feat: update policies, RVPS format, and admin config for Trustee 1.1 (#18)

butler54 · claude · web-flow · commit d2c7ad9a704c · 2026-04-22T09:31:45.000+09:00
Trustee 1.1 introduces several breaking changes requiring updates across
the chart:

- OPA attestation policy: use hyphenated TEE keys (az-snp-vtpm,
  az-tdx-vtpm) with bracket notation, query_reference_value() extension
  instead of data.reference, and add trust_claims output object
- Resource policy: migrate to Rego v1 syntax (import rego.v1, :=, if)
- RVPS reference values: switch to top-level value array format and
  include both secure and debug initdata PCR8 hashes
- KBS admin config: add kbs.admin.format value (default v1.0) to
  support v1.1 type = "Simple" with [[admin.personas]] format

Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/templates/attestation-policy.yaml b/templates/attestation-policy.yaml
@@ -14,66 +14,43 @@ data:
     default hardware := 97
     default configuration := 36
 
-    ## miminimal but reliable attestation policy
-    ## hardware and firmware changes. This is not in our control. It's up to the user to update acceptable measurements
-    ## In conjuction with verification with the service provider.
-    ## currently setup for azure vTPM
-
+    trust_claims := {
+      "executables": executables,
+      "hardware": hardware,
+      "configuration": configuration,
+    }
 
     ##### Azure vTPM SNP
     executables := 3 if {
-      # input.azsnpvtpm.measurement in data.reference.measurement
-      input.azsnpvtpm.tpm.pcr03 in data.reference.snp_pcr03
-      input.azsnpvtpm.tpm.pcr08 in data.reference.snp_pcr08
-      input.azsnpvtpm.tpm.pcr09 in data.reference.snp_pcr09
-      input.azsnpvtpm.tpm.pcr11 in data.reference.snp_pcr11
-      input.azsnpvtpm.tpm.pcr12 in data.reference.snp_pcr12
+      input["az-snp-vtpm"].tpm.pcr03 in query_reference_value("snp_pcr03")
+      input["az-snp-vtpm"].tpm.pcr08 in query_reference_value("snp_pcr08")
+      input["az-snp-vtpm"].tpm.pcr09 in query_reference_value("snp_pcr09")
+      input["az-snp-vtpm"].tpm.pcr11 in query_reference_value("snp_pcr11")
+      input["az-snp-vtpm"].tpm.pcr12 in query_reference_value("snp_pcr12")
     }
 
     hardware := 2 if {
-      # Check the reported TCB to validate the ASP FW
-      # input.azsnpvtpm.reported_tcb_bootloader in data.reference.tcb_bootloader
-      # input.azsnpvtpm.reported_tcb_microcode in data.reference.tcb_microcode
-      # input.azsnpvtpm.reported_tcb_snp in data.reference.tcb_snp
-      # input.azsnpvtpm.reported_tcb_tee in data.reference.tcb_tee
-      input.azsnpvtpm
+      input["az-snp-vtpm"]
     }
 
-    # For the 'configuration' trust claim 2 stands for
-    # "The configuration is a known and approved config."
-    #
-    # For this, we compare all the configuration fields.
     configuration := 2 if {
-      # input.azsnpvtpm.platform_smt_enabled in data.reference.smt_enabled
-      # input.azsnpvtpm.platform_tsme_enabled in data.reference.tsme_enabled
-      # input.azsnpvtpm.policy_abi_major in data.reference.abi_major
-      # input.azsnpvtpm.policy_abi_minor in data.reference.abi_minor
-      # input.azsnpvtpm.policy_single_socket in data.reference.single_socket
-      # input.azsnpvtpm.policy_smt_allowed in data.reference.smt_allowed
-      input.azsnpvtpm
+      input["az-snp-vtpm"]
     }
 
     ##### Azure vTPM TDX
     executables := 3 if {
-      input.aztdxvtpm.tpm.pcr03 in data.reference.tdx_pcr03
-      input.aztdxvtpm.tpm.pcr08 in data.reference.tdx_pcr08
-      input.aztdxvtpm.tpm.pcr09 in data.reference.tdx_pcr09
-      input.aztdxvtpm.tpm.pcr11 in data.reference.tdx_pcr11
-      input.aztdxvtpm.tpm.pcr12 in data.reference.tdx_pcr12
+      input["az-tdx-vtpm"].tpm.pcr03 in query_reference_value("tdx_pcr03")
+      input["az-tdx-vtpm"].tpm.pcr08 in query_reference_value("tdx_pcr08")
+      input["az-tdx-vtpm"].tpm.pcr09 in query_reference_value("tdx_pcr09")
+      input["az-tdx-vtpm"].tpm.pcr11 in query_reference_value("tdx_pcr11")
+      input["az-tdx-vtpm"].tpm.pcr12 in query_reference_value("tdx_pcr12")
     }
 
     hardware := 2 if {
-      # Check the quote is a TDX quote signed by Intel SGX Quoting Enclave
-      input.aztdxvtpm.quote.header.tee_type == "81000000"
-      input.aztdxvtpm.quote.header.vendor_id == "939a7233f79c4ca9940a0db3957f0607"
-
-      # Check TDX Module version and its hash. Also check OVMF code hash.
-      # input.aztdxvtpm.quote.body.mr_seam in data.reference.mr_seam
-      # input.aztdxvtpm.quote.body.tcb_svn in data.reference.tcb_svn
-      # input.aztdxvtpm.quote.body.mr_td in data.reference.mr_td
+      input["az-tdx-vtpm"].quote.header.tee_type == "81000000"
+      input["az-tdx-vtpm"].quote.header.vendor_id == "939a7233f79c4ca9940a0db3957f0607"
     }
 
     configuration := 2 if {
-      # input.aztdxvtpm.quote.body.xfam in data.reference.xfam
-      input.aztdxvtpm
+      input["az-tdx-vtpm"]
     }
diff --git a/templates/kbs-config-map.yaml b/templates/kbs-config-map.yaml
@@ -13,8 +13,17 @@ data:
     private_key = "/etc/https-key/tls.key"
     certificate = "/etc/https-cert/tls.crt"
     [admin]
+    {{- if eq (default "v1.0" .Values.kbs.admin.format) "v1.1" }}
+    type = "Simple"
+    insecure_api = false
+
+    [[admin.personas]]
+    id = "admin"
+    public_key_path = "/etc/auth-secret/publicKey"
+    {{- else }}
     insecure_api = false
     auth_public_key = "/etc/auth-secret/publicKey"
+    {{- end }}
 
     [attestation_token]
     insecure_key = false
diff --git a/templates/reference-values.yaml b/templates/reference-values.yaml
@@ -7,7 +7,5 @@ metadata:
   annotations:
     argocd.argoproj.io/sync-wave: "4"
 data:
-  reference-values.json: |
-    [
-    ]
+  reference-values.json: '[]'
 {{ end }}
diff --git a/templates/resource-policy.yaml b/templates/resource-policy.yaml
@@ -8,7 +8,11 @@ metadata:
 data:
   policy.rego: |
     package policy
-    default allow = false
-    allow {
+
+    import rego.v1
+
+    default allow := false
+
+    allow if {
       input["submods"]["cpu0"]["ear.status"] == "affirming"
     }
diff --git a/templates/rvps-values-policies.yaml b/templates/rvps-values-policies.yaml
@@ -20,12 +20,13 @@ spec:
         severity: medium
         object-templates-raw: |
           {{`{{- $pcr8Hash := fromConfigMap "imperative" "initdata" "PCR8_HASH" -}}`}}
+          {{`{{- $debugPcr8Hash := fromConfigMap "imperative" "debug-initdata" "PCR8_HASH" -}}`}}
           {{`{{- $secretData := (lookup "v1" "Secret" "trustee-operator-system" "pcr-stash").data.json | base64dec | fromJson -}}`}}
           {{`{{- $pcr03 := $secretData.measurements.sha256.pcr03 -}}`}}
           {{`{{- $pcr09 := $secretData.measurements.sha256.pcr09 -}}`}}
           {{`{{- $pcr11 := $secretData.measurements.sha256.pcr11 -}}`}}
           {{`{{- $pcr12 := $secretData.measurements.sha256.pcr12 -}}`}}
-          {{`{{- $referenceValues := list (dict "name" "snp_pcr03" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr03)) (dict "name" "tdx_pcr03" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr03)) (dict "name" "snp_pcr08" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr8Hash)) (dict "name" "tdx_pcr08" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr8Hash)) (dict "name" "snp_pcr09" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr09)) (dict "name" "tdx_pcr09" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr09)) (dict "name" "snp_pcr11" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr11)) (dict "name" "tdx_pcr11" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr11)) (dict "name" "snp_pcr12" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr12)) (dict "name" "tdx_pcr12" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr12)) -}}`}}
+          {{`{{- $referenceValues := list (dict "name" "snp_pcr03" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr03)) (dict "name" "tdx_pcr03" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr03)) (dict "name" "snp_pcr08" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr8Hash $debugPcr8Hash)) (dict "name" "tdx_pcr08" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr8Hash $debugPcr8Hash)) (dict "name" "snp_pcr09" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr09)) (dict "name" "tdx_pcr09" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr09)) (dict "name" "snp_pcr11" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr11)) (dict "name" "tdx_pcr11" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr11)) (dict "name" "snp_pcr12" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr12)) (dict "name" "tdx_pcr12" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr12)) -}}`}}
           - complianceType: mustonlyhave
             objectDefinition:
               apiVersion: v1
diff --git a/values.yaml b/values.yaml
@@ -20,6 +20,11 @@ global:
 
 # KBS (Key Broker Service) configuration
 kbs:
+  admin:
+    # Admin config format: "v1.0" for Trustee 1.0 (auth_public_key),
+    # "v1.1" for Trustee 1.1+ (type = "Simple" with [[admin.personas]])
+    format: "v1.0"
+
   # Security policy is an expected secret and is required to be pushed into the KBS
   # presumes security policy flavour is signed
   cosignKeys: secret/data/hub/coSignKeys
