|
4 | 4 |
|
5 | 5 |  |
6 | 6 |
|
7 | | -A trustee_server for an ansible role that configures some GNU/Linux subsystem or |
8 | | -service. A brief description of the role goes here. |
| 7 | +An Ansible role that deploys [Trustee](https://confidentialcontainers.org/docs/attestation/) server components for confidential computing. Trustee provides attestation and secret delivery services (KBS, Attestation Service) for workloads running in Trusted Execution Environments (TEEs). |
9 | 8 |
|
10 | | -## Requirements |
| 9 | +## Features |
| 10 | + |
| 11 | +- **Trustee Server (Quadlet)**: Deploys Trustee Key Broker Service(KBS), Attestation Service(AS) and Reference Value Provider Service(RVPS) using Podman Quadlets from a GitHub repository |
| 12 | +- **Secret Registration Server**: HTTPS service that receives attestation-backed registration requests, verifies attestation, creates disk encryption keys, and stores them in Trustee KBS |
11 | 13 |
|
12 | | -Any prerequisites that may not be covered by Ansible itself or the role should |
13 | | -be mentioned here. This includes platform dependencies not managed by the |
14 | | -role, hardware requirements, external collections, etc. There should be a |
15 | | -distinction between *control node* requirements (like collections) and |
16 | | -*managed node* requirements (like special hardware, platform provisioning). |
| 14 | +## Requirements |
17 | 15 |
|
18 | | -### Collection requirements |
| 16 | +### Control node |
19 | 17 |
|
20 | | -For instance, if the role depends on some collections and has a |
21 | | -`meta/collection-requirements.yml` file for installing those dependencies, and |
22 | | -in order to manage `rpm-ostree` systems, it should be mentioned here that the |
23 | | - user should run |
| 18 | +- Ansible 2.9 or later |
| 19 | +- Install collection dependencies: |
24 | 20 |
|
25 | 21 | ```bash |
26 | | -ansible-galaxy collection install -vv -r meta/collection-requirements.yml |
| 22 | +ansible-galaxy collection install -r meta/collection-requirements.yml |
27 | 23 | ``` |
28 | 24 |
|
29 | | -on the *control node* before using the role. |
30 | | - |
31 | | -## Role Variables |
32 | | - |
33 | | -A description of all input variables (i.e. variables that are defined in |
34 | | -`defaults/main.yml`) for the role should go here as these form an API of the |
35 | | -role. Each variable should have its own section e.g. |
36 | | - |
37 | | -### trustee_server_foo |
| 25 | +### Managed node |
38 | 26 |
|
39 | | -This variable is required. It is a string that lists the foo of the role. |
40 | | -There is no default value. |
| 27 | +- Fedora or RHEL 9+ |
| 28 | +- Podman |
| 29 | +- Python 3 |
41 | 30 |
|
42 | | -### trustee_server_bar |
43 | | - |
44 | | -This variable is optional. It is a boolean that tells the role to disable bar. |
45 | | -The default value is `true`. |
46 | | - |
47 | | -Variables that are not intended as input, like variables defined in |
48 | | -`vars/main.yml`, variables that are read from other roles and/or the global |
49 | | -scope (ie. hostvars, group vars, etc.) can be also mentioned here but keep in |
50 | | -mind that as these are probably not part of the role API they may change during |
51 | | -the lifetime. |
52 | | - |
53 | | -Example of setting the variables: |
| 31 | +## Example Playbook |
54 | 32 |
|
55 | 33 | ```yaml |
56 | | -trustee_server_foo: "oof" |
57 | | -trustee_server_bar: false |
| 34 | +- name: Deploy Trustee Server |
| 35 | + hosts: all |
| 36 | + vars: |
| 37 | + trustee_server_trustee: true |
| 38 | + trustee_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git" |
| 39 | + trustee_server_quadlet_repo_path: "quadlet" |
| 40 | + trustee_server_quadlet_repo_branch: "main" |
| 41 | + trustee_server_quadlet_install_dir: "/etc/containers/systemd" |
| 42 | + trustee_server_secret_registration_server_enabled: true |
| 43 | + trustee_server_secret_registration_listen_port: 8081 |
| 44 | + roles: |
| 45 | + - linux-system-roles.trustee_server |
58 | 46 | ``` |
59 | 47 |
|
60 | | -## Variables Exported by the Role |
61 | | -
|
62 | | -This section is optional. Some roles may export variables for playbooks to |
63 | | -use later. These are analogous to "return values" in Ansible modules. For |
64 | | -example, if a role performs some action that will require a system reboot, but |
65 | | -the user wants to defer the reboot, the role might set a variable like |
66 | | -`trustee_server_reboot_needed: true` that the playbook can use to reboot at a more |
67 | | -convenient time. |
| 48 | +More examples are in the [`examples/`](examples) directory. |
68 | 49 |
|
69 | | -Example: |
| 50 | +## Trustee Server |
70 | 51 |
|
71 | | -### trustee_server_reboot_needed |
| 52 | +When enabled, the role: |
72 | 53 |
|
73 | | -Default `false` - if `true`, this means a reboot is needed to apply the changes |
74 | | -made by the role |
| 54 | +1. Downloads the Podman Quadlets from designated repo |
| 55 | +2. Generates all required certficates of Trustee server components |
| 56 | +3. Add KBS port 8080 to firewalld |
| 57 | +3. Enables the services by default |
75 | 58 |
|
76 | | -## Example Playbook |
77 | | - |
78 | | -Including an example of how to use your role (for instance, with variables |
79 | | -passed in as parameters) is always nice for users too: |
| 59 | +Note that KBS listens on port 8080 which may require additional network security allowance depending on your environment. |
80 | 60 |
|
81 | | -```yaml |
82 | | -- name: Manage the trustee_server subsystem |
83 | | - hosts: all |
84 | | - vars: |
85 | | - trustee_server_foo: "foo foo!" |
86 | | - trustee_server_bar: false |
87 | | - roles: |
88 | | - - linux-system-roles.trustee_server |
89 | | -``` |
| 61 | +## Secret Registration Server |
90 | 62 |
|
91 | | -More examples can be provided in the [`examples/`](examples) directory. These |
92 | | -can be useful, especially for documentation. |
| 63 | +When enabled, the secret registration server: |
93 | 64 |
|
94 | | -## rpm-ostree |
| 65 | +1. Listens for `POST /register-encryption-key` with `attestation_token` and `client_id` (machine-id) |
| 66 | +2. Verifies the attestation token (Azure TPM-based) |
| 67 | +3. Creates a disk encryption key and stores it in Trustee KBS |
| 68 | +4. Appends resource policy to `/etc/trustee/kbs/policy.rego` |
95 | 69 |
|
96 | | -See README-ostree.md |
| 70 | +Clients can then fetch the key from Trustee CDH using attestation. |
97 | 71 |
|
98 | 72 | ## License |
99 | 73 |
|
100 | | -Whenever possible, please prefer MIT. |
| 74 | +MIT |
101 | 75 |
|
102 | | -## Author Information |
| 76 | +## Author |
103 | 77 |
|
104 | 78 | An optional section for the role authors to include contact information, or a |
105 | 79 | website (HTML is not allowed). |
0 commit comments