feat: harden bare metal attestation policy with firmware checks#28
Merged
butler54 merged 4 commits intoMay 28, 2026
Merged
Conversation
Add firmware measurement verification and debug-disabled enforcement for Intel TDX and AMD SEV-SNP bare metal deployments while maintaining backwards compatibility. **TDX hardening:** - Check mr_td (initial TD measurement) against reference values - Check rtmr_1 (firmware + bootloader) against reference values - Verify TEE type and vendor ID - Enforce debug=false in td_attributes - Backwards-compatible fallback when no firmware values available **SNP hardening:** - Check launch_measurement against reference values - Enforce debug=false in policy - Backwards-compatible fallback when no firmware values available **Trust claims impact:** - executables: 3 (unchanged - init_data still required) - hardware: 2 (now conditional on firmware OR fallback) - configuration: 2 (now conditional on debug==false) **Backwards compatibility:** Without firmware reference values in RVPS (kbs.baremetal.enabled=false or values not pushed), policy falls back to init_data-only verification: - Firmware checks skip via count(query_reference_value(...)) == 0 - Attestation succeeds with init_data verification alone - No breaking changes to existing deployments **With firmware values:** When kbs.baremetal.enabled=true and firmware values pushed to RVPS: - mr_td/rtmr_1 (TDX) or launch_measurement (SNP) must match - debug must be disabled - Provides stronger hardware and configuration assurance **Security:** Debug-disabled enforcement prevents: - Memory inspection via hypervisor - Secret extraction from guest - Single-stepping attacks Production workloads MUST run with debug=false. Part of Wave 2 (firmware hardening). Requires PR 2B (RVPS integration) for firmware reference values to be available.
Align attestation policy with upstream trustee-operator v1.1.0 reference while maintaining compatibility and handling Azure TCB collection gap. Changes: - Revert to bracket notation (input["snp"]) instead of dot notation (input.snp) for field access - prior testing showed issues with dots - Keep underscore field names (az_snp_vtpm, reported_tcb_bootloader) - Make Azure TCB/firmware checks optional with fallbacks: - az_snp_vtpm: hardware claim 2 with TCB, fallback to 3 without - az_snp_vtpm: configuration claim 2 with platform config, fallback to 3 - az_tdx_vtpm: hardware claim 2 with mr_td, fallback to 3 without - az_tdx_vtpm: configuration claim 2 with xfam, fallback to 3 without - Bare metal TDX/SNP: all TCB checks remain required (collectible via veritas) Rationale: Azure TCB values are embedded in runtime attestation evidence but reference value collection workflow not yet documented/implemented. Fallbacks allow basic attestation to work until Azure TCB collection added. Bare metal firmware values (mr_td, rtmr_*, snp_launch_measurement) are collectible via veritas and enforced without fallbacks.
Ensure init_data is always validated even when firmware reference values (xfam for TDX, platform config for SNP) are not available. Changes: - Bare metal TDX configuration fallback: add init_data check - Bare metal SNP configuration fallback: add init_data check Rationale: init_data validates runtime configuration (workload image, environment variables, secrets). This check must pass regardless of whether optional firmware/platform reference values are available. Security impact: Prevents attestation from succeeding with only debug checks when init_data reference values are missing.
Align attestation and resource policies with trustee-operator v1.1.0 reference implementation for complete workload identity binding and trustworthiness-vector validation. Attestation policy changes: - Add EAR extensions with validated identifiers (container images, UIDs) - Parse init_data_claims to extract workload metadata - Bind workload identity to hardware attestation evidence - Applied to both default_cpu.rego and default_gpu.rego Resource policy changes: - Align with upstream resource-policy-restrictive.rego - Replace simple ear.status check with trustworthiness-vector validation - Check executables, configuration, and hardware claims separately - Require claims in affirming range (2-31) - Add kbs.resourcePolicy.enforceHardware flag (default: true) - When false, hardware claim failures are bypassed New values: - kbs.baremetal.enabled: false (firmware reference values feature gate) - kbs.resourcePolicy.enforceHardware: true (hardware claim enforcement) Security impact: - EAR tokens now include validated workload identifiers for audit trail - Resource policy enforces granular trust claim validation - Hardware enforcement can be disabled for environments without TCB values Upstream alignment: - attestation-policy.yaml: matches ear_default_attestation_policy_cpu.rego - resource-policy.yaml: matches resource-policy-restrictive.rego
butler54
force-pushed
the
feat/harden-baremetal-attestation
branch
from
558a977 to
7eddc80
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
Add firmware measurement verification and debug-disabled enforcement for Intel TDX and AMD SEV-SNP bare metal deployments while maintaining backwards compatibility.
This is PR 2C of Wave 2 (firmware hardening) from the bare metal attestation hardening plan.
Changes
TDX Hardening
🔒 Firmware verification:
mr_td(initial TD measurement) against reference valuesrtmr_1(firmware + bootloader) against reference values81000000) and Intel vendor ID🛡️ Security configuration:
debug=falseintd_attributesSNP Hardening
🔒 Firmware verification:
launch_measurementagainst reference values🛡️ Security configuration:
debug=falsein policyTrust Claims Impact
Backwards Compatibility
✅ Fully backwards compatible:
Without firmware values (kbs.baremetal.enabled=false or values not pushed):
count(query_reference_value(...)) == 0With firmware values (kbs.baremetal.enabled=true + values in RVPS):
Security Impact
Debug-Disabled Enforcement
Prevents production attack vectors:
Production workloads MUST run with debug=false.
Firmware Measurement Enforcement
When enabled, ensures:
Blocks:
Testing
Tested scenarios:
Dependencies
Related
Part of Wave 2 (firmware hardening) from the bare metal attestation hardening roadmap.
After this merges, trustee-chart v0.5.0 will be released.