Update to the latest way of preforming attestation

using AK registration

Signed-off-by: Roy Kaufman <[email protected]>

Author: iroykaufman

configs/trustee-gcp.bu configs/trustee.buconfigs/trustee-gcp.bu renamed to configs/trustee.bu

@@ -35,6 +35,10 @@ storage:
       mode: 0755
       contents:
         local: populate_kbs.sh
+    - path: /usr/local/bin/kbs-client
+      mode: 0755
+      contents:
+        local: kbs-client
     - path: /etc/containers/systemd/key-generation.container
       mode: 0644
       contents:
@@ -55,5 +59,9 @@ storage:
       mode: 0644
       contents:
         local: containers/nginx.container
+    - path: /etc/containers/systemd/register-ak.container
+      mode: 0644
+      contents:
+        local: containers/register-ak.container
 
 

…igs/trustee-gcp/containers/kbc.container configs/trustee/containers/kbc.containerconfigs/trustee-gcp/containers/kbc.container renamed to configs/trustee/containers/kbc.container configs/trustee-gcp/containers/kbc.container renamed to configs/trustee/containers/kbc.container

@@ -4,7 +4,7 @@ After=key-generation.container
 
 [Container]
 ContainerName=kbs-client
-Image=quay.io/rkaufman/kbs-tpm-snp:v1
+Image=quay.io/trusted-execution-clusters/trustee-attester:TPM-additional-dev
 Network=host
 Volume=user-keys:/opt/confidential-containers/kbs/user-keys
 Exec=tail -f /dev/null

…igs/trustee-gcp/containers/kbs.container configs/trustee/containers/kbs.containerconfigs/trustee-gcp/containers/kbs.container renamed to configs/trustee/containers/kbs.container configs/trustee-gcp/containers/kbs.container renamed to configs/trustee/containers/kbs.container

@@ -4,7 +4,7 @@ After=key-generation.container
 
 [Container]
 ContainerName=kbs
-Image=quay.io/rkaufman/kbs-tpm-snp:v1
+Image=quay.io/trusted-execution-clusters/key-broker-service:fix-TPM-report-data-size
 Network=host
 Entrypoint=/usr/local/bin/kbs
 PublishPort=8080:8080
@@ -13,6 +13,7 @@ Volume=/var/kbs/config/kbs-config.toml:/opt/confidential-containers/kbs/config/k
 Volume=kbs-storage:/opt/confidential-containers/kbs/repository
 Volume=nebula-ca:/opt/confidential-containers/kbs/nebula-ca
 Volume=user-keys:/opt/confidential-containers/kbs/user-keys
+Volume=trusted-ak-keys:/etc/tpm/trusted_ak_keys
 Exec=--config-file \
     /opt/confidential-containers/kbs/config/kbs-config.toml
 

…-gcp/containers/key-generation.container …stee/containers/key-generation.containerconfigs/trustee-gcp/containers/key-generation.container renamed to configs/trustee/containers/key-generation.container configs/trustee-gcp/containers/key-generation.container renamed to configs/trustee/containers/key-generation.container

@@ -0,0 +1,13 @@
+[Unit]
+Description=server that allow to register AK
+Wants=network-online.target
+After=network-online.target
+
+[Container]
+ContainerName=register-ak
+Image=quay.io/trusted-execution-clusters/test-server-ak:latest
+PublishPort=5001:5001
+Volume=trusted-ak-keys:/data
+
+[Install]
+WantedBy=default.target

…s/trustee-gcp/containers/nginx.container …nfigs/trustee/containers/nginx.containerconfigs/trustee-gcp/containers/nginx.container renamed to configs/trustee/containers/nginx.container configs/trustee-gcp/containers/nginx.container renamed to configs/trustee/containers/nginx.container

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -euo pipefail
+# set -x
+
+KEY="${KEY:=/opt/confidential-containers/kbs/user-keys/private.key}"
+
+sudo podman exec -ti \
+  kbs-client \
+    kbs-client \
+      config \
+      --auth-private-key "${KEY}" \
+      "${@}"

configs/trustee/containers/register-ak.container

@@ -25,6 +25,9 @@ type = "BuiltIn"
 [attestation_service.rvps_config.storage]
 type = "LocalFs"
 
+[attestation_service.verifier_config.tpm_verifier]
+trusted_ak_keys_dir = "/etc/tpm/trusted_ak_keys"
+max_trusted_ak_keys = 100
 
 [[plugins]]
 name = "resource"

configs/trustee/kbs-client

@@ -9,17 +9,11 @@ KEY=${KEY:=/opt/confidential-containers/kbs/user-keys/private.key}
 ## set reference values for TPM 
 for i in {7,14}; do
     value=$(sudo tpm2_pcrread sha256:${i} | awk -F: '/0x/ {sub(/.*0x/, "", $2); gsub(/[^0-9A-Fa-f]/, "", $2); print tolower($2)}')
-	podman exec -ti kbs-client \
-		 kbs-client  config \
-			--auth-private-key ${KEY} \
-			set-sample-reference-value tpm_pcr${i} "${value}"
+	kbs-client set-sample-reference-value tpm_pcr${i} "${value}"
 done
 
 # Check reference values
-podman exec -ti kbs-client \
-	kbs-client  config \
-		--auth-private-key ${KEY} \
-		get-reference-values
+kbs-client get-reference-values
 
 
 # Create attestation policy
@@ -53,25 +47,15 @@ result := {
 }
 EOF
 
-podman cp A_policy.rego kbs-client:/A_policy.rego
-podman exec -ti kbs-client \
-	kbs-client  config \
-		--auth-private-key ${KEY} \
-		set-attestation-policy \
-		--policy-file /A_policy.rego \
-		--type rego --id default_cpu
+sudo podman cp A_policy.rego kbs-client:/A_policy.rego
+kbs-client set-attestation-policy --policy-file A_policy.rego --type rego --id default_cpu
 
 # Upload resource
 cat > secret << EOF
 { "key_type": "oct", "key": "2b442dd5db4478367729ef8bbf2e7480" }
 EOF
-podman cp secret kbs-client:/secret
-podman exec -ti kbs-client \
-	kbs-client  config \
-		--auth-private-key ${KEY} \
-		set-resource --resource-file /secret \
-		--path ${SECRET_PATH}
-
+sudo podman cp secret kbs-client:/secret
+kbs-client set-resource --resource-file /secret --path ${SECRET_PATH}
 
 # Create resource policy
 ## This policy allows access only if both CPUs report an "affirming" status 
@@ -90,9 +74,5 @@ allow if {
 }
 EOF
 
-podman cp R_policy.rego kbs-client:/R_policy.rego
-podman exec -ti kbs-client \
-	kbs-client  config \
-		--auth-private-key ${KEY} \
-		set-resource-policy \
-		--policy-file /R_policy.rego \
+sudo podman cp R_policy.rego kbs-client:/R_policy.rego
+kbs-client set-resource-policy --policy-file R_policy.rego

configs/trustee-gcp/kbs-config.toml configs/trustee/kbs-config.tomlconfigs/trustee-gcp/kbs-config.toml renamed to configs/trustee/kbs-config.toml

@@ -13,7 +13,7 @@ RUN . /etc/os-release && \
 RUN dnf install -y git tss2-devel tpm2-tss-devel cargo openssl-devel perl
 
 RUN cd /usr/src/ && \
-    git clone https://github.com/confidential-containers/guest-components.git && \
+    git clone https://github.com/trusted-execution-clusters/guest-components.git && \
     cd guest-components && git checkout ${COMMIT}
 
 RUN cd /usr/src/guest-components && \