Openshift sandboxed containers
KATA-4398

initdata handling for bare metal


    • Bug
    • Resolution: Unresolved
    • Medium
    • OSC 1.11.z
    • Documentation

      Description

      The initdata section is not accurate for bare metal deployments.

      Steps to reproduce

      1. Read chapter 2.
      2. See items 3..5.

      Expected result

      1. How to set reference values in Trustee does not belong in the bare metal provisioning chapter.
      2. How to build the reference values must be told as a clear story of how it works.

      Actual result

      1. The text uses sha384 and sha256.
      2. The text talks about PCRs, which do not exist for bare metal (SEV-SNP or TDX).

      Impact

      • Initdata checking fails.

      Env

      OSC 1.11


      Additional helpful info

      Important rules about how initdata works:

      1. Users can choose any of sha256, sha384 or sha512 as the hash algorithm in the file.
      2. The file can be either JSON or TOML (but currently only TOML is supported on bare metal).
      3. TEEs have different native measurement register widths (SNP HOSTDATA: 32 bytes/sha256, TDX MRCONFIGID: 48 bytes/sha384, etc.). Kata takes this into account, but the native hash algorithm is a good choice since it is used for the other reference values too.

      When computing the reference values for Trustee, the "algorithm = " value in the initdata file must be checked and the hashing tool selected accordingly.

      $ yq -r .metadata.annotations.\"io.katacontainers.config.hypervisor.cc_init_data\" <your pod yaml>.yaml | base64 -d | gunzip | sha384sum
      889abf4718f037e38d74464c11e7c91a6e9890b5546409e1e7df9de7a51ca93152bf847bd2440328e90adb18b150ed67  -
      $ kubectl exec -it tdx-workshop-policy -- curl http://127.0.0.1:8006/aa/token\?token_type\=kbs | jq -r '.token |split(".") | .[1] | @base64d | fromjson | .submods.cpu0."ear.veraison.annotated-evidence".init_data'
      889abf4718f037e38d74464c11e7c91a6e9890b5546409e1e7df9de7a51ca93152bf847bd2440328e90adb18b150ed67
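      The algorithm selection described above, as an added example that is not part of this issue or of the Kata/OSC tooling: it decodes the cc_init_data annotation the way the yq pipeline does (base64, then gunzip), reads the file's own "algorithm" key instead of assuming sha384, hashes with that algorithm, and reports whether it matches the TEE's native register width. The regex-based key lookup and the sample initdata are constructed for the example.

```python
import base64
import gzip
import hashlib
import re

# Algorithms an initdata file may name in its top-level "algorithm" key.
SUPPORTED_ALGORITHMS = {"sha256", "sha384", "sha512"}

# Native measurement-register width per TEE, as stated in the issue:
# SNP HOSTDATA is 32 bytes (sha256), TDX MRCONFIGID is 48 bytes (sha384).
NATIVE_ALGORITHM = {"snp": "sha256", "tdx": "sha384"}


def encode_initdata(initdata_toml: bytes) -> str:
    """Pack TOML the way the cc_init_data annotation carries it: gzip, then base64."""
    return base64.b64encode(gzip.compress(initdata_toml)).decode()


def decode_initdata(annotation_value: str) -> bytes:
    """Reverse of encode_initdata: base64-decode, then gunzip (the yq pipeline's steps)."""
    return gzip.decompress(base64.b64decode(annotation_value))


def initdata_algorithm(initdata_toml: bytes) -> str:
    """Read the top-level 'algorithm = "..."' key. A regex stands in for a TOML
    parser (constructed simplification) so the example needs only the stdlib."""
    m = re.search(rb'^\s*algorithm\s*=\s*"([^"]+)"', initdata_toml, re.MULTILINE)
    if not m:
        raise ValueError("initdata has no top-level 'algorithm' key")
    algo = m.group(1).decode()
    if algo not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported initdata hash algorithm: {algo}")
    return algo


def reference_value(annotation_value: str) -> tuple[str, str]:
    """Return (algorithm, hex digest) to register with Trustee, hashing the
    decompressed TOML with the algorithm the file itself names."""
    raw = decode_initdata(annotation_value)
    algo = initdata_algorithm(raw)
    return algo, hashlib.new(algo, raw).hexdigest()


def is_native_algorithm(algo: str, tee: str) -> bool:
    """True when the file's algorithm matches the TEE's native register width."""
    return NATIVE_ALGORITHM.get(tee) == algo


# Constructed sample initdata; not taken from any real pod.
SAMPLE_INITDATA = b'algorithm = "sha384"\nversion = "0.1.0"\n\n[data]\n"aa.toml" = ""\n'
SAMPLE_ANNOTATION = encode_initdata(SAMPLE_INITDATA)
```

      Running reference_value(SAMPLE_ANNOTATION) yields the same digest as the sha384sum pipeline would on that file, and a file declaring sha256 is hashed with sha256 instead.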


              gnecasov@redhat.com Gabriela Necasova
              rh-ee-mylinen Mikko Ylinen