Verdictd is a remote attestation implementation comprising of a set of building blocks that utilize Intel/AMD Security features to discover, attest, and enable critical foundation security and confidential computing use-cases. It relies on RATS-TLS to apply the remote attestation fundamentals and standard specifications to maintain a platform data collection service and an efficient verification engine to perform comprehensive trust evaluations. These trust evaluations can be used to govern different trust and security policies applied to any given workload.
Verdictd creates an m-TLS(Mutal Transport Layer Security) connection with Attestation Agent via remote attestation. Mainly functions:
- Implemented verdictd's protocol which includes "decryption" and "get KEK" requests.
- Implemented a ocicrypto containers/ocicrypto compatible gRPC service.
- Implemented a grpc service which can be used to config OPA's policy files.
Please refer design doc to view the design of verdictd.
- rust-lang
- golang
Please refer Download OPA to install OPA tool.
curl -L -o opa https://openpolicyagent.org/downloads/v0.30.1/opa_linux_amd64_static
chmod 755 ./opa
mv opa /usr/local/bin/opa
Install bindgen tool
cargo install protobuf
cargo install bindgen
# Linux(Centos/RHEL)
yum install -y clang-libs clang-devel
# Linux(Ubuntu)
apt-get install llvm-dev libclang-dev clang
cd ${ROOT_DIR}/verdictd/
make
make install
Verdictd relies on rats-tls to listen on tcp socket, the default sockaddr is 127.0.0.1:1234
.
User can use --listen
option to specify a listen address.
verdictd --listen 127.0.0.1:1111
User can use --attester
, --verifier
, --tls
, --crypto
and --mutual
options to specific rats-tls uses instances's type. See details: RATS-TLS
User can use --gRPC
option to specify grpc server's listen address which supports key provider protocol.
verdictd --gRPC [::1]:10000
User can use --config
option to specify configuration server's listen address.
verdictd --config [::1]:10001
These options all exist default values. If user execute ./bin/verdictd
directly, it will execute with following configurations.
verdictd --listen 127.0.0.1:1234 --gRPC [::1]:50000 --config [::1]:60000
Verdictd supports key provider protocol's WrapKey
request by the address designated by --gRPC
option.
So user can use Verdictd and skopeo to generate encrypted container image with the following steps.
# Generate the key provider configuration file
cat <<- EOF >/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf
{
"key-providers": {
"attestation-agent": {
"grpc": "127.0.0.1:50001"
}
}
}
EOF
# Generate a encryption key
cat <<- EOF >/opt/verdictd/keys/84688df7-2c0c-40fa-956b-29d8e74d16c0
1234567890123456789012345678901
EOF
# Launch Verdictd
verdictd --gRPC 127.0.0.1:50001
skopeo --insecure-policy copy docker://docker.io/library/alpine:latest oci:alpine
export OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf
# generate encrypted image
skopeo copy --insecure-policy --encryption-key provider:attestation-agent:84688df7-2c0c-40fa-956b-29d8e74d16c0 oci:alpine oci:alpine-encrypted