
feat: add firmware reference values ESO and RVPS integration#27

Merged: butler54 merged 1 commit into validatedpatterns:main from butler54:feat/firmware-reference-values on May 28, 2026

Conversation

@butler54

Collaborator

Overview

Enable bare metal attestation policy enforcement using firmware measurements (Intel TDX / AMD SEV-SNP) collected via veritas and stored in Vault.

This is PR 2B of Wave 2 (firmware hardening) from the bare metal attestation hardening plan.

Changes

New Template

📦 templates/firmware-refvals-eso.yaml - ExternalSecret (gated on kbs.baremetal.enabled)

  • Pulls from secret/data/hub/firmwareReferenceValues in Vault
  • Creates firmware-reference-values secret in trustee-operator-system
  • sync-wave 1 (before RVPS policy)

Modified Template

🔄 templates/rvps-values-policies.yaml - Add firmware reference value block
Reads firmware-reference-values secret and appends to RVPS ConfigMap:

  • mr_td: TDX initial TD measurement (SHA-384)
  • rtmr_1: TDX firmware + bootloader (SHA-384)
  • rtmr_2: TDX kernel + initrd (SHA-384)
  • snp_launch_measurement: SNP initial memory measurement (SHA-384)
  • xfam: TDX extended feature mask (hex)

Each value is an array (supports multi-version via merged values). Conditionally appends only if key exists in secret.

New Value

⚙️ kbs.baremetal.enabled: false (default off, enabled per-profile)

  • Controls firmware ESO creation
  • Enables bare metal-specific attestation features

Integration Flow

  1. Firmware values collected via veritas and pushed to Vault (coco-pattern PR 2A workflow)
  2. ESO syncs from Vault → firmware-reference-values secret (sync-wave 1)
  3. RVPS policy reads secret → builds rvps-reference-values ConfigMap (sync-wave 6)
  4. Attestation policy enforces firmware checks using RVPS values (PR 2C)

Backwards Compatibility

Fully backwards compatible:

  • ESO only created when kbs.baremetal.enabled=true
  • RVPS block conditionally appends if secret exists
  • No functional change when disabled
  • Azure deployments unaffected

Testing

Tested on bare metal cluster with:

  • Firmware values collected via veritas
  • Values pushed to Vault at secret/data/hub/firmwareReferenceValues
  • ESO synced successfully
  • RVPS ConfigMap contains firmware reference values

Dependencies

  • Requires coco-pattern PR 2A for firmware value collection workflow
  • Followed by PR 2C for attestation policy enforcement

Related

Part of Wave 2 (firmware hardening) from the bare metal attestation hardening roadmap.
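The secret-to-RVPS step described above, as an added Python example that is not part of this PR or the coco-pattern repository: it decodes a Kubernetes Secret's base64 `data`, emits only the keys that exist, keeps every value as an array, and rejects values that are not well-formed SHA-384 digests (or a hex mask for `xfam`). The single-value-or-JSON-array encoding of each key and the `{key: [values]}` output shape are assumptions, not taken from the PR.

```python
import base64
import json
import re

# Reference-value keys named in the PR and the shape each must have:
# SHA-384 digests are 48 bytes, i.e. 96 hex characters; xfam is a hex bitmask.
SHA384_KEYS = ("mr_td", "rtmr_1", "rtmr_2", "snp_launch_measurement")
HEX_KEYS = ("xfam",)
_SHA384_RE = re.compile(r"^[0-9a-f]{96}$")
_HEX_RE = re.compile(r"^(0x)?[0-9a-f]+$")


def decode_secret_data(data):
    """Decode the base64 'data' map of a Kubernetes Secret into plain strings."""
    return {k: base64.b64decode(v).decode() for k, v in data.items()}


def _as_list(raw):
    # Assumption (not from the PR): a key holds either a single value or a
    # JSON array of values, one per firmware version.
    raw = raw.strip()
    return json.loads(raw) if raw.startswith("[") else [raw]


def build_reference_values(secret):
    """Return {key: [values]} the way the RVPS block appends them.

    Every value is an array (so several firmware versions can be merged) and a
    key is emitted only when it exists in the secret.  Malformed digests raise
    instead of being passed through, so a corrupted secret cannot silently
    weaken the reference set that attestation will be checked against.
    """
    out = {}
    for key in SHA384_KEYS + HEX_KEYS:
        if key not in secret:
            continue  # conditional append: absent keys are simply skipped
        pattern = _SHA384_RE if key in SHA384_KEYS else _HEX_RE
        values = [v.lower() for v in _as_list(secret[key])]
        for v in values:
            if not pattern.match(v):
                raise ValueError(f"{key}: malformed reference value {v!r}")
        out[key] = values
    return out


# Constructed sample Secret data (base64, as kubectl shows it), not real
# measurements: two mr_td versions, one rtmr_1, an xfam mask, no SNP value.
SAMPLE_SECRET_DATA = {
    "mr_td": base64.b64encode(json.dumps(["ab" * 48, "cd" * 48]).encode()).decode(),
    "rtmr_1": base64.b64encode(("01" * 48).encode()).decode(),
    "xfam": base64.b64encode(b"0xe0").decode(),
}

if __name__ == "__main__":
    print(json.dumps(build_reference_values(decode_secret_data(SAMPLE_SECRET_DATA)), indent=2))
```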

Enable bare metal attestation policy enforcement using firmware measurements
(Intel TDX / AMD SEV-SNP) collected via veritas and stored in Vault.

**New template:**
- templates/firmware-refvals-eso.yaml: ExternalSecret (gated on kbs.baremetal.enabled)
  Pulls from secret/data/hub/firmwareReferenceValues into firmware-reference-values
  secret in trustee-operator-system namespace

**Modified template:**
- templates/rvps-values-policies.yaml: Add firmware reference value block
  Reads firmware-reference-values secret and appends to RVPS ConfigMap:
  - mr_td: TDX initial TD measurement (SHA-384)
  - rtmr_1: TDX firmware + bootloader (SHA-384)
  - rtmr_2: TDX kernel + initrd (SHA-384)
  - snp_launch_measurement: SNP initial memory measurement (SHA-384)
  - xfam: TDX extended feature mask (hex)

  Each value is an array (supports multi-version via merged values)
  Conditionally appends only if key exists in secret

**New value:**
- kbs.baremetal.enabled: false (default off, enabled per-profile)
  Controls firmware ESO creation and enables bare metal-specific features

**Integration:**
- Firmware values pushed to Vault via coco-pattern scripts/collect-firmware-refvals.sh
- ESO syncs from Vault to firmware-reference-values secret (sync-wave 1)
- RVPS policy reads secret and builds ConfigMap (sync-wave 6)
- Attestation policy (PR 2C) will enforce firmware checks using RVPS values

**Backwards compatible:**
- ESO only created when kbs.baremetal.enabled=true
- RVPS block conditionally appends if secret exists
- No functional change when disabled

Part of Wave 2 (firmware hardening) from bare metal attestation plan.
This is PR 2B - requires PR 2A (coco-pattern workflow) for value collection.
@butler54 butler54 merged commit 5844a0f into validatedpatterns:main May 28, 2026
4 checks passed
@butler54 butler54 deleted the feat/firmware-reference-values branch May 28, 2026 05:31