diff --git a/templates/firmware-refvals-eso.yaml b/templates/firmware-refvals-eso.yaml
new file mode 100644
index 0000000..03aaec7
--- /dev/null
+++ b/templates/firmware-refvals-eso.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.kbs.baremetal.enabled }}
+---
+apiVersion: "external-secrets.io/v1beta1"
+kind: ExternalSecret
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "1"
+ name: firmware-refvals-eso
+ namespace: trustee-operator-system
+spec:
+ refreshInterval: 15s
+ secretStoreRef:
+ name: {{ .Values.secretStore.name }}
+ kind: {{ .Values.secretStore.kind }}
+ target:
+ name: firmware-reference-values
+ template:
+ type: generic
+ dataFrom:
+ - extract:
+ key: 'secret/data/hub/firmwareReferenceValues'
+{{- end }}
diff --git a/templates/rvps-values-policies.yaml b/templates/rvps-values-policies.yaml
index 33e11aa..db67af7
--- a/templates/rvps-values-policies.yaml
+++ b/templates/rvps-values-policies.yaml
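Review bot: The ExternalSecret is gated only on `.Values.kbs.baremetal.enabled`, yet its `secretStoreRef` is filled from `.Values.secretStore.name`/`.Values.secretStore.kind`, and the values.yaml hunk in this same change refers to a `secretStore.backend` of `"none"`; if that mode means no SecretStore object exists, enabling bare metal there produces an ExternalSecret that can never sync and the firmware reference values silently stay absent. Consider `{{- if and .Values.kbs.baremetal.enabled (ne .Values.secretStore.backend "none") }}`, or a `fail` when both are set, so the misconfiguration surfaces at render time instead of as a missing Secret. Since whatever lands in `firmware-reference-values` becomes the set of firmware measurements the attester trusts, a header comment stating the trust boundary would help the next maintainer, e.g. `# Whoever can write secret/data/hub/firmwareReferenceValues in the backing store, or edit the rendered Secret, decides which firmware passes attestation; restrict both paths accordingly.`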
@@ -44,6 +44,30 @@ spec:
 {{`{{- $referenceValues = append $referenceValues (dict "name" "snp_pcr12" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr12)) -}}`}}
 {{`{{- $referenceValues = append $referenceValues (dict "name" "tdx_pcr12" "expiration" "2027-12-12T00:00:00Z" "value" (list $pcr12)) -}}`}}
 {{`{{- end -}}`}}
+ {{`{{- $firmwareStash := (lookup "v1" "Secret" "trustee-operator-system" "firmware-reference-values") -}}`}}
+ {{`{{- if $firmwareStash -}}`}}
+ {{`{{- $firmwareData := $firmwareStash.data -}}`}}
+ {{`{{- if $firmwareData.mr_td -}}`}}
+ {{`{{- $mrTdValues := ($firmwareData.mr_td | base64dec | fromJson) -}}`}}
+ {{`{{- $referenceValues = append $referenceValues (dict "name" "mr_td" "expiration" "2027-12-12T00:00:00Z" "value" $mrTdValues) -}}`}}
+ {{`{{- end -}}`}}
+ {{`{{- if $firmwareData.rtmr_1 -}}`}}
+ {{`{{- $rtmr1Values := ($firmwareData.rtmr_1 | base64dec | fromJson) -}}`}}
+ {{`{{- $referenceValues = append $referenceValues (dict "name" "rtmr_1" "expiration" "2027-12-12T00:00:00Z" "value" $rtmr1Values) -}}`}}
+ {{`{{- end -}}`}}
+ {{`{{- if $firmwareData.rtmr_2 -}}`}}
+ {{`{{- $rtmr2Values := ($firmwareData.rtmr_2 | base64dec | fromJson) -}}`}}
+ {{`{{- $referenceValues = append $referenceValues (dict "name" "rtmr_2" "expiration" "2027-12-12T00:00:00Z" "value" $rtmr2Values) -}}`}}
+ {{`{{- end -}}`}}
+ {{`{{- if $firmwareData.snp_launch_measurement -}}`}}
+ {{`{{- $snpLaunchValues := ($firmwareData.snp_launch_measurement | base64dec | fromJson) -}}`}}
+ {{`{{- $referenceValues = append $referenceValues (dict "name" "snp_launch_measurement" "expiration" "2027-12-12T00:00:00Z" "value" $snpLaunchValues) -}}`}}
+ {{`{{- end -}}`}}
+ {{`{{- if $firmwareData.xfam -}}`}}
+ {{`{{- $xfamValues := ($firmwareData.xfam | base64dec | fromJson) -}}`}}
+ {{`{{- $referenceValues = append $referenceValues (dict "name" "xfam" "expiration" "2027-12-12T00:00:00Z" "value" $xfamValues) -}}`}}
+ {{`{{- end -}}`}}
+ {{`{{- end -}}`}}
 - complianceType:
mustonlyhave
 objectDefinition:
 apiVersion: v1
diff --git a/values.yaml b/values.yaml
index 03f9bca..bb40e6c 100644
--- a/values.yaml
+++ b/values.yaml
@@ -67,6 +67,16 @@ kbs:
 # For Azure: Use https://global.acccache.azure.net/sgx/certification/v4/
 # For bare metal/Intel: Use https://api.trustedservices.intel.com/sgx/certification/v4/
 collateralService: "https://api.trustedservices.intel.com/sgx/certification/v4/"
+
+ # Bare metal attestation configuration
+ # Enables firmware reference value collection and enforcement
+ baremetal:
+ # Enable bare metal firmware reference values (Intel TDX / AMD SEV-SNP)
+ # When enabled, creates ExternalSecret to pull firmware measurements from Vault
+ # Requires firmware values pushed to secret/data/hub/firmwareReferenceValues
+ # See docs/firmware-reference-values.md in coco-pattern for collection workflow
+ enabled: false
+
 # Attestation token certificate configuration
 # Used when secretStore.backend is "none" (cert-manager generates certs)
 attestation:
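Review bot: The new `lookup` block fails open: if the `firmware-reference-values` Secret is missing, empty, or lacks a key, the `if` guards simply skip it, RVPS receives no `mr_td`/`rtmr_*`/`snp_launch_measurement`/`xfam` reference values, and the policy still renders compliant, so whether unknown firmware is then rejected depends entirely on how the attestation policy handles an absent reference value, which this hunk does not show. When `kbs.baremetal.enabled` is true the absent Secret should be a hard error rather than a silent skip, e.g. wrap the block in the Helm-level `{{- if .Values.kbs.baremetal.enabled }}` and turn `{{- if $firmwareStash -}}` into a failure if the policy template engine offers `fail`; likewise, if `fromJson` here has Sprig's error-swallowing semantics, `mustFromJson` keeps a malformed store entry from becoming an empty reference value. Since these lines are emitted literally (backtick-wrapped) for evaluation at policy time, whoever can write that Secret on the evaluating cluster chooses the trusted firmware measurements, which deserves a comment above the lookup. Separately, the five per-key blocks differ only in the key name and each restates the `2027-12-12T00:00:00Z` expiration; a `range` over the key list, as below, removes the duplication. The `$referenceValues` accumulation begins before this hunk.
```yaml
{{`{{- $firmwareStash := (lookup "v1" "Secret" "trustee-operator-system" "firmware-reference-values") -}}`}}
{{`{{- if $firmwareStash -}}`}}
{{`{{- $firmwareData := $firmwareStash.data -}}`}}
{{`{{- $fwExpiry := "2027-12-12T00:00:00Z" -}}`}}
{{`{{- range $fwKey := (list "mr_td" "rtmr_1" "rtmr_2" "snp_launch_measurement" "xfam") -}}`}}
{{`{{- $fwRaw := index $firmwareData $fwKey -}}`}}
{{`{{- if $fwRaw -}}`}}
{{`{{- $referenceValues = append $referenceValues (dict "name" $fwKey "expiration" $fwExpiry "value" ($fwRaw | base64dec | fromJson)) -}}`}}
{{`{{- end -}}`}}
{{`{{- end -}}`}}
{{`{{- end -}}`}}
```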
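Review bot: The new `baremetal` comments name the store path but not the shape of the data expected there, while the consuming policy template in this same change decodes each of `mr_td`, `rtmr_1`, `rtmr_2`, `snp_launch_measurement` and `xfam` with `base64dec | fromJson` and appends the result directly as the reference `value`, so an operator following only this comment could push a bare hex string and get an unusable reference value. Add a line such as `# Each key (mr_td, rtmr_1, rtmr_2, snp_launch_measurement, xfam) must hold JSON that parses to a list of accepted measurements (matching the list shape of the existing pcr12 entries); keys that are absent are silently skipped by the RVPS policy.` The comment also says "from Vault", whereas the ExternalSecret reads from whatever `secretStore.name`/`secretStore.kind` points at, so `from the configured SecretStore` would be more accurate.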