Skip to content

Add node ID in resource policy #51

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Nov 25, 2025
Merged

Add node ID in resource policy #51

merged 3 commits into from
Nov 25, 2025

Conversation

@Jakob-Naucke
Copy link
Contributor

@Jakob-Naucke Jakob-Naucke commented Nov 12, 2025

Requires initdata-compatible trustee-attester [1] and clevis-pin-trustee [2]. Uses a Trustee that does not verify initdata for now [3].

[1] confidential-containers/guest-components#1163
[2] latchset/clevis-pin-trustee#12
[3] https://github.com/confidential-clusters/trustee/tree/skip-verify-initdata

@Jakob-Naucke Jakob-Naucke requested a review from alicefr November 12, 2025 14:13
@alicefr
Copy link
Contributor

alicefr commented Nov 12, 2025

@Jakob-Naucke I forgot, is it trustee always checking pcr8 with the initdata?

@Jakob-Naucke
Copy link
Contributor Author

Jakob-Naucke commented Nov 12, 2025
edited
Loading

Yes. Setting initdata like in this PR with upstream Trustee will give you:

Verifier evaluate failed: TPM PCR[8] doesn't match expected initdata hash

@alicefr
Copy link
Contributor

alicefr commented Nov 12, 2025
edited
Loading

The PR latchset/clevis-pin-trustee#12 has been merged so we can avoid to branch it and directly refer main

@alicefr
Copy link
Contributor

alicefr commented Nov 12, 2025

But otherwise, LGTM

@Jakob-Naucke
Copy link
Contributor Author

Jakob-Naucke commented Nov 14, 2025
edited
Loading

Do not merge, #50 broke the regular 2-VM setup and this will break it even harder. Working on a fix.

@Jakob-Naucke
Deprecate non-attestation key setups
ac03340 
Broken by the Trustee that requires them, infeasible to keep multiple
versions running.

Signed-off-by: Jakob Naucke <[email protected]>
@Jakob-Naucke
Fix some paths
f934155 
- Add qcows & Trustee keys to .gitignore
- Instruct key creation in README

Signed-off-by: Jakob Naucke <[email protected]>
@Jakob-Naucke
Add node ID in resource policy
9cb7601 
Requires initdata-compatible trustee-attester [1] and
clevis-pin-trustee [2]. Uses a Trustee that does not verify initdata
for now [3].

[1] confidential-containers/guest-components#1163
[2] latchset/clevis-pin-trustee#12
[3] https://github.com/confidential-clusters/trustee/tree/skip-verify-initdata

Signed-off-by: Jakob Naucke <[email protected]>
@Jakob-Naucke
Copy link
Contributor Author

Jakob-Naucke commented Nov 19, 2025

I could also convert to draft instead of writing a comment. Anyway, ready for review.

@alicefr
Copy link
Contributor

alicefr commented Nov 25, 2025

@Jakob-Naucke we don't want this to be merged right?

@Jakob-Naucke
Copy link
Contributor Author

Jakob-Naucke commented Nov 25, 2025

Yes we do (modulo review of course), I removed the broken workflows. Let me cross out the DNM for clarity which I should have done right away.

@Jakob-Naucke Jakob-Naucke merged commit 853f337 into trusted-execution-clusters:main Nov 25, 2025
2 checks passed
@Jakob-Naucke Jakob-Naucke deleted the id-res-policy branch November 25, 2025 18:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alicefr alicefr alicefr approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Jakob-Naucke @alicefr