|
3 | 3 | [](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-lint.yml) [](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/ansible-test.yml) [](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/codespell.yml) [](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/markdownlint.yml) [](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/qemu-kvm-integration-tests.yml) [](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/shellcheck.yml) [](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft.yml) [](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/tft_citest_bad.yml) [](https://github.com/linux-system-roles/trustee_attestation_server/actions/workflows/woke.yml) |
4 | 4 |  |
5 | 5 |
|
6 | | -A trustee_server for an ansible role that configures some GNU/Linux subsystem or |
7 | | -service. A brief description of the role goes here. |
| 6 | +An Ansible role that deploys [Trustee](https://confidentialcontainers.org/docs/attestation/) server components for confidential computing. Trustee provides attestation and secret delivery services (KBS, Attestation Service) for workloads running in Trusted Execution Environments (TEEs). |
8 | 7 |
|
9 | | -## Requirements |
| 8 | +## Features |
| 9 | + |
| 10 | +- **Trustee Server (Quadlet)**: Deploys Trustee Key Broker Service(KBS), Attestation Service(AS) and Reference Value Provider Service(RVPS) using Podman Quadlets from a GitHub repository |
| 11 | +- **Secret Registration Server**: HTTPS service that receives attestation-backed registration requests, verifies attestation, creates disk encryption keys, and stores them in Trustee KBS |
10 | 12 |
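Review bot: the first Features bullet says the Quadlets are pulled "from a GitHub repository" without naming it, so a reader cannot tell from this section what is being deployed or who maintains it; name the repository (or the variable that selects it, `trustee_server_quadlet_repo_url`) here. Minor style point in the same line: "Key Broker Service(KBS), Attestation Service(AS) and Reference Value Provider Service(RVPS)" needs a space before each parenthesis.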
|
11 | | -Any prerequisites that may not be covered by Ansible itself or the role should |
12 | | -be mentioned here. This includes platform dependencies not managed by the |
13 | | -role, hardware requirements, external collections, etc. There should be a |
14 | | -distinction between *control node* requirements (like collections) and |
15 | | -*managed node* requirements (like special hardware, platform provisioning). |
| 13 | +## Requirements |
16 | 14 |
|
17 | | -### Collection requirements |
| 15 | +### Control node |
18 | 16 |
|
19 | | -For instance, if the role depends on some collections and has a |
20 | | -`meta/collection-requirements.yml` file for installing those dependencies, and |
21 | | -in order to manage `rpm-ostree` systems, it should be mentioned here that the |
22 | | - user should run |
| 17 | +- Ansible 2.9 or later |
| 18 | +- Install collection dependencies: |
23 | 19 |
|
24 | 20 | ```bash |
25 | | -ansible-galaxy collection install -vv -r meta/collection-requirements.yml |
| 21 | +ansible-galaxy collection install -r meta/collection-requirements.yml |
26 | 22 | ``` |
27 | 23 |
|
28 | | -on the *control node* before using the role. |
29 | | - |
30 | | -## Role Variables |
31 | | - |
32 | | -A description of all input variables (i.e. variables that are defined in |
33 | | -`defaults/main.yml`) for the role should go here as these form an API of the |
34 | | -role. Each variable should have its own section e.g. |
35 | | - |
36 | | -### trustee_server_foo |
| 24 | +### Managed node |
37 | 25 |
|
38 | | -This variable is required. It is a string that lists the foo of the role. |
39 | | -There is no default value. |
| 26 | +- Fedora or RHEL 9+ |
| 27 | +- Podman |
| 28 | +- Python 3 |
40 | 29 |
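Review bot: the managed-node list is incomplete for what the role does. It lists "Podman" with no minimum version, but Quadlet support only exists in Podman 4.4 and later, so state the version; and the Trustee Server section says the role adds port 8080 to firewalld, so firewalld should appear here as well (or the firewall step should be documented as optional).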
|
41 | | -### trustee_server_bar |
42 | | - |
43 | | -This variable is optional. It is a boolean that tells the role to disable bar. |
44 | | -The default value is `true`. |
45 | | - |
46 | | -Variables that are not intended as input, like variables defined in |
47 | | -`vars/main.yml`, variables that are read from other roles and/or the global |
48 | | -scope (ie. hostvars, group vars, etc.) can be also mentioned here but keep in |
49 | | -mind that as these are probably not part of the role API they may change during |
50 | | -the lifetime. |
51 | | - |
52 | | -Example of setting the variables: |
| 30 | +## Example Playbook |
53 | 31 |
|
54 | 32 | ```yaml |
55 | | -trustee_server_foo: "oof" |
56 | | -trustee_server_bar: false |
| 33 | +- name: Deploy Trustee Server |
| 34 | + hosts: all |
| 35 | + vars: |
| 36 | + trustee_server_trustee: true |
| 37 | + trustee_server_quadlet_repo_url: "https://github.com/litian1992/trustee-quadlet-rhel.git" |
| 38 | + trustee_server_quadlet_repo_path: "quadlet" |
| 39 | + trustee_server_quadlet_repo_branch: "main" |
| 40 | + trustee_server_quadlet_install_dir: "/etc/containers/systemd" |
| 41 | + trustee_server_secret_registration_server_enabled: true |
| 42 | + trustee_server_secret_registration_listen_port: 8081 |
| 43 | + roles: |
| 44 | + - linux-system-roles.trustee_server |
57 | 45 | ``` |
58 | 46 |
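Review bot: two problems in the example playbook. First, the role is invoked as `linux-system-roles.trustee_server` and the variables are prefixed `trustee_server_`, while the badges at the top of the page point at the `trustee_attestation_server` repository; pick one name and use it consistently. Second, the example pulls systemd unit files from `"https://github.com/litian1992/trustee-quadlet-rhel.git"` at branch `"main"`, a personal repository tracked by moving branch; anything pushed there lands in `/etc/containers/systemd` on the next run. Either pin a tag or commit in the example and document how the fetched content is verified, or label the URL clearly as a placeholder the user must replace.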
|
59 | | -## Variables Exported by the Role |
60 | | -
|
61 | | -This section is optional. Some roles may export variables for playbooks to |
62 | | -use later. These are analogous to "return values" in Ansible modules. For |
63 | | -example, if a role performs some action that will require a system reboot, but |
64 | | -the user wants to defer the reboot, the role might set a variable like |
65 | | -`trustee_server_reboot_needed: true` that the playbook can use to reboot at a more |
66 | | -convenient time. |
| 47 | +More examples are in the [`examples/`](examples) directory. |
67 | 48 |
|
68 | | -Example: |
| 49 | +## Trustee Server |
69 | 50 |
|
70 | | -### trustee_server_reboot_needed |
| 51 | +When enabled, the role: |
71 | 52 |
|
72 | | -Default `false` - if `true`, this means a reboot is needed to apply the changes |
73 | | -made by the role |
| 53 | +1. Downloads the Podman Quadlets from designated repo |
| 54 | +2. Generates all required certficates of Trustee server components |
| 55 | +3. Add KBS port 8080 to firewalld |
| 56 | +3. Enables the services by default |
74 | 57 |
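Review bot: the numbered list has two items labelled "3." (the firewalld step and "Enables the services by default"), "certficates" is misspelled, and "Add KBS port 8080 to firewalld" should read "Adds" to match the other items. "Downloads the Podman Quadlets from designated repo" should also say which variable designates the repo (`trustee_server_quadlet_repo_url` in the example above) rather than leaving it implicit.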
|
75 | | -## Example Playbook |
76 | | - |
77 | | -Including an example of how to use your role (for instance, with variables |
78 | | -passed in as parameters) is always nice for users too: |
| 58 | +Note that KBS listens on port 8080 which may require additional network security allowance depending on your environment. |
79 | 59 |
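Review bot: this note and the step above both state that port 8080 is opened in firewalld, but neither says whether that is configurable. If the role opens the port unconditionally, say so explicitly; a KBS that should only be reachable from a private network should not have its port opened on every host by default, so a variable to skip or override the firewall change is worth adding and documenting here.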
|
80 | | -```yaml |
81 | | -- name: Manage the trustee_server subsystem |
82 | | - hosts: all |
83 | | - vars: |
84 | | - trustee_server_foo: "foo foo!" |
85 | | - trustee_server_bar: false |
86 | | - roles: |
87 | | - - linux-system-roles.trustee_server |
88 | | -``` |
| 60 | +## Secret Registration Server |
89 | 61 |
|
90 | | -More examples can be provided in the [`examples/`](examples) directory. These |
91 | | -can be useful, especially for documentation. |
| 62 | +When enabled, the secret registration server: |
92 | 63 |
|
93 | | -## rpm-ostree |
| 64 | +1. Listens for `POST /register-encryption-key` with `attestation_token` and `client_id` (machine-id) |
| 65 | +2. Verifies the attestation token (Azure TPM-based) |
| 66 | +3. Creates a disk encryption key and stores it in Trustee KBS |
| 67 | +4. Appends resource policy to `/etc/trustee/kbs/policy.rego` |
94 | 68 |
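Review bot: step 1 takes `client_id` (machine-id) from the request body and steps 3 and 4 key the stored secret and the appended policy by it, but nothing here says the id is checked against the attestation evidence. If it is not, any client that passes attestation can register or overwrite the key under another machine's id; document how the binding is enforced, or state the limitation. Two further points: step 2 says "Azure TPM-based", which is narrower than the TEE-general description at the top of the page, so the supported evidence types should be listed; and step 4 appends to `/etc/trustee/kbs/policy.rego` on every registration, so re-registration of the same client grows the file indefinitely unless the append is idempotent, which should be stated along with how the resulting policy is validated before KBS loads it.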
|
95 | | -See README-ostree.md |
| 69 | +Clients can then fetch the key from Trustee CDH using attestation. |
96 | 70 |
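Review bot: "Trustee CDH" is the only place on the page that uses this acronym and it is never expanded; spell out Confidential Data Hub on first use, as the page does for KBS, AS and RVPS.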
|
97 | 71 | ## License |
98 | 72 |
|
99 | | -Whenever possible, please prefer MIT. |
| 73 | +MIT |
100 | 74 |
|
101 | | -## Author Information |
| 75 | +## Author |
102 | 76 |
|
103 | 77 | An optional section for the role authors to include contact information, or a |
104 | 78 | website (HTML is not allowed). |
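Review bot: the Author section still contains the template placeholder text ("An optional section for the role authors to include contact information, or a website (HTML is not allowed).") while the heading was renamed; replace it with actual author or contact information, or drop the section.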