Commit d140fac
feat: harden bare metal attestation policy with firmware checks (#28)
* feat: harden bare metal attestation policy with firmware checks
Add firmware measurement verification and debug-disabled enforcement for
Intel TDX and AMD SEV-SNP bare metal deployments while maintaining
backwards compatibility.
**TDX hardening:**
- Check mr_td (initial TD measurement) against reference values
- Check rtmr_1 (firmware + bootloader) against reference values
- Verify TEE type and vendor ID
- Enforce debug=false in td_attributes
- Backwards-compatible fallback when no firmware values available
**SNP hardening:**
- Check launch_measurement against reference values
- Enforce debug=false in policy
- Backwards-compatible fallback when no firmware values available
**Trust claims impact:**
- executables: 3 (unchanged - init_data still required)
- hardware: 2 (now conditional on firmware OR fallback)
- configuration: 2 (now conditional on debug==false)
**Backwards compatibility:**
Without firmware reference values in RVPS (kbs.baremetal.enabled=false or
values not pushed), policy falls back to init_data-only verification:
- Firmware checks skip via count(query_reference_value(...)) == 0
- Attestation succeeds with init_data verification alone
- No breaking changes to existing deployments
**With firmware values:**
When kbs.baremetal.enabled=true and firmware values pushed to RVPS:
- mr_td/rtmr_1 (TDX) or launch_measurement (SNP) must match
- debug must be disabled
- Provides stronger hardware and configuration assurance
**Security:**
Debug-disabled enforcement prevents:
- Memory inspection via hypervisor
- Secret extraction from guest
- Single-stepping attacks
Production workloads MUST run with debug=false.
Part of Wave 2 (firmware hardening). Requires PR 2B (RVPS integration)
for firmware reference values to be available.
* fix: use bracket notation and make Azure TCB checks optional
Align attestation policy with upstream trustee-operator v1.1.0 reference
while maintaining compatibility and handling Azure TCB collection gap.
Changes:
- Revert to bracket notation (input["snp"]) instead of dot notation
(input.snp) for field access - prior testing showed issues with dots
- Keep underscore field names (az_snp_vtpm, reported_tcb_bootloader)
- Make Azure TCB/firmware checks optional with fallbacks:
  - az_snp_vtpm: hardware claim 2 with TCB, fallback to 3 without
  - az_snp_vtpm: configuration claim 2 with platform config, fallback to 3
  - az_tdx_vtpm: hardware claim 2 with mr_td, fallback to 3 without
  - az_tdx_vtpm: configuration claim 2 with xfam, fallback to 3 without
- Bare metal TDX/SNP: all TCB checks remain required (collectible via veritas)
Rationale: Azure TCB values are embedded in runtime attestation evidence
but reference value collection workflow not yet documented/implemented.
Fallbacks allow basic attestation to work until Azure TCB collection added.
Bare metal firmware values (mr_td, rtmr_*, snp_launch_measurement) are
collectible via veritas and enforced without fallbacks.
* fix: enforce init_data check in bare metal configuration fallbacks
Ensure init_data is always validated even when firmware reference
values (xfam for TDX, platform config for SNP) are not available.
Changes:
- Bare metal TDX configuration fallback: add init_data check
- Bare metal SNP configuration fallback: add init_data check
Rationale: init_data validates runtime configuration (workload image,
environment variables, secrets). This check must pass regardless of
whether optional firmware/platform reference values are available.
Security impact: Prevents attestation from succeeding with only debug
checks when init_data reference values are missing.
* feat: add validated identifiers and align resource policy with upstream
Align attestation and resource policies with trustee-operator v1.1.0
reference implementation for complete workload identity binding and
trustworthiness-vector validation.
Attestation policy changes:
- Add EAR extensions with validated identifiers (container images, UIDs)
- Parse init_data_claims to extract workload metadata
- Bind workload identity to hardware attestation evidence
- Applied to both default_cpu.rego and default_gpu.rego
Resource policy changes:
- Align with upstream resource-policy-restrictive.rego
- Replace simple ear.status check with trustworthiness-vector validation
- Check executables, configuration, and hardware claims separately
- Require claims in affirming range (2-31)
- Add kbs.resourcePolicy.enforceHardware flag (default: true)
- When false, hardware claim failures are bypassed
New values:
- kbs.baremetal.enabled: false (firmware reference values feature gate)
- kbs.resourcePolicy.enforceHardware: true (hardware claim enforcement)
Security impact:
- EAR tokens now include validated workload identifiers for audit trail
- Resource policy enforces granular trust claim validation
- Hardware enforcement can be disabled for environments without TCB values
Upstream alignment:
- attestation-policy.yaml: matches ear_default_attestation_policy_cpu.rego
- resource-policy.yaml: matches resource-policy-restrictive.rego
1 parent 5844a0f commit d140fac
3 files changed
Lines changed: 378 additions & 49 deletions
0 commit comments
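The gating logic the four commit messages describe, modelled in Python as an added example. This is not trustee's Rego and not code from this repository: it shows how optional firmware reference values (skipped when RVPS holds none, enforced when they are pushed), the debug=false requirement and the always-required init_data check combine into an executables/hardware/configuration trust vector, and how a restrictive resource policy then accepts only claims in the affirming range 2-31, with the hardware claim bypassable as kbs.resourcePolicy.enforceHardware=false allows. Assumptions of the example: the RVPS store is a dict of reference name to accepted values, the failure claim values 33/97/36 are arbitrary non-affirming numbers, `platform_config` is a placeholder name for the SNP platform configuration value, and all measurements are constructed strings.

```python
"""Python model of the trust-claim gating described in the commit message.
Added example, not trustee's Rego."""
import copy
from typing import Any

# EAR trustworthiness tiers: claim values 2..31 are "affirming".
AFFIRMING = range(2, 32)

# Claim values emitted when a check fails. The specific numbers are an
# assumption of this example; anything outside 2..31 is rejected below.
FAIL_EXECUTABLES, FAIL_HARDWARE, FAIL_CONFIGURATION = 33, 97, 36

# Reference values consulted per TEE. "platform_config" is a placeholder
# name (assumption) for the SNP "platform config" the commit mentions.
FIRMWARE_REFS = {
    "tdx": {"hardware": ["mr_td", "rtmr_1"], "configuration": ["xfam"]},
    "snp": {"hardware": ["launch_measurement"], "configuration": ["platform_config"]},
}


def query_reference_value(rvps: dict[str, list[str]], name: str) -> list[str]:
    """Stand-in for the policy's query_reference_value(): every accepted value
    registered under `name`, or [] when nothing has been pushed (assumed shape)."""
    return rvps.get(name, [])


def firmware_check(name: str, claims: dict[str, Any], rvps: dict[str, list[str]]) -> bool:
    """Backwards-compatible firmware check: skip when RVPS holds no value
    (count(...) == 0); otherwise the claim must equal a registered value, so a
    pushed value that does not match fails and enabling the feature only tightens."""
    refs = query_reference_value(rvps, name)
    if len(refs) == 0:
        return True
    return claims.get(name) in refs


def init_data_ok(evidence: dict[str, Any], rvps: dict[str, list[str]]) -> bool:
    """init_data is never optional: a missing reference value is a failure."""
    return evidence.get("init_data") in query_reference_value(rvps, "init_data")


def debug_disabled(tee: str, claims: dict[str, Any]) -> bool:
    """TDX carries the debug bit in td_attributes, SNP in the guest policy."""
    if tee == "tdx":
        return claims["td_attributes"]["debug"] is False
    return claims["policy"]["debug"] is False


def attestation_policy(evidence: dict[str, Any], rvps: dict[str, list[str]]) -> dict[str, int]:
    """Produce the executables/hardware/configuration trust claims."""
    tee = evidence["tee"]
    claims = evidence[tee]
    names = FIRMWARE_REFS[tee]
    init_ok = init_data_ok(evidence, rvps)
    hw_ok = all(firmware_check(n, claims, rvps) for n in names["hardware"])
    # configuration: debug off, init_data verified, optional config refs match
    cfg_ok = (debug_disabled(tee, claims) and init_ok
              and all(firmware_check(n, claims, rvps) for n in names["configuration"]))
    return {
        "executables": 3 if init_ok else FAIL_EXECUTABLES,
        "hardware": 2 if hw_ok else FAIL_HARDWARE,
        "configuration": 2 if cfg_ok else FAIL_CONFIGURATION,
    }


def resource_policy(vector: dict[str, int], enforce_hardware: bool = True) -> bool:
    """Restrictive resource policy: each claim must be affirming; the hardware
    claim may be bypassed (kbs.resourcePolicy.enforceHardware=false)."""
    exec_ok = vector["executables"] in AFFIRMING
    cfg_ok = vector["configuration"] in AFFIRMING
    hw_ok = vector["hardware"] in AFFIRMING or not enforce_hardware
    return exec_ok and cfg_ok and hw_ok


# Constructed sample evidence and reference stores (not real measurements).
TDX_EVIDENCE = {
    "tee": "tdx", "init_data": "initdata-aaaa",
    "tdx": {"mr_td": "mrtd-1111", "rtmr_1": "rtmr1-2222", "xfam": "xfam-0001",
            "td_attributes": {"debug": False}},
}
SNP_EVIDENCE = {
    "tee": "snp", "init_data": "initdata-bbbb",
    "snp": {"launch_measurement": "lm-3333", "platform_config": "pc-0001",
            "policy": {"debug": False}},
}
RVPS_INIT_DATA_ONLY = {"init_data": ["initdata-aaaa", "initdata-bbbb"]}
RVPS_WITH_FIRMWARE = {**RVPS_INIT_DATA_ONLY, "mr_td": ["mrtd-1111"],
                      "rtmr_1": ["rtmr1-2222"], "launch_measurement": ["lm-3333"]}


def with_debug(evidence: dict[str, Any], enabled: bool) -> dict[str, Any]:
    """Copy of the evidence with the debug bit set as requested."""
    ev = copy.deepcopy(evidence)
    holder = "td_attributes" if ev["tee"] == "tdx" else "policy"
    ev[ev["tee"]][holder]["debug"] = enabled
    return ev


if __name__ == "__main__":
    for label, ev, rvps in [("tdx/fallback", TDX_EVIDENCE, RVPS_INIT_DATA_ONLY),
                            ("tdx/firmware", TDX_EVIDENCE, RVPS_WITH_FIRMWARE),
                            ("snp/debug-on", with_debug(SNP_EVIDENCE, True), RVPS_WITH_FIRMWARE),
                            ("tdx/no-init-data", TDX_EVIDENCE, {})]:
        vec = attestation_policy(ev, rvps)
        print(label, vec, "allow" if resource_policy(vec) else "deny")
```

The two behaviours worth checking against a real policy are the ones the commits single out: an empty reference set must skip a firmware check rather than fail it (so kbs.baremetal.enabled=false keeps existing deployments attesting), while a pushed-but-mismatched value must fail, and a missing init_data reference must sink both executables and configuration so that debug=false alone can never produce an affirming vector.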