In order for Trustee to work properly with IBM SE, a directory containing certificates and keys needs to be mounted into the Trustee pod file system. More information about the IBM download process can be found here.
By the end of the aforementioned procedure, you should end up with a directory like the following:

```
├── certs
│   ├── ibm-z-host-key-signing-gen2.crt
│   └── DigiCertCA.crt
├── crls
│   ├── ibm-z-host-key-gen2.crl
│   ├── DigiCertTrustedRootG4.crl
│   └── DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
├── hdr
│   └── hdr.bin
├── hkds
│   └── HKD-3931-0275D38.crt
└── rsa
    ├── encrypt_key.pem
    └── encrypt_key.pub
```
To mount the above directory into the Trustee pod filesystem, a Persistent Volume (PV) and a Persistent Volume Claim (PVC) need to be created. The PV/PVC configuration is deployment specific (e.g. it depends on the cloud provider), so it is not covered in this guide.

In a development environment, you may want to create a PV/PVC backed by a local directory. This approach is not recommended for production environments:
PersistentVolume:

```yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: ibmse-pv
  namespace: trustee-operator-system
spec:
  capacity:
    storage: 100Mi
  accessModes:
    - ReadOnlyMany
  storageClassName: ""
  local:
    path: /opt/confidential-containers/ibmse
  nodeAffinity:
    required:
      nodeSelectorTerms:
        - matchExpressions:
            - key: node-role.kubernetes.io/worker
              operator: Exists
```

Note: the `path` has to match a local directory on the worker node, and the correct permissions for this directory must be set:

```bash
sudo chmod -R 755 /opt/confidential-containers/ibmse/
```

PersistentVolumeClaim:

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ibmse-pvc
  namespace: trustee-operator-system
spec:
  accessModes:
    - ReadOnlyMany
  storageClassName: ""
  resources:
    requests:
      storage: 100Mi
```

- Please update the `ibmse-attestation-policy` ConfigMap with the correct values:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ibmse-attestation-policy
  namespace: trustee-operator-system
data:
  default.rego: |
    package policy
    import rego.v1
    default allow = false
    converted_version := sprintf("%v", [input["se.version"]])
    allow if {
        input["se.attestation_phkh"] == "<se.attestation_phkh>"
        input["se.image_phkh"] == "<se.image_phkh>"
        input["se.tag"] == "<se.tag>"
        input["se.user_data"] == "00"
        converted_version == "256"
    }
```

Note: Retrieve the IBM SE fields `<se.attestation_phkh>`, `<se.image_phkh>` and `<se.tag>` for the attestation policy from here.
- Please check the `ibmse-resource-policy` ConfigMap:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ibmse-resource-policy
  namespace: trustee-operator-system
data:
  policy.rego: |
    package policy
    default allow = false
    path := split(data["resource-path"], "/")
    allow {
        count(path) == 3
        input["tee"] == "se"
    }
```

To enable the IBM SE specific configuration in the Trustee pod, the `KbsConfig` custom resource should have the `ibmSEConfigSpec` section populated as in the following example:
```yaml
apiVersion: confidentialcontainers.org/v1alpha1
kind: KbsConfig
metadata:
  name: kbsconfig-sample
  namespace: trustee-operator-system
spec:
  # omitted all the rest of config
  # ...
  kbsAttestationPolicyConfigMapName: ibmse-attestation-policy
  kbsResourcePolicyConfigMapName: ibmse-resource-policy
  kbsServiceType: NodePort
  # IBMSE settings
  ibmSEConfigSpec:
    certStorePvc: ibmse-pvc
```

Note:
- The `kbsAttestationPolicyConfigMapName` has to use `ibmse-attestation-policy` instead of the default `attestation-policy`.
- The `kbsResourcePolicyConfigMapName` has to use `ibmse-resource-policy` instead of the default `resource-policy`.
- The `certStorePvc` has to match the aforementioned PVC name.
- If HTTPS is enabled, make sure to include the worker node IPs in the `[alt_names]` section; here is the document about how to generate a self-signed certificate:

```
[alt_names]
DNS.1 = kbs-service
IP.1 = <ocp-worker-node-0-ip>
IP.2 = <ocp-worker-node-1-ip>
```
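As an added pre-flight check that is not part of the Trustee operator: the script below verifies that the cert-store directory follows the layout shown at the top of this guide before it is exposed through the PV, and renders the `ibmse-attestation-policy` Rego with real values, refusing any `<se.*>` placeholder left in place (a policy still carrying placeholders can never admit a guest, and this catches it before `kubectl apply`). The names `REQUIRED`, `check_cert_store` and `render_attestation_policy` are assumptions of this example.

```python
import re
from pathlib import Path

# Required layout from the directory tree above; variable names use globs.
REQUIRED = {
    "certs": ["ibm-z-host-key-signing-gen2.crt", "DigiCertCA.crt"],
    "crls": ["*.crl"],
    "hdr": ["hdr.bin"],
    "hkds": ["HKD-*.crt"],
    "rsa": ["encrypt_key.pem", "encrypt_key.pub"],
}
# Unfilled '<se.attestation_phkh>' style tokens from the policy above.
PLACEHOLDER = re.compile(r"<se\.[a-z_]+>")
# Same rules as ibmse-attestation-policy; braces doubled for str.format().
POLICY_TEMPLATE = """package policy
import rego.v1
default allow = false
converted_version := sprintf("%v", [input["se.version"]])
allow if {{
    input["se.attestation_phkh"] == "{attestation_phkh}"
    input["se.image_phkh"] == "{image_phkh}"
    input["se.tag"] == "{tag}"
    input["se.user_data"] == "00"
    converted_version == "256"
}}
"""

def check_cert_store(root):
    """Return a list of problems; an empty list means the layout matches."""
    root = Path(root)
    problems = []
    for subdir, patterns in REQUIRED.items():
        d = root / subdir
        if not d.is_dir():
            problems.append(f"missing directory: {subdir}/")
            continue
        for pat in patterns:
            if not any(p.is_file() for p in d.glob(pat)):
                problems.append(f"missing file: {subdir}/{pat}")
    return problems

def render_attestation_policy(attestation_phkh, image_phkh, tag):
    """Fill in the policy; refuse values that are empty or still placeholders."""
    values = {"attestation_phkh": attestation_phkh, "image_phkh": image_phkh, "tag": tag}
    for name, value in values.items():
        if not value or PLACEHOLDER.fullmatch(value):
            raise ValueError(f"{name} is not set: {value!r}")
    return POLICY_TEMPLATE.format(**values)
```

Run `check_cert_store("/opt/confidential-containers/ibmse")` on the worker node before creating the PV, and write the string returned by `render_attestation_policy(...)` into the `default.rego` key of the ConfigMap.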