Merged
Expand Up @@ -23,7 +23,7 @@ cargo build -p kbs_protocol --bin trustee-attester --no-default-features
## Run: ##

```bash
$ trustee-attester --url <Trustee-URL> [--cert-file <path>] get-resource --path <resource-path>
$ trustee-attester --url <Trustee-URL> [--cert-file <path>] get-resource --path <resource-path> [--initdata <initdata>]
```

## Example: ##
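Review bot: the new `[--initdata <initdata>]` placeholder in the Run: synopsis is never explained in this README hunk, so a reader has no way to tell what the value is or how it is formatted. Add a one-line description under Run: (plaintext initdata string whose hash the verifier expects to see measured, which is how the man page in this same change describes it) and an invocation with `--initdata` under the Example: heading so the README stays in step with the man page.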
15 changes: 11 additions & 4 deletions attestation-agent/kbs_protocol/src/bin/trustee-attester/main.rs
Expand Up @@ -41,6 +41,10 @@ enum Commands {
/// Document: https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/docs/KBS_URI.md
#[clap(long, value_parser)]
path: String,

/// Initdata string
#[clap(long)]
initdata: Option<String>,
},
}
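Review bot: the doc comment `/// Initdata string` on `initdata: Option<String>` becomes the `--help` text for the flag and tells the user nothing about what to pass. Expand it to say this is the plaintext initdata document (the TOML shown in the man page EXAMPLES) whose digest the verifier expects to have been measured, and that it is optional; the sibling `path` field above shows the level of detail that fits here.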

Expand Down Expand Up @@ -69,16 +73,19 @@ async fn main() -> Result<()> {
client_builder = client_builder.add_kbs_cert(&cert)
}

// Build the client. This client is used throughout the program
let mut client = client_builder.build()?;

match cli.command {
Commands::GetResource { path } => {
Commands::GetResource { path, initdata } => {
// resource_path should start with '/' but not with '//'
let resource_path = match path.starts_with('/') {
false => format!("/{path}"),
true => path,
};

if let Some(init) = initdata {
client_builder = client_builder.add_initdata(init);
}
let mut client = client_builder.build()?;

let resource = ResourceUri::new("", &resource_path)?;
let (_token, _key) = client.get_token().await?; // attest first
let resource_bytes = client.get_resource(resource).await?;
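Review bot: moving `let mut client = client_builder.build()?;` from before the `match` into the `GetResource` arm means any other arm of `match cli.command` no longer has a `client` in scope; nothing else is visible in this hunk, so either confirm `GetResource` is the only variant or apply `add_initdata` in the arm and keep the single shared build after the `match`. The removed comment `// Build the client. This client is used throughout the program` should also survive at the new build site, since the relocation is the non-obvious part of this change. Minor: the reassignment `client_builder = client_builder.add_initdata(init);` relies on `client_builder` being `mut`, which the earlier `add_kbs_cert` reassignment suggests it already is, and since the man page example passes a multi-line TOML document as one quoted argument, a companion option that reads the initdata from a file would make long documents easier to supply.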
Expand Up @@ -6,42 +6,59 @@ trustee-attester \- attest and fetch secrets from Trustee

.SH SYNOPSIS
.B trustee-attester
.RB OPTIONS
.RB get-resource \-\-path <RESOURCE_PATH>
\-\-url <URL-of-Trustee> [ OPTIONS ] get-resource \-\-path <resource-path> [ RESOURCE-OPTIONS ]

.SH DESCRIPTION
trustee-attester is a simple client to easily attest and fetch secrets
(a.k.a confidential resources) from Trustee.

.IR get-resource
Do attestation and get a secret from Trustee.
RESOURCE_PATH is a of format <repo>/<type>/<name>

It is assumed that the secret was uploaded to Trustee, with the
exact same RESOURCE_PATH, before trustee-attester runs.

For more information look at
https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/docs/KBS_URI.md

.SH OPTIONS
.RB \-\-url <URL-of-Trustee> [\-\-cert-file <path-to-certificate>]
.B \-\-url <URL-of-Trustee> [\-\-cert-file <path-to-certificate>]

.RB \-\-url <URL-of-Trustee>
.B \-\-url <URL-of-Trustee>
Format of <URL-of-Trustee> is <protocol>://<host>:<port>
where <protocol> is
.B http
or
.B https

.RB \-\-cert-file <path-to-certificate>
.B \-\-cert-file <path-to-certificate>
Optional. When <protocol> is https, add a certificate to verify the Trustee server.

.SH SUBCOMMAND
.IR get-resource
\-\-path <resource-path> [\-\-initdata <initdata-string>]

.RS
Do attestation and get a secret from Trustee.
<resource-path> is a of format <repo>/<type>/<name>

It is assumed that the secret was uploaded to Trustee, with the
exact same <resource-path>, before trustee-attester runs.

Plaintext initdata can optionally be passed as a string with the
.B \-\-initdata
flag. The verifier will generally expect its hash to be measured,
e.g. in PCR8 when using the TPM attester.

For more information look at
https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/docs/KBS_URI.md

.SH EXAMPLES
trustee-attester --url http://10.0.0.4:50000 get-resource --path default/secrets/secret1

trustee-attester --url https://10.0.0.4:50000 --cert-file /etc/trustee-attester/server_cert.pem
get-resource --path myrepo/keys/mykey1

trustee-attester --url http://10.0.0.4:50000 get-resource --path default/secrets/secret2
--initdata 'version = "0.1.0"
.br
algorithm = "sha256"
.br
[data]
.br
key1 = "value1"'

.SH NOTES
.B trustee-attester
is a part of https://github.com/confidential-containers/guest-components.
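Review bot: the added line `<resource-path> is a of format <repo>/<type>/<name>` carries over the typo from the line it replaces; it should read `<resource-path> is of the format <repo>/<type>/<name>`. Two smaller points in the same hunk: the SUBCOMMAND synopsis line `\-\-path <resource-path> [\-\-initdata <initdata-string>]` is unstyled while the equivalent tokens under OPTIONS use `.B`, and the last EXAMPLES entry splits the `--initdata` value across `.br` macros, which renders correctly but leaves it unclear that the whole TOML document is passed as a single quoted argument; a short sentence saying so next to the example would prevent copy-paste mistakes.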