
linux-system-roles/trustee_attestation_client


trustee_attestation_client

Ansible role for deploying Trustee Guest Components using Podman Quadlets for confidential virtual machine deployments. The role downloads quadlet files and configuration files from a GitHub repository, installs them, and manages them as systemd services. The role also supports an optional secret registration client for disk key registration and optional disk encryption for securing additional storage devices.

Features

  • Trustee Client (Quadlet): Deploys the Trustee guest components Attestation Agent (AA), Confidential Data Hub (CDH) and API Server REST (ASR) using Podman Quadlets fetched from a GitHub repository
  • Secret Registration Client: Utility script and service that registers with the Secret Registration Server on the Trustee server. It acquires the disk encryption key from Trustee and decrypts the designated disk on boot
  • Encrypt Disk: Encrypts the first empty data disk it finds with LUKS2. The encryption key is provided by the Secret Registration Client.

Example of setting the variables:

trustee_attestation_client_quadlet_repo_url: "https://github.com/litian1992/trustee-gc-quadlet-rhel"
trustee_attestation_client_quadlet_repo_path: "quadlet"
trustee_attestation_client_quadlet_repo_branch: "main"
trustee_attestation_client_kbs_url: "https://kbs.example.com"
trustee_attestation_client_kbs_cert_content: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
trustee_attestation_client_secret_registration_enabled: true
trustee_attestation_client_encrypt_disk: true

Example Playbook

An example playbook that applies the role with the variables above set in vars:

- name: Deploy Trustee Guest Components using Podman Quadlets
  hosts: all
  vars:
    trustee_attestation_client_quadlet_repo_url: "https://github.com/litian1992/trustee-gc-quadlet-rhel"
    trustee_attestation_client_quadlet_repo_path: "quadlet"
    trustee_attestation_client_quadlet_repo_branch: "main"
    trustee_attestation_client_kbs_url: "https://kbs.example.com"
    trustee_attestation_client_kbs_cert_content: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
    trustee_attestation_client_secret_registration_enabled: true
    trustee_attestation_client_encrypt_disk: true
  roles:
    - linux-system-roles.trustee_attestation_client

Trustee Client

This task:

  1. Downloads the Podman Quadlets from the designated repository
  2. Configures the settings in /etc/trustee-gc/
  3. Enables and starts trustee-gc.pod as a systemd service

Secret Registration Client

When enabled, this task:

  1. Sends a registration request over HTTPS to the Secret Registration Server to acquire the disk encryption key
  2. When Encrypt Disk is enabled, requests that key again on boot to unlock and mount the disk

Encrypt Disk

When enabled, this task:

  1. Finds the first unpartitioned and unmounted disk
  2. Requests the disk encryption key from the Secret Registration Client
  3. Encrypts the disk with LUKS2 using that key and mounts it at the designated path
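Because step 1 picks a device automatically and step 3 then overwrites it, it is worth seeing which disk would be chosen before the role runs. The following added example (not the role's own code) reproduces that selection from lsblk output; it is stricter than the page's wording in that it also skips disks that carry a filesystem or LUKS signature, a mountpoint, or are read-only. The column list, the sample lsblk lines and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the trustee_attestation_client role: pick the
# first disk that has no child device (partition, LVM, crypt), no filesystem
# or LUKS signature, no mountpoint and is not read-only.
# Input: output of `lsblk -Pno NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME,RO` on stdin.
select_empty_disk() {
  awk '
    {
      # Split the KEY="value" pairs of one lsblk -P line into f[KEY]
      split("", f); line = $0
      while (match(line, /[A-Z]+="[^"]*"/)) {
        pair = substr(line, RSTART, RLENGTH)
        eq = index(pair, "=")
        f[substr(pair, 1, eq - 1)] = substr(pair, eq + 2, length(pair) - eq - 2)
        line = substr(line, RSTART + RLENGTH)
      }
      if (f["TYPE"] == "disk") {
        order[++n] = f["NAME"]
        if (f["FSTYPE"] != "" || f["MOUNTPOINT"] != "" || f["RO"] == "1")
          busy[f["NAME"]] = 1
      }
      # Any device with a parent marks that parent as in use
      if (f["PKNAME"] != "") busy[f["PKNAME"]] = 1
    }
    END {
      for (i = 1; i <= n; i++)
        if (!busy[order[i]]) { print order[i]; exit 0 }
      exit 1   # no eligible disk: nothing the encryption step should touch
    }'
}

# Constructed sample (not captured from a real host): sda holds the root
# filesystem, sdb was already encrypted by an earlier run, sdc is the first
# empty disk and sdd a second one.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME="" RO="0"
NAME="sda1" TYPE="part" FSTYPE="xfs" MOUNTPOINT="/" PKNAME="sda" RO="0"
NAME="sdb" TYPE="disk" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="" RO="0"
NAME="sdc" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME="" RO="0"
NAME="sdd" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME="" RO="0"'

# demo: run the selection over the constructed sample (prints "sdc")
demo() { printf '%s\n' "$SAMPLE_LSBLK" | select_empty_disk; }
```

On a target host, pipe the real `lsblk -Pno NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME,RO` output into select_empty_disk to see which device the encryption step would target.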

License

Whenever possible, please prefer MIT.

Author Information

An optional section for the role authors to include contact information, or a website (HTML is not allowed).

About

Ansible role for managing confidential computing machine deployment
