
Commit bdc85ac

litian1992 authored and richm committed
feat(secret_registration_server): add secret registration server service

The secret registration server service is an HTTPS server. It receives requests only from the counterpart secret registration client service. It creates a disk encryption key along with a resource policy tied to PCR15 of the client.

Signed-off-by: Li Tian <litian@redhat.com>
1 parent 87f716f commit bdc85ac

11 files changed

Lines changed: 340 additions & 106 deletions

README.md

Lines changed: 44 additions & 70 deletions
@@ -3,102 +3,76 @@
33
[![ansible-lint.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-test.yml) [![codespell.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/codespell.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/codespell.yml) [![markdownlint.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/markdownlint.yml) [![qemu-kvm-integration-tests.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/qemu-kvm-integration-tests.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/qemu-kvm-integration-tests.yml) [![shellcheck.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft_citest_bad.yml) 
[![woke.yml](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/woke.yml)
44
![trustee_server](https://github.com/linux-system-roles/trustee_server/workflows/tox/badge.svg)
55

6-
A trustee_server for an ansible role that configures some GNU/Linux subsystem or
7-
service. A brief description of the role goes here.
6+
An Ansible role that deploys [Trustee](https://confidentialcontainers.org/docs/attestation/) server components for confidential computing. Trustee provides attestation and secret delivery services (KBS, Attestation Service) for workloads running in Trusted Execution Environments (TEEs).
87

9-
## Requirements
8+
## Features
9+
10+
- **Trustee Server (Quadlet)**: Deploys Trustee Key Broker Service(KBS), Attestation Service(AS) and Reference Value Provider Service(RVPS) using Podman Quadlets from a GitHub repository
11+
- **Secret Registration Server**: HTTPS service that receives attestation-backed registration requests, verifies attestation, creates disk encryption keys, and stores them in Trustee KBS
1012

11-
Any prerequisites that may not be covered by Ansible itself or the role should
12-
be mentioned here. This includes platform dependencies not managed by the
13-
role, hardware requirements, external collections, etc. There should be a
14-
distinction between *control node* requirements (like collections) and
15-
*managed node* requirements (like special hardware, platform provisioning).
13+
## Requirements
1614

17-
### Collection requirements
15+
### Control node
1816

19-
For instance, if the role depends on some collections and has a
20-
`meta/collection-requirements.yml` file for installing those dependencies, and
21-
in order to manage `rpm-ostree` systems, it should be mentioned here that the
22-
user should run
17+
- Ansible 2.9 or later
18+
- Install collection dependencies:
2319

2420
```bash
25-
ansible-galaxy collection install -vv -r meta/collection-requirements.yml
21+
ansible-galaxy collection install -r meta/collection-requirements.yml
2622
```
2723

28-
on the *control node* before using the role.
29-
30-
## Role Variables
31-
32-
A description of all input variables (i.e. variables that are defined in
33-
`defaults/main.yml`) for the role should go here as these form an API of the
34-
role. Each variable should have its own section e.g.
35-
36-
### trustee_server_foo
24+
### Managed node
3725

38-
This variable is required. It is a string that lists the foo of the role.
39-
There is no default value.
26+
- Fedora or RHEL 9+
27+
- Podman
28+
- Python 3
4029

41-
### trustee_server_bar
42-
43-
This variable is optional. It is a boolean that tells the role to disable bar.
44-
The default value is `true`.
45-
46-
Variables that are not intended as input, like variables defined in
47-
`vars/main.yml`, variables that are read from other roles and/or the global
48-
scope (ie. hostvars, group vars, etc.) can be also mentioned here but keep in
49-
mind that as these are probably not part of the role API they may change during
50-
the lifetime.
51-
52-
Example of setting the variables:
30+
## Example Playbook
5331

5432
```yaml
55-
trustee_server_foo: "oof"
56-
trustee_server_bar: false
33+
- name: Deploy Trustee Server
34+
hosts: all
35+
vars:
36+
trustee_server_trustee: true
37+
trustee_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git"
38+
trustee_server_quadlet_repo_path: "quadlet"
39+
trustee_server_quadlet_repo_branch: "main"
40+
trustee_server_quadlet_install_dir: "/etc/containers/systemd"
41+
trustee_server_secret_registration_server_enabled: true
42+
trustee_server_secret_registration_listen_port: 8081
43+
roles:
44+
- linux-system-roles.trustee_server
5745
```
5846
59-
## Variables Exported by the Role
60-
61-
This section is optional. Some roles may export variables for playbooks to
62-
use later. These are analogous to "return values" in Ansible modules. For
63-
example, if a role performs some action that will require a system reboot, but
64-
the user wants to defer the reboot, the role might set a variable like
65-
`trustee_server_reboot_needed: true` that the playbook can use to reboot at a more
66-
convenient time.
47+
More examples are in the [`examples/`](examples) directory.
6748

68-
Example:
49+
## Trustee Server
6950

70-
### trustee_server_reboot_needed
51+
When enabled, the role:
7152

72-
Default `false` - if `true`, this means a reboot is needed to apply the changes
73-
made by the role
53+
1. Downloads the Podman Quadlets from designated repo
54+
2. Generates all required certficates of Trustee server components
55+
3. Add KBS port 8080 to firewalld
56+
3. Enables the services by default
7457

75-
## Example Playbook
76-
77-
Including an example of how to use your role (for instance, with variables
78-
passed in as parameters) is always nice for users too:
58+
Note that KBS listens on port 8080 which may require additional network security allowance depending on your environment.
7959

80-
```yaml
81-
- name: Manage the trustee_server subsystem
82-
hosts: all
83-
vars:
84-
trustee_server_foo: "foo foo!"
85-
trustee_server_bar: false
86-
roles:
87-
- linux-system-roles.trustee_server
88-
```
60+
## Secret Registration Server
8961

90-
More examples can be provided in the [`examples/`](examples) directory. These
91-
can be useful, especially for documentation.
62+
When enabled, the secret registration server:
9263

93-
## rpm-ostree
64+
1. Listens for `POST /register-encryption-key` with `attestation_token` and `client_id` (machine-id)
65+
2. Verifies the attestation token (Azure TPM-based)
66+
3. Creates a disk encryption key and stores it in Trustee KBS
67+
4. Appends resource policy to `/etc/trustee/kbs/policy.rego`
9468

95-
See README-ostree.md
69+
Clients can then fetch the key from Trustee CDH using attestation.
9670

9771
## License
9872

99-
Whenever possible, please prefer MIT.
73+
MIT
10074

101-
## Author Information
75+
## Author
10276

10377
An optional section for the role authors to include contact information, or a
10478
website (HTML is not allowed).
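Review bot: the example playbook sets `trustee_server_trustee: true` and `trustee_server_secret_registration_server_enabled: true`, but tasks/main.yml in this same commit gates the new include on `trustee_attestation_server_secret_registration_enabled` and `trustee_attestation_server_trustee`; unless those names are defined in a file not shown in this diff, a user following this README gets an undefined-variable failure at the `when` instead of a deployed registration server. Pick one prefix and use it in the README, defaults/main.yml and tasks/main.yml. Dropping the whole "Role Variables" section also leaves the two new defaults (`trustee_server_secret_registration_server_enabled`, `trustee_server_secret_registration_listen_port`) undocumented, and the note about KBS on port 8080 should have a counterpart saying that the registration server opens its configured port (8081 by default) in firewalld too. Smaller points in the "Trustee Server" list: two items are numbered "3.", "certficates" is misspelled, the verbs mix "Add" with "Enables", and the "## Author" section still carries the template placeholder text.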

defaults/main.yml

Lines changed: 3 additions & 12 deletions
@@ -11,15 +11,6 @@ trustee_server_quadlet_repo_branch: "main"
1111
trustee_server_quadlet_install_dir: "/etc/containers/systemd"
1212
trustee_attestation_server_config_dir: "/etc/trustee"
1313

14-
# Secret registration service configuration
15-
trustee_server_secret_registration_service_enabled: false
16-
17-
# SSL certificate generation (used with -config trustee_server.conf)
18-
trustee_server_ssl_bits: 4096
19-
trustee_server_ssl_md: sha256
20-
trustee_server_ssl_days: 3650
21-
trustee_server_ssl_cn: trustee-server
22-
trustee_server_ssl_org: Trustee
23-
trustee_server_ssl_country: US
24-
trustee_server_ssl_cert_path: /etc/trustee/kbs/server.crt
25-
trustee_server_ssl_key_path: /etc/trustee/kbs/server.key
14+
# Secret registration server service configuration
15+
trustee_server_secret_registration_server_enabled: false
16+
trustee_server_secret_registration_listen_port: 8081
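Review bot: the two variables added here (`trustee_server_secret_registration_server_enabled`, `trustee_server_secret_registration_listen_port`) are not the names that tasks/main.yml tests (`trustee_attestation_server_secret_registration_enabled`, `trustee_attestation_server_trustee`), so the `false` default never reaches the condition that is supposed to consume it. This file already mixes the `trustee_server_` and `trustee_attestation_server_` prefixes (`trustee_server_quadlet_install_dir` next to `trustee_attestation_server_config_dir`), which is how the mismatch slipped in; settle on one prefix. Also, deleting the `trustee_server_ssl_*` block moves key size, lifetime and subject of the KBS certificate into a hardcoded shell command in tasks/trustee_quadlet.yml; at least the lifetime and CN/SAN should remain role variables, as the TODO in that file already says.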

examples/simple.yml

Lines changed: 1 addition & 1 deletion
@@ -8,6 +8,6 @@
88
trustee_server_quadlet_repo_path: "quadlet"
99
trustee_server_quadlet_repo_branch: "main"
1010
trustee_server_quadlet_install_dir: "/etc/containers/systemd"
11-
trustee_server_secret_registration_service_enabled: false
11+
trustee_server_secret_registration_server_enabled: false
1212
roles:
1313
- linux-system-roles.trustee-server
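Review bot: the role is referenced as `linux-system-roles.trustee-server` (hyphen) while the README example uses `linux-system-roles.trustee_server` (underscore); the example should use the actual role directory name, otherwise the renamed variable on the line above is never read because the role does not load. The rename itself tracks defaults/main.yml but, like the README, not the `trustee_attestation_server_secret_registration_enabled` name that tasks/main.yml checks.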

handlers/main.yml

Lines changed: 10 additions & 3 deletions
@@ -1,7 +1,14 @@
11
# SPDX-License-Identifier: MIT
22
---
3-
- name: Handler for trustee_server to restart services
4-
service:
3+
- name: Reload systemd daemon for trustee
4+
ansible.builtin.systemd:
5+
daemon_reload: true
6+
listen: "restart trustee services"
7+
8+
- name: Enable and restart trustee services
9+
ansible.builtin.systemd:
510
name: "{{ item }}"
11+
enabled: true
612
state: restarted
7-
loop: "{{ __trustee_server_services }}"
13+
loop: "{{ __trustee_attestation_server_services | default([]) }}"
14+
listen: "restart trustee services"
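Review bot: replacing the old handler with two handlers that `listen: "restart trustee services"` breaks tasks/trustee_quadlet.yml, which in this same commit still has `notify: Handler for trustee_attestation_server to restart services`; Ansible fails the play when a changed task notifies a name that is neither a handler name nor a `listen` topic. Either add that old name as a second `listen:` entry here or, better, change the notify in trustee_quadlet.yml to "restart trustee services" as the new task file included from tasks/main.yml already does. Two minor points: `enabled: true` inside a restart handler ties enablement to a restart event, so a unit that only needs enabling gets bounced; and the old code passed `-pod.service` while the new list carries bare `-pod` names, which works only because systemd defaults the unit type. Appending `.service` in the loop keeps the previous behaviour explicit.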

tasks/main.yml

Lines changed: 5 additions & 4 deletions
@@ -8,7 +8,8 @@
88
include_tasks: trustee_quadlet.yml
99
when: trustee_server_trustee | bool
1010

11-
- name: Create Secret Registration Service
12-
include_tasks: secret_registration_service.yml
13-
when: trustee_server_secret_registration_service_enabled | bool
14-
11+
- name: Deploy Secret Registration Server Service
12+
include_tasks: secret_registration_server.yml
13+
when:
14+
- trustee_attestation_server_secret_registration_enabled | bool
15+
- trustee_attestation_server_trustee | bool
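Review bot: the new `when` list tests `trustee_attestation_server_secret_registration_enabled` and `trustee_attestation_server_trustee`, while two lines above the same file gates the Quadlet include on `trustee_server_trustee` and defaults/main.yml defines `trustee_server_secret_registration_server_enabled`; a `when` on an undefined variable fails the task with an undefined-variable error rather than skipping it, so unless these names come from a file outside this diff the role aborts for every user. Use `trustee_server_trustee` and `trustee_server_secret_registration_server_enabled` here to match the defaults and the README. The second condition is a good addition, since the registration server writes into the KBS resource store and policy file and only makes sense next to a deployed Trustee, but a one-line comment saying so would help the next reader.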
Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,44 @@
1+
# SPDX-License-Identifier: MIT
2+
---
3+
# Secret registration server: receives client requests with Trustee attestation,
4+
# and client ID (machine-id), creates disk encryption keys and stores them in KBS.
5+
# Requires Trustee (trustee_quadlet) to be deployed.
6+
7+
- name: Ensure secret registration server dependencies are installed
8+
ansible.builtin.package:
9+
name: "{{ __trustee_server_secret_registration_packages }}"
10+
state: present
11+
use: "{{ (__trustee_server_is_ostree | d(false)) |
12+
ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
13+
14+
- name: Deploy secret registration server script
15+
ansible.builtin.template:
16+
src: secret_registration_server.py.j2
17+
dest: "/usr/local/bin/secret_registration_server.py"
18+
mode: "0755"
19+
register: __trustee_attestation_server_secret_reg_script
20+
21+
- name: Deploy secret registration server systemd unit
22+
ansible.builtin.template:
23+
src: secret_registration_server.service.j2
24+
dest: /etc/systemd/system/secret_registration_server.service
25+
mode: "0644"
26+
register: __trustee_attestation_server_secret_reg_service
27+
28+
- name: Gather service facts for firewall check
29+
ansible.builtin.service_facts:
30+
31+
- name: Allow secret registration server port in firewall
32+
ansible.posix.firewalld:
33+
port: "{{ trustee_server_secret_registration_listen_port }}/tcp"
34+
permanent: true
35+
immediate: true
36+
state: enabled
37+
when: (ansible_facts.services | default({})).get('firewalld.service', {}).get('state', '') == 'running'
38+
39+
- name: Append secret registration server service to the list of services to restart
40+
set_fact:
41+
__trustee_attestation_server_services: >-
42+
{{ __trustee_attestation_server_services | default([]) + ['secret_registration_server'] }}
43+
changed_when: true
44+
notify: "restart trustee services"
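Review bot: the final `set_fact` task uses `changed_when: true` purely to fire the notify, so the registration service is restarted on every run and the role reports changed even when nothing was deployed, while the two `register:` results (`__trustee_attestation_server_secret_reg_script`, `__trustee_attestation_server_secret_reg_service`) are captured and never read. Put `notify: "restart trustee services"` on the two template tasks (or make the notify conditional on those registers' `.changed`) and drop `changed_when: true` from the set_fact. Two further points: the firewalld task opens `{{ trustee_server_secret_registration_listen_port }}/tcp` in the default zone to any source, yet the commit message says the server accepts requests only from the client service; the port rule alone does not enforce that, so whatever does (TLS client authentication, a firewalld source or zone, or a check in the server script) should be stated in the README. And `set_fact:` should be `ansible.builtin.set_fact:` to match the FQCN style of the other tasks in this file. The package task references `__trustee_server_secret_registration_packages` and `__trustee_server_is_ostree`, which are not in this diff and presumably come from vars/main.yml.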

tasks/secret_registration_service.yml

Lines changed: 0 additions & 2 deletions
This file was deleted.

tasks/trustee_quadlet.yml

Lines changed: 18 additions & 14 deletions
@@ -70,10 +70,14 @@
7070
- name: Generate certificates for all components
7171
ansible.builtin.shell: |
7272
# Trustee Server SSL
73-
if [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/server.crt ] || [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/server.key ]; then
74-
openssl req -new -x509 -nodes -sha256 -days 3550 \
73+
if [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/server.key ] || [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/server.crt ]; then
74+
openssl req -x509 -newkey rsa:2048 -nodes -keyout {{ trustee_attestation_server_config_dir }}/kbs/server.key \
7575
-subj "/CN=$(hostname -f)/O=Red Hat" \
76-
-out {{ trustee_attestation_server_config_dir }}/kbs/server.crt -keyout {{ trustee_attestation_server_config_dir }}/kbs/server.key
76+
-addext "basicConstraints=CA:FALSE" \
77+
-addext "keyUsage=digitalSignature,keyEncipherment" \
78+
-addext "extendedKeyUsage=serverAuth" \
79+
-addext "subjectAltName=DNS:$(hostname -f)" \
80+
-out {{ trustee_attestation_server_config_dir }}/kbs/server.crt
7781
fi
7882
# KBS authentication key pair
7983
if [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/auth.key ] || [ ! -f {{ trustee_attestation_server_config_dir }}/kbs/auth.pub ]; then
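Review bot: the rewritten `openssl req -x509 -newkey rsa:2048 -nodes` command drops `-days`, and `openssl req -x509` without it issues a certificate valid for 30 days (the old command used `-days 3550`); because generation is guarded by `[ ! -f server.key ] || [ ! -f server.crt ]`, the KBS server certificate produced here expires a month after deployment and is never regenerated by later runs. Put `-days` back, ideally from a role variable, since this commit just removed `trustee_server_ssl_days` from defaults/main.yml. The `subjectAltName`, `keyUsage` and `extendedKeyUsage` extensions are a good addition (CN-only certificates are rejected by modern TLS clients); `-addext` requires OpenSSL 1.1.1 or newer, which holds for the RHEL 9+/Fedora targets in the README, and dropping `-sha256` is harmless there because it is the default digest.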
@@ -89,6 +93,7 @@
8993
mkdir -p {{ trustee_attestation_server_config_dir }}/kbs/trusted_certs
9094
cp {{ trustee_attestation_server_config_dir }}/as/token.crt {{ trustee_attestation_server_config_dir }}/kbs/trusted_certs/token0.crt
9195
fi
96+
changed_when: true
9297

9398
- name: Gather service facts
9499
ansible.builtin.service_facts:
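Review bot: `changed_when: true` on the certificate-generation shell task makes every run report a change even though each body is fully guarded by `if [ ! -f ... ]` tests, so the role stops being idempotent. Echo a marker inside each guarded branch, register the result and set `changed_when` on the marker in stdout, or split the generation into per-file tasks that use `creates:`; both keep the guard semantics and report changed only when something was actually written.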
@@ -99,26 +104,25 @@
99104
permanent: true
100105
immediate: true
101106
state: enabled
102-
when: ansible_facts.services['firewalld.service'].state == 'running'
107+
when: (ansible_facts.services | default({})).get('firewalld.service', {}).get('state', '') == 'running'
103108

104109
- name: Get the installed Trustee Server pod name
105110
ansible.builtin.find:
106111
paths: "{{ trustee_server_quadlet_install_dir }}"
107112
patterns: "*.pod"
108-
register: trustee_server_pod_name
113+
register: __trustee_attestation_server_pod_name
109114

110-
- name: Enable and start Trustee Server services
111-
ansible.builtin.systemd:
112-
name: "{{ trustee_server_pod_name.files[0].path | basename | regex_replace('\\.pod$', '') }}-pod.service"
113-
enabled: true
114-
state: restarted
115-
daemon_reload: true
116-
when: trustee_server_pod_name.files | length > 0
117-
failed_when: false
115+
- name: Append Trustee Server services to the list of services to restart
116+
set_fact:
117+
__trustee_attestation_server_services: >-
118+
{{ __trustee_attestation_server_services | default([]) + [__trustee_attestation_server_pod_name.files[0].path | basename | replace('.pod', '-pod')] }}
119+
when: __trustee_attestation_server_pod_name.files | length > 0
120+
changed_when: true
121+
notify: Handler for trustee_attestation_server to restart services
118122

119123
# TODO keep the server.crt and DNS names in the role variables
120124

121125
- name: Clean up temporary repository directory
122126
ansible.builtin.file:
123127
path: "{{ __trustee_server_quadlet_repo_dir.path }}"
124-
state: absent
128+
state: absent
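Review bot: `notify: Handler for trustee_attestation_server to restart services` names a handler that no longer exists after this commit; handlers/main.yml now defines "Reload systemd daemon for trustee" and "Enable and restart trustee services", both listening on "restart trustee services", and a changed task that notifies an unknown handler fails the play. Change it to `notify: "restart trustee services"`. Related: `replace('.pod', '-pod')` on the basename is unanchored, whereas the previous `regex_replace('\\.pod$', '')` only touched the extension; `regex_replace('\\.pod$', '-pod')` keeps the new naming without that risk. Removing `failed_when: false` is an improvement, since a failed restart of the KBS pod was previously swallowed, but `changed_when: true` on the set_fact now forces that restart on every run; driving the notify from whether the Quadlet files or certificates actually changed would keep the role idempotent. The trailing `state: absent` change is whitespace only.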

0 commit comments
