
Offline file system KBC module

The offline file system KBC reads keys and resources from files present in the guest file system. It is only secure to use when the guest file system is at no point readable by a hypothetical adversary, such as with IBM Secure Execution for Linux (IBM Z & LinuxONE). Being an offline module, it is not a broker client in the stricter sense of the word. See the offline file system KBS for the corresponding software used to wrap keys.

Usage

The guest must provide OpenSSL at runtime. Keys must be provided in the guest file system at /etc/aa-offline_fs_kbc-keys.json in the following form:

{
    "key_id1": "base64-encoded-key",
    "key_id2": "base64-encoded-key",
    ...
}

with the 32-byte keys base64-encoded.

The script generate_keys.sh can be used to generate sample keys from /dev/random if that fits your use case sufficiently well. Here is a sample generated keys file, aa-offline_fs_kbc-keys.json.

Resources must be provided in the guest file system at /etc/aa-offline_fs_kbc-resources.json in the following form:

{
  "Policy": "<base64-encoded content from policy.json>",
  "Sigstore Config": "<base64-encoded content from sigstore_config.yaml>",
  "GPG Keyring": "<base64-encoded content from pubkey.gpg>",
  "Cosign Key": "<base64-encoded content from cosign.pub>",
  "Credential": "<base64-encoded content from auth.json>"
}

Each value is the base64-encoded content of the corresponding file and can be generated with commands such as the following (-w 0 stops GNU base64 from wrapping its output at 76 columns, which would otherwise put line breaks inside the JSON string):

base64 -w 0 </path/to/policy.json>
base64 -w 0 </path/to/sigstore_config.yaml>
base64 -w 0 </path/to/pubkey.gpg>
base64 -w 0 </path/to/cosign.pub>
base64 -w 0 </path/to/auth.json>

Here is a sample resource file, aa-offline_fs_kbc-resources.json, which is based on the files in the sample_kbc folder.

AA with this KBC can be built and run with e.g.:

cd attestation-agent
make KBC=offline_fs_kbc && make install
attestation-agent --keyprovider_sock 127.0.0.1:47777 --getresource_sock 127.0.0.1:48888
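As an added example (not part of the attestation-agent project), the helpers below render and check the two files described above: a resources file built from raw file contents using the resource names this README lists, and a keys file whose every value must decode to exactly 32 bytes. The resource names, the 32-byte key length and the JSON layout come from this page; the function names and the use of os.urandom in place of /dev/random are assumptions of the example.

```python
"""Helpers for the offline_fs_kbc file formats (added example, not project code)."""
import base64
import json
import os

KEY_BYTES = 32  # the README requires 32-byte keys
# Resource names exactly as they appear in aa-offline_fs_kbc-resources.json
RESOURCE_NAMES = ("Policy", "Sigstore Config", "GPG Keyring", "Cosign Key", "Credential")


def build_resources(contents: dict[str, bytes]) -> str:
    """Render aa-offline_fs_kbc-resources.json from raw file contents.

    b64encode emits a single line, so each value is a valid JSON string
    without any post-processing of wrapped output.
    """
    unknown = set(contents) - set(RESOURCE_NAMES)
    if unknown:
        raise ValueError(f"unknown resource names: {sorted(unknown)}")
    encoded = {name: base64.b64encode(data).decode("ascii") for name, data in contents.items()}
    return json.dumps(encoded, indent=2)


def generate_keys(key_ids: list[str]) -> str:
    """Render aa-offline_fs_kbc-keys.json with fresh 32-byte keys (os.urandom, assumed)."""
    keys = {kid: base64.b64encode(os.urandom(KEY_BYTES)).decode("ascii") for kid in key_ids}
    return json.dumps(keys, indent=4)


def validate_keys(text: str) -> dict[str, bytes]:
    """Parse a keys file and reject any value that is not base64 of exactly 32 bytes."""
    keys = {}
    for kid, value in json.loads(text).items():
        try:
            raw = base64.b64decode(value, validate=True)  # strict alphabet check
        except (ValueError, TypeError) as exc:
            raise ValueError(f"key {kid!r}: not valid base64 ({exc})") from None
        if len(raw) != KEY_BYTES:
            raise ValueError(f"key {kid!r}: {len(raw)} bytes, expected {KEY_BYTES}")
        keys[kid] = raw
    return keys


def load_resource(text: str, name: str) -> bytes:
    """Decode one resource back to the original file content."""
    return base64.b64decode(json.loads(text)[name], validate=True)
```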