trustee-gcp/containers/kbc.container b/configs/trustee-gcp/containers/kbc.container
@@ -0,0 +1,13 @@
+[Unit]
+Description=Trustee KBS client container
+After=key-generation.container
+
+[Container]
+ContainerName=kbs-client
+Image=quay.io/rkaufman/kbs-tpm-snp:v1
+Network=host
+Volume=user-keys:/opt/confidential-containers/kbs/user-keys
+Exec=tail -f /dev/null
+
+[Install]
+WantedBy=default.target
diff --git a/configs/trustee-gcp/containers/kbs.container b/configs/trustee-gcp/containers/kbs.container
@@ -0,0 +1,20 @@
+[Unit]
+Description=Trustee KBS container
+After=key-generation.container
+
+[Container]
+ContainerName=kbs
+Image=quay.io/rkaufman/kbs-tpm-snp:v1
+Network=host
+Entrypoint=/usr/local/bin/kbs
+PublishPort=8080:8080
+Environment=RUST_LOG=debug
+Volume=/var/kbs/config/kbs-config.toml:/opt/confidential-containers/kbs/config/kbs-config.toml:z
+Volume=kbs-storage:/opt/confidential-containers/kbs/repository
+Volume=nebula-ca:/opt/confidential-containers/kbs/nebula-ca
+Volume=user-keys:/opt/confidential-containers/kbs/user-keys
+Exec=--config-file \
+    /opt/confidential-containers/kbs/config/kbs-config.toml
+
+[Install]
+WantedBy=default.target
diff --git a/configs/trustee-gcp/containers/key-generation.container b/configs/trustee-gcp/containers/key-generation.container
@@ -0,0 +1,17 @@
+[Unit]
+Description=Trustee Key Generator
+Wants=network-online.target
+After=network-online.target
+
+[Container]
+ContainerName=keyprovider
+Image=docker.io/alpine/openssl:latest
+Entrypoint=/bin/ash
+Volume=user-keys:/opt/confidential-containers/kbs/user-keys
+Exec=-c "if [ ! -s /opt/confidential-containers/kbs/user-keys/private.key ]; then \
+        /usr/bin/openssl genpkey -algorithm ed25519 > /opt/confidential-containers/kbs/user-keys/private.key && \
+        /usr/bin/openssl pkey -in /opt/confidential-containers/kbs/user-keys/private.key -pubout \
+            -out /opt/confidential-containers/kbs/user-keys/public.pub; else exit 0; fi;"
+
+[Install]
+WantedBy=default.target
diff --git a/configs/trustee-gcp/containers/nginx.container b/configs/trustee-gcp/containers/nginx.container
@@ -0,0 +1,14 @@
+[Unit]
+Description=nginx HTTP server emulating registration server
+Wants=network-online.target
+After=network-online.target
+
+[Container]
+ContainerName=nginx
+Image=quay.io/fedora/nginx-126:latest
+PublishPort=8000:8080
+Volume=/srv/www:/opt/app-root/src:z
+Exec=nginx -g "daemon off;"
+
+[Install]
+WantedBy=default.target
diff --git a/configs/trustee-gcp/kbs-config.toml b/configs/trustee-gcp/kbs-config.toml
@@ -0,0 +1,32 @@
+[http_server]
+sockets = ["0.0.0.0:8080"]
+insecure_http = true
+
+[admin]
+insecure_api = true
+auth_public_key = "./keys/public.pub"
+
+
+[attestation_token]
+insecure_key = true
+
+[attestation_service]
+type = "coco_as_builtin"
+work_dir = "/opt/confidential-containers/attestation-service"
+policy_engine = "opa"
+
+[attestation_service.attestation_token_broker]
+type = "Ear"
+duration_min = 5
+
+[attestation_service.rvps_config]
+type = "BuiltIn"
+
+[attestation_service.rvps_config.storage]
+type = "LocalFs"
+
+
+[[plugins]]
+name = "resource"
+type = "LocalFs"
+dir_path = "/opt/confidential-containers/kbs/repository"
diff --git a/configs/trustee-gcp/populate_kbs.sh b/configs/trustee-gcp/populate_kbs.sh
@@ -0,0 +1,98 @@
+#!/bin/bash
+
+set -xe
+
+SECRET_PATH=${SECRET_PATH:=default/machine/root}
+KEY=${KEY:=/opt/confidential-containers/kbs/user-keys/private.key}
+
+
+## set reference values for TPM 
+for i in {7,14}; do
+    value=$(sudo tpm2_pcrread sha256:${i} | awk -F: '/0x/ {sub(/.*0x/, "", $2); gsub(/[^0-9A-Fa-f]/, "", $2); print tolower($2)}')
+	podman exec -ti kbs-client \
+		 kbs-client  config \
+			--auth-private-key ${KEY} \
+			set-sample-reference-value tpm_pcr${i} "${value}"
+done
+
+# Check reference values
+podman exec -ti kbs-client \
+	kbs-client  config \
+		--auth-private-key ${KEY} \
+		get-reference-values
+
+
+# Create attestation policy
+## This policy allows access only if the system’s TPM or SNP 
+## hardware measurements match trusted reference values
+cat << 'EOF' > A_policy.rego
+package policy
+import rego.v1
+
+default hardware := 97
+default executables := 3 
+default configuration := 2 
+
+##### TPM
+
+hardware := 2 if {
+	input.tpm.pcr07 in data.reference.tpm_pcr7
+    input.tpm.pcr14 in data.reference.tpm_pcr14
+}
+
+hardware := 2 if {
+	input.snp.reported_tcb_snp == 27
+}
+
+
+##### Final decision
+result := {
+	"executables": executables,
+	"hardware": hardware,
+	"configuration": configuration
+}
+EOF
+
+podman cp A_policy.rego kbs-client:/A_policy.rego
+podman exec -ti kbs-client \
+	kbs-client  config \
+		--auth-private-key ${KEY} \
+		set-attestation-policy \
+		--policy-file /A_policy.rego \
+		--type rego --id default_cpu
+
+# Upload resource
+cat > secret << EOF
+{ "key_type": "oct", "key": "2b442dd5db4478367729ef8bbf2e7480" }
+EOF
+podman cp secret kbs-client:/secret
+podman exec -ti kbs-client \
+	kbs-client  config \
+		--auth-private-key ${KEY} \
+		set-resource --resource-file /secret \
+		--path ${SECRET_PATH}
+
+
+# Create resource policy
+## This policy allows access only if both CPUs report an "affirming" status 
+## and provide TPM and SNP attestation evidence.
+cat << 'EOF' > R_policy.rego
+package policy
+import rego.v1
+
+default allow = false
+
+allow if {
+    input["submods"]["cpu0"]["ear.status"] == "affirming"
+    input["submods"]["cpu1"]["ear.status"] == "affirming"
+	input["submods"]["cpu1"]["ear.veraison.annotated-evidence"]["tpm"]
+    input["submods"]["cpu0"]["ear.veraison.annotated-evidence"]["snp"]
+}
+EOF
+
+podman cp R_policy.rego kbs-client:/R_policy.rego
+podman exec -ti kbs-client \
+	kbs-client  config \
+		--auth-private-key ${KEY} \
+		set-resource-policy \
+		--policy-file /R_policy.rego \
diff --git a/coreos/Containerfile b/coreos/Containerfile
@@ -2,6 +2,14 @@ ARG BASE
 FROM quay.io/trusted-execution-clusters/trustee-attester:2025-11-12 as kbc
 FROM quay.io/trusted-execution-clusters/clevis-pin-trustee as clevis
 FROM quay.io/trusted-execution-clusters/ignition:attestation as ignition
+
+ARG KBS_CLIENT_IMAGE=quay.io/confidential-clusters/trustee-attester:2025-10-21
+ARG CLEVIS_PIN_TRUSTEE_IMAGE=quay.io/confidential-clusters/clevis-pin-trustee
+
+FROM $KBS_CLIENT_IMAGE as kbc
+FROM $CLEVIS_PIN_TRUSTEE_IMAGE as clevis
+FROM quay.io/confidential-clusters/ignition:attestation as ignition
+
 FROM $BASE
 
 COPY ./usr /usr
diff --git a/coreos/justfile b/coreos/justfile
@@ -17,22 +17,32 @@ image := if os == "scos" { scos_img } else { fcos_img }
 os_name := if os == "scos" { scos_os } else { fcos_os }
 label := if os == "scos" { scos_label } else { fcos_label }
 archive := os + ".ociarchive"
+platform := "qemu"
+kbc_image := "quay.io/afrosi_rh/kbs-client-image:latest"
+clevis_pin_trustee_image := "quay.io/confidential-clusters/clevis-pin-trustee"
 
 build:
-    sudo podman build --no-cache --build-arg BASE={{base}} --build-arg COM_COREOS_OSNAME={{label}} -t {{image}} -f Containerfile .
+    sudo podman build --no-cache --build-arg BASE={{base}} --build-arg COM_COREOS_OSNAME={{label}} --build-arg KBS_CLIENT_IMAGE={{kbc_image}} --build-arg CLEVIS_PIN_TRUSTEE_IMAGE={{clevis_pin_trustee_image}} -t {{image}} -f Containerfile .
 
 oci-archive:
     sudo skopeo copy containers-storage:{{image}} oci-archive:{{archive}}
 
-osbuild-qemu:
+osbuild:
     #!/bin/bash
     set -xeuo pipefail
 
+    SELINUX_STATUS=$(getenforce)
+
+    if [ "$SELINUX_STATUS" = "Enforcing" ]; then
+        echo "WARNING: SELinux is in Enforcing mode. Temporarily disabling for osbuild operation..."
+    fi
+
     TMPDIR=$(mktemp -d)
     git clone --depth 1 https://github.com/coreos/custom-coreos-disk-images ${TMPDIR}
 
-    sudo -E ${TMPDIR}/custom-coreos-disk-images.sh --platform qemu \
+    sudo -E ${TMPDIR}/custom-coreos-disk-images.sh --platform {{platform}} \
         --ociarchive {{archive}} \
         --osname {{os_name}}
     rm -rf "$TMPDIR"
-    sudo chown $USER:$USER {{os}}-qemu.x86_64.qcow2
+    sudo chown $USER:$USER {{os}}-{{platform}}.x86_64.*
+
diff --git a/scripts/GCP/README.md b/scripts/GCP/README.md
@@ -0,0 +1,63 @@
+# Remote attestation with PCRs and AMD SEV-SNP on GCP using RHCOS
+
+This guide provides step-by-step instructions for setting up remote attestation using PCRs and AMD SEV-SNP on Google Cloud Platform (GCP) with Red Hat CoreOS (RHCOS). It covers the deployment of a Trustee server and the creation of a custom RHCOS client image that communicates with the Trustee service to fetch encryption keys and decrypt the root image.
+
+
+## Prerequisites
+
+1. Copy the pull secret from [Red Hat OpenShift](https://console.redhat.com/openshift/create/local) to `~/.config/containers/auth.json` under `auths:quay.io:auth:<pull_secret>`
+2. Install [gcloud](https://cloud.google.com/sdk/docs/install)
+3. Configure a subnet on GCP for the server and client by running `./scripts/network_setup.sh`
+
+
+## Deploy the Trustee Server (KBS)
+
+1. To deploy the Trustee server, run:
+```bash
+./scripts/GCP/deploy-trustee.sh -k <SSH_KEY> -b ./configs/trustee-gcp.bu -i <IMAGE_NAME>
+```
+2. After the server is up, populate the KBS with the reference value and add the remote ignition file:
+```bash
+./scripts/populate-trustee-kbs.sh <SSH_KEY> <SERVER_IP> <HOSTNAME>
+``` 
+(The default hostname is `kbs`)
+
+
+## Deploy the Client
+
+1. Build a custom RHCOS image by running:
+    ```bash
+    cd coreos
+    just clevis_pin_trustee_image=quay.io/rkaufman/clevis-pin-trustee:latest os=scos base=quay.io/okd/scos-content:4.20.0-okd-scos.6-stream-coreos \
+    kbc_image=quay.io/rkaufman/kbs-tpm-snp:v1 platform=gcp build oci-archive osbuild
+    ```
+
+2. Upload the image to GCP by running:
+    ```bash
+    ./scripts/GCP/upload_image_gcp.sh <BUCKET_NAME> <IMAGE_NAME>
+    ```
+
+3. Deploy the client by running:
+    ```bash
+    ./scripts/GCP/deploy-vm.sh -k <SSH_KEY> -b ./configs/luks.bu -n <VM_NAME> -i <IMAGE_NAME> -h <HOSTNAME>
+    ```
+    This will create the VM, perform attestation, and decrypt the disk using clevis-pin.
+
+
+## Information About KBS, KBS-Client, and Clevis-Pin
+
+These are modified versions of [trustee](https://github.com/iroykaufman/trustee/tree/addtpm) and the [guest component](https://github.com/iroykaufman/guest-components/tree/TPM-as-additional-device) to support the TPM as an additional device.
+
+The changes in the guest component are also included in [PR#1093](https://github.com/confidential-containers/guest-components/pull/1093), and the changes in Trustee are related to [PR#851](https://github.com/confidential-containers/trustee/pull/851), where the most significant change is the removal of the trusted Attestation Key (AK) list.
+
+This uses a modified version of `clevis-pin-trustee` that adds AK before performing attestation. The source code is available here: [clevis-pin-trustee](https://github.com/iroykaufman/clevis-pin-trustee/tree/create-tpm-ak)
+
+## Attestation Policy
+
+The policy only checks hardware for both SEV-SNP and TPM.
+
+## Resource Policy
+
+Verify that both devices are affirming and exist.
+
+
diff --git a/scripts/GCP/deploy-trustee.sh b/scripts/GCP/deploy-trustee.sh
diff --git a/scripts/GCP/deploy-vm.sh b/scripts/GCP/deploy-vm.sh
diff --git a/scripts/GCP/network_setup.sh b/scripts/GCP/network_setup.sh
diff --git a/scripts/GCP/upload_image_gcp.sh b/scripts/GCP/upload_image_gcp.sh
diff --git a/scripts/common.sh b/scripts/common.sh
diff --git a/scripts/populate-trustee-kbs.sh b/scripts/populate-trustee-kbs.sh
