From 0a830c381483a0100d9c7b33995fd1f396e31e3c Mon Sep 17 00:00:00 2001
From: Jakob Naucke
Date: Fri, 31 Oct 2025 16:47:34 +0100
Subject: [PATCH 1/2] trustee-attester/man: Reformat

- Do not use the RB formatter, which drops spaces and alternates bold/non-bold formatting which was probably unintended.
- Indent get-resource subcommand and move below options.

Signed-off-by: Jakob Naucke
---
 .../bin/trustee-attester/trustee-attester.1 | 33 ++++++++++---------
 1 file changed, 18 insertions(+), 15 deletions(-)

diff --git a/attestation-agent/kbs_protocol/src/bin/trustee-attester/trustee-attester.1 b/attestation-agent/kbs_protocol/src/bin/trustee-attester/trustee-attester.1
index 91dea36d4..ec3143388 100644
--- a/attestation-agent/kbs_protocol/src/bin/trustee-attester/trustee-attester.1
+++ b/attestation-agent/kbs_protocol/src/bin/trustee-attester/trustee-attester.1
@@ -6,36 +6,39 @@ trustee-attester \- attest and fetch secrets from Trustee .SH SYNOPSIS .B trustee-attester -.RB OPTIONS -.RB get-resource \-\-path +\-\-url [ OPTIONS ] get-resource \-\-path .SH DESCRIPTION trustee-attester is a simple client to easily attest and fetch secrets (a.k.a confidential resources) from Trustee. -.IR get-resource -Do attestation and get a secret from Trustee. -RESOURCE_PATH is a of format // - -It is assumed that the secret was uploaded to Trustee, with the -exact same RESOURCE_PATH, before trustee-attester runs. - -For more information look at -https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/docs/KBS_URI.md - .SH OPTIONS -.RB \-\-url [\-\-cert-file ] +.B \-\-url [\-\-cert-file ] -.RB \-\-url +.B \-\-url Format of is ://: where is .B http or .B https -.RB \-\-cert-file +.B \-\-cert-file Optional. When is https, add a certificate to verify the Trustee server. +.SH SUBCOMMAND +.IR get-resource +\-\-path + +.RS +Do attestation and get a secret from Trustee. + is a of format // + +It is assumed that the secret was uploaded to Trustee, with the +exact same , before trustee-attester runs. + +For more information look at +https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/docs/KBS_URI.md + .SH EXAMPLES trustee-attester --url http://10.0.0.4:50000 get-resource --path default/secrets/secret1 From 15269b0d615fcd48dc56a0e57143f1587760349e Mon Sep 17 00:00:00 2001 From: Jakob Naucke Date: Wed, 17 Sep 2025 14:56:58 +0200 Subject: [PATCH 2/2] trustee-attester: Allow passing initdata Add `--initdata` flag to trustee-attester, taking initdata as a string. Signed-off-by: Jakob Naucke --- .../src/bin/trustee-attester/README.md | 2 +- .../src/bin/trustee-attester/main.rs | 15 +++++++++++---- .../bin/trustee-attester/trustee-attester.1 | 18 ++++++++++++++++-- 3 files changed, 28 insertions(+), 7 deletions(-) 
diff --git a/attestation-agent/kbs_protocol/src/bin/trustee-attester/README.md b/attestation-agent/kbs_protocol/src/bin/trustee-attester/README.md
index a38b8174d..c36dc5527 100644
--- a/attestation-agent/kbs_protocol/src/bin/trustee-attester/README.md
+++ b/attestation-agent/kbs_protocol/src/bin/trustee-attester/README.md
@@ -23,7 +23,7 @@ cargo build -p kbs_protocol --bin trustee-attester --no-default-features
 
 ## Run: ##
 ```bash
-$ trustee-attester --url [--cert-file ] get-resource --path
+$ trustee-attester --url [--cert-file ] get-resource --path [--initdata ]
 ```
 
 ## Example: ##
diff --git a/attestation-agent/kbs_protocol/src/bin/trustee-attester/main.rs b/attestation-agent/kbs_protocol/src/bin/trustee-attester/main.rs
index b0ee3c731..f8d5a7b28 100644
--- a/attestation-agent/kbs_protocol/src/bin/trustee-attester/main.rs
+++ b/attestation-agent/kbs_protocol/src/bin/trustee-attester/main.rs
@@ -41,6 +41,10 @@ enum Commands {
 /// Document: https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/docs/KBS_URI.md
 #[clap(long, value_parser)]
 path: String,
+
+ /// Initdata string
+ #[clap(long)]
+ initdata: Option,
 },
 }
 
@@ -69,16 +73,19 @@ async fn main() -> Result<()> {
 client_builder = client_builder.add_kbs_cert(&cert)
 }
 
- // Build the client. This client is used throughout the program
- let mut client = client_builder.build()?;
-
 match cli.command {
- Commands::GetResource { path } => {
+ Commands::GetResource { path, initdata } => {
 // resource_path should start with '/' but not with '//'
 let resource_path = match path.starts_with('/') {
 false => format!("/{path}"),
 true => path,
 };
+
+ if let Some(init) = initdata {
+ client_builder = client_builder.add_initdata(init);
+ }
+ let mut client = client_builder.build()?;
+
 let resource = ResourceUri::new("", &resource_path)?;
 let (_token, _key) = client.get_token().await?; // attest first
 let resource_bytes = client.get_resource(resource).await?;
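Review bot: The doc comment `/// Initdata string` on the new `initdata` field is the help text clap prints for `--initdata`, and it says nothing about what the value is or how the attestation uses it; the man page hunk in the same patch explains it as the plaintext initdata whose hash the verifier expects to find measured. Something like `/// Plaintext initdata (e.g. TOML) to attach to the attestation; the verifier is expected to check its measured hash against this` would make the CLI self-describing. The `Commands` enum begins before this hunk.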
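Review bot: The `init` string is passed to `add_initdata` unchanged, so an empty or whitespace-only `--initdata ''` is, as far as this hunk shows, only noticed when the server rejects the evidence, which leaves the operator with an attestation error and no hint that the local input was wrong; a check such as `if init.trim().is_empty() { return Err(...) }` before `client_builder.build()?` would report it where it happens. Whether `add_initdata` validates its argument itself is not visible here. Moving `build()` into the `GetResource` arm also dropped the `// Build the client ...` comment; a one-liner such as `// Attach optional initdata, then build the client used to attest and fetch` would keep the ordering requirement explicit. `main` continues beyond the end of this hunk.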
diff --git a/attestation-agent/kbs_protocol/src/bin/trustee-attester/trustee-attester.1 b/attestation-agent/kbs_protocol/src/bin/trustee-attester/trustee-attester.1 index ec3143388..296dd0077 100644 --- a/attestation-agent/kbs_protocol/src/bin/trustee-attester/trustee-attester.1 +++ b/attestation-agent/kbs_protocol/src/bin/trustee-attester/trustee-attester.1 @@ -6,7 +6,7 @@ trustee-attester \- attest and fetch secrets from Trustee .SH SYNOPSIS .B trustee-attester -\-\-url [ OPTIONS ] get-resource \-\-path +\-\-url [ OPTIONS ] get-resource \-\-path [ RESOURCE-OPTIONS ] .SH DESCRIPTION trustee-attester is a simple client to easily attest and fetch secrets @@ -27,7 +27,7 @@ Optional. When is https, add a certificate to verify the Trustee serv .SH SUBCOMMAND .IR get-resource -\-\-path +\-\-path [\-\-initdata ] .RS Do attestation and get a secret from Trustee. @@ -36,6 +36,11 @@ Do attestation and get a secret from Trustee. It is assumed that the secret was uploaded to Trustee, with the exact same , before trustee-attester runs. +Plaintext initdata can optionally be passed as a string with the +.B \-\-initdata +flag. The verifier will generally expect its hash to be measured, +e.g. in PCR8 when using the TPM attester. + For more information look at https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/docs/KBS_URI.md @@ -45,6 +50,15 @@ trustee-attester --url http://10.0.0.4:50000 get-resource --path default/secrets trustee-attester --url https://10.0.0.4:50000 --cert-file /etc/trustee-attester/server_cert.pem get-resource --path myrepo/keys/mykey1 +trustee-attester --url http://10.0.0.4:50000 get-resource --path default/secrets/secret2 +--initdata 'version = "0.1.0" +.br +algorithm = "sha256" +.br +[data] +.br +key1 = "value1"' + .SH NOTES .B trustee-attester is a part of https://github.com/confidential-containers/guest-components.