CoreOS OCP: COS-3413

[coreos/ignition] Integrate remote attestation support using trustee

Type: Story. Priority: Major. Resolution: Unresolved. Status: Ready to Pick.

      [3195526280] Upstream Reporter: Timothée Ravier
      Upstream issue status: Open
      Upstream description:

# Feature Request

      For Confidential Computing use cases, we want to add support for setting up LUKS for the root device using a key that is fetched from a remote server as part of a remote attestation procedure. In our use case, we will be using trustee: https://github.com/confidential-containers/trustee.

## Environment

      What hardware/cloud provider/hypervisor is being used to run Ignition?

      We will start with QEMU & Azure, and will likely extend to Bare Metal, GCP, AWS, etc.

## Desired Feature

Add an entry to the Ignition spec that tells Ignition to use trustee to fetch the key used to set up LUKS for the root device.

Example Butane config:

```
variant: fcos
version: 1.7.0-experimental
boot_device:
  luks:
    trustee:
```

Ignition (the inline object bodies did not survive rendering; `...` marks the elided values):

```
{
  "ignition": { "version": ... },
  "storage": {
    "filesystems": [
      { "device": ... }
    ],
    "luks": [
      { "trustee": ... }
    ]
  }
}
```

## Other Information

      See: https://github.com/confidential-clusters/investigations
