feat: add firmware reference values workflow for bare metal attestation#89
Open
butler54 wants to merge 5 commits into
Conversation
Add comprehensive tooling and documentation for collecting and managing firmware reference values (TDX/SNP measurements) used in bare metal attestation policies.

**New documentation:**
- docs/firmware-reference-values.md: Complete workflow guide covering:
  - Architecture of TDX (mr_td, rtmr_1/2, xfam) and SNP measurements
  - SHA-256 vs SHA-384 algorithm clarification (different layers, both correct)
  - Step-by-step collection using veritas tool
  - Multi-OCP-version support via merged arrays
  - Known veritas gaps (TCB versions, SNP policy bits, image measurements)
  - Security considerations and policy trade-offs

**New script:**
- scripts/collect-firmware-refvals.sh: Automated wrapper that:
  - Extracts measurements from veritas JSON output
  - Transforms to KBS/RVPS expected format (arrays of hex strings)
  - Merges with existing Vault values to support multi-version
  - Pushes to secret/data/hub/firmwareReferenceValues

**Integration:**
- Makefile: Add `make push-firmware-refvals REFVALS_FILE=<path>` target
- values-secret.yaml.template: Document firmwareReferenceValues structure

This is PR 2A of Wave 2 (firmware hardening). The actual attestation policy enforcement and ESO integration come in subsequent PRs. Part of the bare metal attestation hardening roadmap.
Add blank lines before lists and code blocks to comply with markdownlint rules MD031 (blanks-around-fences) and MD032 (blanks-around-lists).
Add blank lines before all lists and code blocks to comply with markdownlint rules MD031 (blanks-around-fences) and MD032 (blanks-around-lists). Fixed warnings at lines: 138, 178, 187, 195, 221, 230, 238, 248
Add blank lines before code block (line 265) and list (line 300).
…cycle

Replace direct Vault push script with full lifecycle automation following the established Pattern A (local file → values-secret.yaml → Vault):
- Rewrite collect-firmware-refvals.sh to manage complete pod lifecycle: launch kata pod, install veritas, collect measurements, save locally, cleanup pod via trap handlers
- Change output format from multi-key Vault secret to single JSON blob saved to ~/.coco-pattern/firmware-reference-values.json
- Add --merge option to support multi-OCP-version reference values
- Add --namespace, --output, --runtime-class, --pod-image options
- Update values-secret.yaml.template to reference local JSON file
- Update Makefile targets: collect-firmware-refvals and collect-firmware-refvals-merge
- Update gen-secrets.sh bare metal messaging
- Rewrite docs/firmware-reference-values.md for automated workflow

This aligns firmware reference value management with pcrStash and KBS keys patterns, eliminating manual Vault interaction.

Requires trustee-chart PR validatedpatterns#30 (single JSON blob consumption).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Overview
Add comprehensive tooling and documentation for collecting and managing firmware reference values (TDX/SNP measurements) used in bare metal attestation policies.
This is PR 2A of Wave 2 (firmware hardening) from the bare metal attestation hardening plan.
Changes
Full Lifecycle Automation
🛠️ scripts/collect-firmware-refvals.sh - Complete pod lifecycle automation:
Pattern A Integration (Local File → values-secret → Vault)
`make collect-firmware-refvals` and `make collect-firmware-refvals-merge` targets
Documentation
📘 docs/firmware-reference-values.md - Complete workflow guide:
`make collect-firmware-refvals`
Usage
Output Format
Single JSON object with arrays (supports multiple valid values per field):
Dependencies
Requires trustee-chart PR #30 (change RVPS to consume single JSON blob instead of multi-key secret).
Testing
This PR only adds documentation and tooling. The actual attestation policy enforcement comes in subsequent PRs:
Related
Part of Wave 2 (firmware hardening) from the bare metal attestation hardening roadmap.
Aligns firmware reference value management with established patterns (pcrStash, KBS keys) - eliminates manual Vault interaction.
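The PR describes two transformations but does not show them: turning one veritas collection run into the "arrays of hex strings" layout RVPS expects, and merging that with an existing blob so reference values for several OCP versions coexist (the `--merge` path). The following is an added example, not the PR's collect-firmware-refvals.sh, written to illustrate that merge with validation a defender would want before a value lands in an attestation policy. Assumptions not taken from the PR: the veritas input is modelled as a flat `field -> hex string` dict; the field names `mr_td`, `rtmr_1`, `rtmr_2` and `xfam` come from the PR text, while `snp_measurement` is a placeholder name; the 96-hex-character checks reflect that TDX MRTD/RTMRs and the SNP launch measurement are SHA-384 digests; all sample values are constructed.

```python
"""Added example (not the PR's script): build and merge the single-JSON-blob
firmware reference value layout (one array of hex strings per field)."""
import json
import re

HEX_RE = re.compile(r"^[0-9a-f]+$")

# Fields that carry SHA-384 digests (48 bytes = 96 hex chars). Assumption:
# field names mirror the PR text; "snp_measurement" is a placeholder.
DIGEST_FIELDS = {"mr_td": 96, "rtmr_1": 96, "rtmr_2": 96, "snp_measurement": 96}


def normalize(value: str, field: str) -> str:
    """Lower-case, strip an optional 0x prefix, and reject anything that is not
    an even-length hex string (or a digest of the wrong length)."""
    v = value.strip().lower()
    if v.startswith("0x"):
        v = v[2:]
    if not HEX_RE.match(v) or len(v) % 2:
        raise ValueError(f"{field}: not an even-length hex string: {value!r}")
    want = DIGEST_FIELDS.get(field)
    if want is not None and len(v) != want:
        raise ValueError(f"{field}: expected {want} hex chars, got {len(v)}")
    return v


def to_refvals(measurements: dict) -> dict:
    """One collection run -> {field: [hex]} (the RVPS-style array layout)."""
    return {field: [normalize(v, field)] for field, v in measurements.items()}


def merge_refvals(existing: dict, new: dict) -> dict:
    """Per-field union: keep order of first appearance, drop duplicates, and
    never remove a value already present (the multi-OCP-version case)."""
    merged = {field: list(values) for field, values in existing.items()}
    for field, values in new.items():
        bucket = merged.setdefault(field, [])
        for v in values:
            if v not in bucket:
                bucket.append(v)
    return merged


# Constructed sample data (not real measurements): a blob already stored for
# one OCP version, and a fresh veritas-style run for a second version.
EXISTING_BLOB = {
    "mr_td": ["aa" * 48],
    "rtmr_1": ["bb" * 48],
}
NEW_RUN = {
    "mr_td": ("CC" * 48),        # new firmware build, upper-case from the tool
    "rtmr_1": ("bb" * 48),       # unchanged, must not be duplicated
    "xfam": "0xe718060000000000",  # feature mask, not a digest
}


def merged_blob() -> dict:
    """Merge the constructed sample and return the resulting blob."""
    return merge_refvals(EXISTING_BLOB, to_refvals(NEW_RUN))


def rejects_bad_value() -> bool:
    """A truncated digest must be rejected rather than silently stored."""
    try:
        to_refvals({"mr_td": "ab" * 20})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(merged_blob(), indent=2))
    print("bad value rejected:", rejects_bad_value())
```

Running the block prints the merged JSON blob: `mr_td` holds two entries (old and new firmware), `rtmr_1` still holds one, and `xfam` is added, which is exactly the "multiple valid values per field" shape the PR's output format describes; the final line confirms a malformed digest is refused before it could reach Vault.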