Commit d140fac

feat: harden bare metal attestation policy with firmware checks (#28)
* feat: harden bare metal attestation policy with firmware checks

  Add firmware measurement verification and debug-disabled enforcement for Intel TDX and AMD SEV-SNP bare metal deployments while maintaining backwards compatibility.

  **TDX hardening:**
  - Check mr_td (initial TD measurement) against reference values
  - Check rtmr_1 (firmware + bootloader) against reference values
  - Verify TEE type and vendor ID
  - Enforce debug=false in td_attributes
  - Backwards-compatible fallback when no firmware values available

  **SNP hardening:**
  - Check launch_measurement against reference values
  - Enforce debug=false in policy
  - Backwards-compatible fallback when no firmware values available

  **Trust claims impact:**
  - executables: 3 (unchanged - init_data still required)
  - hardware: 2 (now conditional on firmware OR fallback)
  - configuration: 2 (now conditional on debug==false)

  **Backwards compatibility:**
  Without firmware reference values in RVPS (kbs.baremetal.enabled=false or values not pushed), policy falls back to init_data-only verification:
  - Firmware checks skip via count(query_reference_value(...)) == 0
  - Attestation succeeds with init_data verification alone
  - No breaking changes to existing deployments

  **With firmware values:**
  When kbs.baremetal.enabled=true and firmware values pushed to RVPS:
  - mr_td/rtmr_1 (TDX) or launch_measurement (SNP) must match
  - debug must be disabled
  - Provides stronger hardware and configuration assurance

  **Security:**
  Debug-disabled enforcement prevents:
  - Memory inspection via hypervisor
  - Secret extraction from guest
  - Single-stepping attacks

  Production workloads MUST run with debug=false.

  Part of Wave 2 (firmware hardening). Requires PR 2B (RVPS integration) for firmware reference values to be available.

* fix: use bracket notation and make Azure TCB checks optional

  Align attestation policy with upstream trustee-operator v1.1.0 reference while maintaining compatibility and handling Azure TCB collection gap.

  Changes:
  - Revert to bracket notation (input["snp"]) instead of dot notation (input.snp) for field access - prior testing showed issues with dots
  - Keep underscore field names (az_snp_vtpm, reported_tcb_bootloader)
  - Make Azure TCB/firmware checks optional with fallbacks:
    - az_snp_vtpm: hardware claim 2 with TCB, fallback to 3 without
    - az_snp_vtpm: configuration claim 2 with platform config, fallback to 3
    - az_tdx_vtpm: hardware claim 2 with mr_td, fallback to 3 without
    - az_tdx_vtpm: configuration claim 2 with xfam, fallback to 3 without
  - Bare metal TDX/SNP: all TCB checks remain required (collectible via veritas)

  Rationale: Azure TCB values are embedded in runtime attestation evidence but reference value collection workflow not yet documented/implemented. Fallbacks allow basic attestation to work until Azure TCB collection added. Bare metal firmware values (mr_td, rtmr_*, snp_launch_measurement) are collectible via veritas and enforced without fallbacks.

* fix: enforce init_data check in bare metal configuration fallbacks

  Ensure init_data is always validated even when firmware reference values (xfam for TDX, platform config for SNP) are not available.

  Changes:
  - Bare metal TDX configuration fallback: add init_data check
  - Bare metal SNP configuration fallback: add init_data check

  Rationale: init_data validates runtime configuration (workload image, environment variables, secrets). This check must pass regardless of whether optional firmware/platform reference values are available.

  Security impact: Prevents attestation from succeeding with only debug checks when init_data reference values are missing.

* feat: add validated identifiers and align resource policy with upstream

  Align attestation and resource policies with trustee-operator v1.1.0 reference implementation for complete workload identity binding and trustworthiness-vector validation.

  Attestation policy changes:
  - Add EAR extensions with validated identifiers (container images, UIDs)
  - Parse init_data_claims to extract workload metadata
  - Bind workload identity to hardware attestation evidence
  - Applied to both default_cpu.rego and default_gpu.rego

  Resource policy changes:
  - Align with upstream resource-policy-restrictive.rego
  - Replace simple ear.status check with trustworthiness-vector validation
  - Check executables, configuration, and hardware claims separately
  - Require claims in affirming range (2-31)
  - Add kbs.resourcePolicy.enforceHardware flag (default: true)
  - When false, hardware claim failures are bypassed

  New values:
  - kbs.baremetal.enabled: false (firmware reference values feature gate)
  - kbs.resourcePolicy.enforceHardware: true (hardware claim enforcement)

  Security impact:
  - EAR tokens now include validated workload identifiers for audit trail
  - Resource policy enforces granular trust claim validation
  - Hardware enforcement can be disabled for environments without TCB values

  Upstream alignment:
  - attestation-policy.yaml: matches ear_default_attestation_policy_cpu.rego
  - resource-policy.yaml: matches resource-policy-restrictive.rego
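The commit message describes a resource policy that checks the executables, configuration and hardware trust claims of the EAR trustworthiness vector separately, requires each to fall in the affirming range 2-31, and lets `kbs.resourcePolicy.enforceHardware=false` bypass hardware-claim failures. The Rego below is an added illustration of that decision logic written for this page; it is not the chart's `resource-policy.yaml` and not taken from trustee-operator. It assumes the EAR appraisal for the CPU submodule is found at `input["submods"]["cpu0"]["ear.trustworthiness-vector"]` and that the Helm flag is templated into the `enforce_hardware` constant; both are assumptions, as is the `deny_reasons` set, which exists only to make a denial explain itself in the KBS decision log.

```rego
package policy

import rego.v1

# Added example (not the chart's resource-policy.yaml). Assumes the
# CPU submodule appraisal of the EAR token lives at input.submods.cpu0.
default allow := false

# Assumed to be templated from kbs.resourcePolicy.enforceHardware
# (default true). Set to false only where no TCB reference values exist.
enforce_hardware := true

tv := input["submods"]["cpu0"]["ear.trustworthiness-vector"]

# EAR trust claim values 2..31 are "affirming"; 32..95 are warnings,
# 96..127 contraindicated, 0/1 unknown. Only affirming values pass.
affirming(v) if {
	v >= 2
	v <= 31
}

# Each claim is judged on its own instead of relying on ear.status,
# so a warning in one category cannot hide behind a pass in another.
executables_ok if affirming(tv["executables"])

configuration_ok if affirming(tv["configuration"])

# Hardware must be affirming unless enforcement is switched off; the
# bypass is explicit and never affects executables or configuration.
hardware_ok if affirming(tv["hardware"])

hardware_ok if not enforce_hardware

allow if {
	executables_ok
	configuration_ok
	hardware_ok
}

# Assumed helper for operators: which claim blocked the release.
deny_reasons contains "executables" if not executables_ok

deny_reasons contains "configuration" if not configuration_ok

deny_reasons contains "hardware" if not hardware_ok
```

With `enforce_hardware := true`, a token carrying `{"executables": 3, "configuration": 2, "hardware": 33}` is denied with `deny_reasons == {"hardware"}`, while the same token with `enforce_hardware := false` is allowed, which is exactly the trade-off the flag exposes: the release still depends on init_data-backed executables and configuration claims, but firmware provenance is no longer asserted.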
1 parent 5844a0f commit d140fac

3 files changed

Lines changed: 378 additions & 49 deletions

0 commit comments
