feat: add baremetal TDX/SNP and NVIDIA GPU attestation support (#21)

* feat: add baremetal TDX and SNP attestation support

Add direct TEE attestation rules for baremetal Intel TDX and AMD SEV-SNP.
These use init_data hash verification (platform-independent) rather than
Azure vTPM PCR measurements.

Make pcr-stash secret lookup conditional in RVPS policy so baremetal
deployments (which lack pcr-stash) don't fail. The init_data reference
value is always included for both Azure and baremetal platforms.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: disable TLS cert verification for PCCS in QCNL config

The PCCS service uses a self-signed certificate which causes
SGX_QL_ROOT_CA_UNTRUSTED errors during TDX quote verification.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: support both Azure vTPM and baremetal init_data reference values

The init_data RVPS entry now includes four values:
- PCR8_HASH (secure + debug): SHA256(zeros || SHA256(toml)) for Azure vTPM
- RAW_HASH padded (secure + debug): SHA256(toml) zero-padded to 48 bytes for baremetal TDX/SNP

This allows a single attestation server to validate both Azure vTPM
attestation (which presents PCR-extended hashes) and baremetal TDX/SNP
attestation (which presents raw SHA-256 initdata hashes in the quote's
mr_config_id field, zero-padded to SHA-384 width).

Long-term, veritas (https://github.com/confidential-devhub/veritas)
should be integrated for comprehensive reference value generation
including firmware, kernel, and RTMR measurements.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: use chained single-item append calls for ACM compatibility

ACM ConfigurationPolicy template engine rejects variadic append
(want 2 got 11). Chain individual append calls instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat: add NVIDIA GPU attestation via NRAS remote verifier

- Add kbs.gpu.enabled value (default false) for GPU attestation support
- Configure NRAS remote verifier when GPU enabled (kbs-config-map)
- Add default_gpu.rego policy for NRAS x-nvidia-* claims
- Add GPU-aware resource policy requiring both cpu0 and gpu0 affirming
- Existing GPU rules in default_cpu.rego handle CPU-class + GPU evidence

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: ensure GPU attestation is required when GPU is enabled

Previously, when GPU attestation was enabled, the policy would still
allow access with only CPU attestation due to the first rule being
unconditionally present. This fix ensures the CPU-only rule only
applies when GPU is disabled, preventing the bypass.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* chore: version bump

Signed-off-by: Chris Butler <chris.butler@redhat.com>

---------

Signed-off-by: Chris Butler <chris.butler@redhat.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: butler54

Chart.yaml

@@ -7,4 +7,4 @@ keywords:
 - confidential-containers
 name: trustee
 # DO NOT EDIT VERSION HERE, IT IS AUTO-GENERATED BY SEMANTIC-RELEASE
-version: 0.3.2
+version: 0.3.3

README.md

@@ -1,6 +1,6 @@
 # trustee
 
-![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square)
+![Version: 0.3.3](https://img.shields.io/badge/Version-0.3.3-informational?style=flat-square)
 
 A Helm chart to provide an opinionated deployment of Trustee in a validated pattern
 
@@ -34,6 +34,7 @@ In order to use this chart, you will need to:
 | kbs.admin.format | string | `"v1.0"` |  |
 | kbs.cosignKeys | string | `"secret/data/hub/coSignKeys"` |  |
 | kbs.extraSecrets | list | `[]` |  |
+| kbs.gpu.enabled | bool | `false` |  |
 | kbs.publicKey | string | `"secret/data/hub/kbsPublicKey"` |  |
 | kbs.secretResources[0].key | string | `"secret/data/hub/kbsres1"` |  |
 | kbs.secretResources[0].name | string | `"kbsres1"` |  |

templates/attestation-policy.yaml

@@ -53,4 +53,78 @@ data:
 
     configuration := 2 if {
       input["az-tdx-vtpm"]
-    }
+    }
+
+    ##### Baremetal TDX
+    executables := 3 if {
+      input["tdx"]
+      input.init_data in query_reference_value("init_data")
+    }
+    hardware := 2 if { input["tdx"] }
+    configuration := 2 if { input["tdx"] }
+
+    ##### Baremetal SNP
+    executables := 3 if {
+      input["snp"]
+      input.init_data in query_reference_value("init_data")
+    }
+    hardware := 2 if { input["snp"] }
+    configuration := 2 if { input["snp"] }
+    {{- if .Values.kbs.gpu.enabled }}
+
+    ##### GPU Attestation (NVIDIA H100/H200) — CPU-class evidence with GPU data
+    hardware := 2 if {
+      input["snp"]
+      input["gpu"]
+    }
+
+    executables := 3 if {
+      input["snp"]
+      input["gpu"]
+      input.init_data in query_reference_value("init_data")
+    }
+
+    configuration := 2 if {
+      input["snp"]
+      input["gpu"]
+    }
+    {{- end }}
+{{- if .Values.kbs.gpu.enabled }}
+  default_gpu.rego: |
+    package policy
+
+    import rego.v1
+
+    default hardware := 97
+    default executables := 33
+    default configuration := 36
+
+    trust_claims := {
+      "executables": executables,
+      "hardware": hardware,
+      "configuration": configuration,
+    }
+
+    hardware := 2 if {
+      input.nvidia
+      input.nvidia["x-nvidia-gpu-attestation-report-cert-chain"]["x-nvidia-cert-status"] == "valid"
+      input.nvidia["x-nvidia-gpu-attestation-report-parsed"]
+      input.nvidia["x-nvidia-gpu-attestation-report-signature-verified"]
+      input.nvidia["x-nvidia-gpu-arch-check"]
+    }
+
+    configuration := 2 if {
+      input.nvidia.secboot
+      input.nvidia.dbgstat == "disabled"
+    }
+
+    executables := 3 if {
+      input.nvidia["x-nvidia-gpu-driver-rim-fetched"]
+      input.nvidia["x-nvidia-gpu-driver-rim-schema-validated"]
+      input.nvidia["x-nvidia-gpu-driver-rim-signature-verified"]
+      input.nvidia["x-nvidia-gpu-vbios-rim-fetched"]
+      input.nvidia["x-nvidia-gpu-vbios-rim-schema-validated"]
+      input.nvidia["x-nvidia-gpu-vbios-rim-signature-verified"]
+      input.nvidia.measres == "success"
+    }
+{{- end }}

templates/kbs-config-map.yaml

@@ -52,6 +52,11 @@ data:
     [attestation_service.rvps_config.storage]
     type = "LocalJson"
     file_path = "/opt/confidential-containers/rvps/reference-values/reference-values.json"
+    {{- if .Values.kbs.gpu.enabled }}
+
+    [attestation_service.verifier_config.nvidia_verifier]
+    type = "Remote"
+    {{- end }}
 
     [[plugins]]
     name = "resource"

templates/resource-policy.yaml

@@ -12,7 +12,15 @@ data:
     import rego.v1
 
     default allow := false
+    {{- if not .Values.kbs.gpu.enabled }}
 
     allow if {
       input["submods"]["cpu0"]["ear.status"] == "affirming"
-    }
+    }
+    {{- else }}
+
+    allow if {
+      input["submods"]["cpu0"]["ear.status"] == "affirming"
+      input["submods"]["gpu0"]["ear.status"] == "affirming"
+    }
+    {{- end }}

templates/rvps-values-policies.yaml

@@ -21,12 +21,29 @@ spec:
         object-templates-raw: |
           {{`{{- $pcr8Hash := fromConfigMap "imperative" "initdata" "PCR8_HASH" -}}`}}
           {{`{{- $debugPcr8Hash := fromConfigMap "imperative" "debug-initdata" "PCR8_HASH" -}}`}}
-          {{`{{- $secretData := (lookup "v1" "Secret" "trustee-operator-system" "pcr-stash").data.json | base64dec | fromJson -}}`}}
+          {{`{{- $rawHash := fromConfigMap "imperative" "initdata" "RAW_HASH" -}}`}}
+          {{`{{- $debugRawHash := fromConfigMap "imperative" "debug-initdata" "RAW_HASH" -}}`}}
+          {{`{{- $rawHashPadded := printf "%s00000000000000000000000000000000" $rawHash -}}`}}
+          {{`{{- $debugRawHashPadded := printf "%s00000000000000000000000000000000" $debugRawHash -}}`}}
+          {{`{{- $referenceValues := list (dict "name" "init_data" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr8Hash $debugPcr8Hash $rawHashPadded $debugRawHashPadded)) -}}`}}
+          {{`{{- $pcrStash := (lookup "v1" "Secret" "trustee-operator-system" "pcr-stash") -}}`}}
+          {{`{{- if $pcrStash -}}`}}
+          {{`{{- $secretData := $pcrStash.data.json | base64dec | fromJson -}}`}}
           {{`{{- $pcr03 := $secretData.measurements.sha256.pcr03 -}}`}}
           {{`{{- $pcr09 := $secretData.measurements.sha256.pcr09 -}}`}}
           {{`{{- $pcr11 := $secretData.measurements.sha256.pcr11 -}}`}}
           {{`{{- $pcr12 := $secretData.measurements.sha256.pcr12 -}}`}}
-          {{`{{- $referenceValues := list (dict "name" "snp_pcr03" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr03)) (dict "name" "tdx_pcr03" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr03)) (dict "name" "snp_pcr08" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr8Hash $debugPcr8Hash)) (dict "name" "tdx_pcr08" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr8Hash $debugPcr8Hash)) (dict "name" "snp_pcr09" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr09)) (dict "name" "tdx_pcr09" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr09)) (dict "name" "snp_pcr11" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr11)) (dict "name" "tdx_pcr11" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr11)) (dict "name" "snp_pcr12" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr12)) (dict "name" "tdx_pcr12" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr12)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "snp_pcr03" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr03)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "tdx_pcr03" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr03)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "snp_pcr08" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr8Hash $debugPcr8Hash)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "tdx_pcr08" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr8Hash $debugPcr8Hash)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "snp_pcr09" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr09)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "tdx_pcr09" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr09)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "snp_pcr11" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr11)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "tdx_pcr11" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr11)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "snp_pcr12" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr12)) -}}`}}
+          {{`{{- $referenceValues = append $referenceValues (dict "name" "tdx_pcr12" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr12)) -}}`}}
+          {{`{{- end -}}`}}
           - complianceType: mustonlyhave
             objectDefinition:
               apiVersion: v1

templates/tdx-config.yaml

@@ -9,6 +9,7 @@ metadata:
 data:
   sgx_default_qcnl.conf: |
     {
-      "collateral_service": "{{ .Values.kbs.tdx.collateralService }}"
+      "collateral_service": "{{ .Values.kbs.tdx.collateralService }}",
+      "use_secure_cert": false
     }
 {{- end }}

values.yaml

@@ -48,6 +48,10 @@ kbs:
   # exist in the trustee-operator-system namespace.
   extraSecrets: []
 
+  # NVIDIA GPU confidential computing configuration
+  gpu:
+    enabled: false
+
   # Intel TDX (Trust Domain Extensions) configuration
   tdx:
     # Enable TDX attestation support