Remote attestation with PCRs and AMD SEV-SNP on GCP using RHCOS

.github/workflows/build-fcos-image.yml

@@ -3,7 +3,7 @@ name: "Build and push fedora-coreos container image with customized initrd"
 env:
   NAME: "fedora-coreos"
   REGISTRY: "quay.io/trusted-execution-clusters"
-  FCOS_IMG: "quay.io/fedora/fedora-coreos:42.20251012.2.0"
+  FCOS_IMG: "quay.io/trusted-execution-clusters/fedora-coreos@sha256:79a0657399e6c67c7c95b8a09193d18e5675b5aa3cfb4d75ea5c8d4d53b2af74"
 on:
   push:
     branches:

.gitignore

@@ -7,3 +7,5 @@ coreos/*.qcow2
 secret
 tmp/
 trustee/keys
+*.tar
+*.tar.gz

README.md

@@ -27,9 +27,9 @@ Build the Fedora CoreOS or Centos Stream CoreOS image with the custom initrd:
 ```bash
 cd coreos
 # Centos Stream CoreOS image
-just os=scos build oci-archive osbuild-qemu
+just os=scos build oci-archive osbuild
 # Fedora CoreOS image
-just build oci-archive osbuild-qemu
+just build oci-archive osbuild
 ```
 
 ### Create local Trustee deployment

configs/trustee.bu

@@ -0,0 +1,67 @@
+variant: fcos
+version: 1.6.0
+passwd:
+  users:
+    - name: core
+      ssh_authorized_keys:
+      - <KEY>
+
+systemd:
+  units:
+    - name: [email protected]
+      dropins:
+      - name: autologin-core.conf
+        contents: |
+          [Service]
+          # Override Execstart in main unit
+          ExecStart=
+          # Add new Execstart with `-` prefix to ignore failure`
+          ExecStart=-/usr/sbin/agetty --autologin core --noclear %I $TERM
+
+storage:
+  directories:
+  - path: /var/kbs/config
+    overwrite: true
+  - path: /var/srv/www
+    overwrite: true
+  files:
+    - path: /etc/profile.d/systemd-pager.sh
+      mode: 0644
+      contents:
+        inline: |
+          # Tell systemd to not use a pager when printing information
+          export SYSTEMD_PAGER=cat
+    - path: /usr/local/bin/populate_kbs.sh
+      mode: 0755
+      contents:
+        local: populate_kbs.sh
+    - path: /usr/local/bin/kbs-client
+      mode: 0755
+      contents:
+        local: kbs-client
+    - path: /etc/containers/systemd/key-generation.container
+      mode: 0644
+      contents:
+        local: containers/key-generation.container
+    - path: /var/kbs/config/kbs-config.toml
+      mode: 0644
+      contents:
+        local: kbs-config.toml
+    - path: /etc/containers/systemd/kbs.container
+      mode: 0644
+      contents:
+        local: containers/kbs.container
+    - path: /etc/containers/systemd/kbs-client.container
+      mode: 0644
+      contents:
+        local: containers/kbc.container
+    - path: /etc/containers/systemd/nginx.container
+      mode: 0644
+      contents:
+        local: containers/nginx.container
+    - path: /etc/containers/systemd/register-ak.container
+      mode: 0644
+      contents:
+        local: containers/register-ak.container
+
+

configs/trustee/containers/kbc.container

@@ -0,0 +1,13 @@
+[Unit]
+Description=Trustee KBS client container
+After=key-generation.container
+
+[Container]
+ContainerName=kbs-client
+Image=quay.io/trusted-execution-clusters/trustee-attester:TPM-additional-dev
+Network=host
+Volume=user-keys:/opt/confidential-containers/kbs/user-keys
+Exec=tail -f /dev/null
+
+[Install]
+WantedBy=default.target

configs/trustee/containers/kbs.container

@@ -0,0 +1,21 @@
+[Unit]
+Description=Trustee KBS container
+After=key-generation.container
+
+[Container]
+ContainerName=kbs
+Image=quay.io/trusted-execution-clusters/key-broker-service:fix-TPM-report-data-size
+Network=host
+Entrypoint=/usr/local/bin/kbs
+PublishPort=8080:8080
+Environment=RUST_LOG=debug
+Volume=/var/kbs/config/kbs-config.toml:/opt/confidential-containers/kbs/config/kbs-config.toml:z
+Volume=kbs-storage:/opt/confidential-containers/kbs/repository
+Volume=nebula-ca:/opt/confidential-containers/kbs/nebula-ca
+Volume=user-keys:/opt/confidential-containers/kbs/user-keys
+Volume=trusted-ak-keys:/etc/tpm/trusted_ak_keys
+Exec=--config-file \
+    /opt/confidential-containers/kbs/config/kbs-config.toml
+
+[Install]
+WantedBy=default.target

configs/trustee/containers/key-generation.container

@@ -0,0 +1,17 @@
+[Unit]
+Description=Trustee Key Generator
+Wants=network-online.target
+After=network-online.target
+
+[Container]
+ContainerName=keyprovider
+Image=docker.io/alpine/openssl:latest
+Entrypoint=/bin/ash
+Volume=user-keys:/opt/confidential-containers/kbs/user-keys
+Exec=-c "if [ ! -s /opt/confidential-containers/kbs/user-keys/private.key ]; then \
+        /usr/bin/openssl genpkey -algorithm ed25519 > /opt/confidential-containers/kbs/user-keys/private.key && \
+        /usr/bin/openssl pkey -in /opt/confidential-containers/kbs/user-keys/private.key -pubout \
+            -out /opt/confidential-containers/kbs/user-keys/public.pub; else exit 0; fi;"
+
+[Install]
+WantedBy=default.target

configs/trustee/containers/nginx.container

@@ -0,0 +1,14 @@
+[Unit]
+Description=nginx HTTP server emulating registration server
+Wants=network-online.target
+After=network-online.target
+
+[Container]
+ContainerName=nginx
+Image=quay.io/fedora/nginx-126:latest
+PublishPort=8000:8080
+Volume=/srv/www:/opt/app-root/src:z
+Exec=nginx -g "daemon off;"
+
+[Install]
+WantedBy=default.target

configs/trustee/containers/register-ak.container

@@ -0,0 +1,13 @@
+[Unit]
+Description=server that allow to register AK
+Wants=network-online.target
+After=network-online.target
+
+[Container]
+ContainerName=register-ak
+Image=quay.io/trusted-execution-clusters/test-server-ak:latest
+PublishPort=5001:5001
+Volume=trusted-ak-keys:/data
+
+[Install]
+WantedBy=default.target

configs/trustee/kbs-client

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -euo pipefail
+# set -x
+
+KEY="${KEY:=/opt/confidential-containers/kbs/user-keys/private.key}"
+
+sudo podman exec -ti \
+  kbs-client \
+    kbs-client \
+      config \
+      --auth-private-key "${KEY}" \
+      "${@}"

configs/trustee/kbs-config.toml

@@ -0,0 +1,35 @@
+[http_server]
+sockets = ["0.0.0.0:8080"]
+insecure_http = true
+
+[admin]
+insecure_api = true
+auth_public_key = "./keys/public.pub"
+
+
+[attestation_token]
+insecure_key = true
+
+[attestation_service]
+type = "coco_as_builtin"
+work_dir = "/opt/confidential-containers/attestation-service"
+policy_engine = "opa"
+
+[attestation_service.attestation_token_broker]
+type = "Ear"
+duration_min = 5
+
+[attestation_service.rvps_config]
+type = "BuiltIn"
+
+[attestation_service.rvps_config.storage]
+type = "LocalFs"
+
+[attestation_service.verifier_config.tpm_verifier]
+trusted_ak_keys_dir = "/etc/tpm/trusted_ak_keys"
+max_trusted_ak_keys = 100
+
+[[plugins]]
+name = "resource"
+type = "LocalFs"
+dir_path = "/opt/confidential-containers/kbs/repository"

configs/trustee/populate_kbs.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+set -xe
+
+SECRET_PATH=${SECRET_PATH:=default/machine/root}
+KEY=${KEY:=/opt/confidential-containers/kbs/user-keys/private.key}
+
+
+## set reference values for TPM 
+for i in {7,4,14}; do
+    value=$(sudo tpm2_pcrread sha256:${i} | awk -F: '/0x/ {sub(/.*0x/, "", $2); gsub(/[^0-9A-Fa-f]/, "", $2); print tolower($2)}')
+	kbs-client set-sample-reference-value tpm_pcr${i} "${value}"
+done
+
+# Check reference values
+kbs-client get-reference-values
+
+
+# Create attestation policy
+## This policy allows access only if the system’s TPM or SNP 
+## hardware measurements match trusted reference values
+cat << 'EOF' > A_policy.rego
+package policy
+import rego.v1
+
+default hardware := 97
+default executables := 3 
+default configuration := 2 
+
+##### TPM
+
+hardware := 2 if {
+	input.tpm.pcr07 in data.reference.tpm_pcr7
+    input.tpm.pcr14 in data.reference.tpm_pcr14
+    input.tpm.pcr04 in data.reference.tpm_pcr4
+}
+
+hardware := 2 if {
+	input.snp.reported_tcb_snp == 27
+}
+
+
+##### Final decision
+result := {
+	"executables": executables,
+	"hardware": hardware,
+	"configuration": configuration
+}
+EOF
+
+sudo podman cp A_policy.rego kbs-client:/A_policy.rego
+kbs-client set-attestation-policy --policy-file A_policy.rego --type rego --id default_cpu
+
+# Upload resource
+cat > secret << EOF
+{ "key_type": "oct", "key": "2b442dd5db4478367729ef8bbf2e7480" }
+EOF
+sudo podman cp secret kbs-client:/secret
+kbs-client set-resource --resource-file /secret --path ${SECRET_PATH}
+
+# Create resource policy
+## This policy allows access only if both CPUs report an "affirming" status 
+## and provide TPM and SNP attestation evidence.
+cat << 'EOF' > R_policy.rego
+package policy
+import rego.v1
+
+default allow = false
+
+allow if {
+    input["submods"]["cpu0"]["ear.status"] == "affirming"
+    input["submods"]["cpu1"]["ear.status"] == "affirming"
+	input["submods"]["cpu1"]["ear.veraison.annotated-evidence"]["tpm"]
+    input["submods"]["cpu0"]["ear.veraison.annotated-evidence"]["snp"]
+}
+EOF
+
+sudo podman cp R_policy.rego kbs-client:/R_policy.rego
+kbs-client set-resource-policy --policy-file R_policy.rego

containerfiles/trustee-attester.container

@@ -13,7 +13,7 @@ RUN . /etc/os-release && \
 RUN dnf install -y git tss2-devel tpm2-tss-devel cargo openssl-devel perl
 
 RUN cd /usr/src/ && \
-    git clone https://github.com/confidential-containers/guest-components.git && \
+    git clone https://github.com/trusted-execution-clusters/guest-components.git && \
     cd guest-components && git checkout ${COMMIT}
 
 RUN cd /usr/src/guest-components && \

coreos/Containerfile

@@ -1,7 +1,14 @@
 ARG BASE
-FROM quay.io/trusted-execution-clusters/trustee-attester:fedora-b13fd8a as kbc
-FROM quay.io/trusted-execution-clusters/clevis-pin-trustee as clevis
-FROM ghcr.io/trusted-execution-clusters/ignition:20260112-85608d6 as ignition
+ARG TRUSTEE_ATTESTER=quay.io/trusted-execution-clusters/trustee-attester:fedora-b13fd8a
+ARG CLEVIS_PIN_TRUSTEE_IMAGE=quay.io/trusted-execution-clusters/clevis-pin-trustee
+ARG IGNITION=ghcr.io/trusted-execution-clusters/ignition:20260112-85608d6
+
+FROM $TRUSTEE_ATTESTER as kbc
+
+FROM $CLEVIS_PIN_TRUSTEE_IMAGE as clevis
+
+FROM $IGNITION as ignition
+
 FROM $BASE
 
 COPY ./usr /usr

coreos/justfile

@@ -1,7 +1,7 @@
 os := "fcos"
 
 scos_base_img:= "quay.io/okd/scos-content@sha256:3813e6608a999756931d3d621932af9662860e71a552b2670f9fe320bf0d3585"
-fcos_base_img:= "quay.io/fedora/fedora-coreos:42.20251012.2.0"
+fcos_base_img:= "quay.io/trusted-execution-clusters/fedora-coreos@sha256:79a0657399e6c67c7c95b8a09193d18e5675b5aa3cfb4d75ea5c8d4d53b2af74"
 
 scos_img:= "quay.io/trusted-execution-clusters/scos"
 fcos_img:= "quay.io/trusted-execution-clusters/fcos"
@@ -20,6 +20,8 @@ image := if os == "scos" { scos_img } else { fcos_img }
 os_name := if os == "scos" { scos_os } else { fcos_os }
 label := if os == "scos" { scos_label } else { fcos_label }
 archive := os + ".ociarchive"
+platform := "qemu"
+
 
 config := if os == "scos" { scos_config } else { fcos_config }
 full_name := if os == "scos" { "centos-stream-coreos" } else { "fedora-coreos" }
@@ -28,7 +30,7 @@ build:
     sudo podman build --no-cache --build-arg BASE={{base}} --build-arg COM_COREOS_OSNAME={{label}} -t {{image}} -f Containerfile .
 
 oci-archive:
-    sudo skopeo copy containers-storage:{{image}} oci-archive:{{archive}}
+    sudo skopeo copy containers-storage:{{image}}:latest oci-archive:{{archive}}
 
 # Reusable cosa function definition
 cosa_function := '''
@@ -73,3 +75,22 @@ kubevirt:
     {{cosa_function}}
     cd cache
     cosa osbuild kubevirt
+osbuild:
+    #!/bin/bash
+    set -xeuo pipefail
+
+    SELINUX_STATUS=$(getenforce)
+
+    if [ "$SELINUX_STATUS" = "Enforcing" ]; then
+        echo "WARNING: SELinux is in Enforcing mode. Temporarily disabling for osbuild operation..."
+    fi
+
+    TMPDIR=$(mktemp -d)
+    git clone --depth 1 https://github.com/coreos/custom-coreos-disk-images ${TMPDIR}
+
+    sudo -E ${TMPDIR}/custom-coreos-disk-images.sh --platform {{platform}} \
+        --ociarchive {{archive}} \
+        --osname {{os_name}}
+    rm -rf "$TMPDIR"
+    sudo chown $USER:$USER {{os}}-{{platform}}.x86_64.*
+