Create Policy

Learn to create a policy in vHSM that defines what actions an attested identity can perform after successful remote attestation.

Note:

If you started Nitride with the vhsm nitride init command, it performs a series of operations to configure and secure your environment:

  1. Creates the essential Nitride identities: platform, firmware, and workload.

  2. Creates and attaches a Nitride policy from an embedded policy configuration.

  3. Generates attestation objects based on your setup.

  4. Bootstraps the environment to allow secure workload attestation and the issuance of access tokens with the appropriate permissions.

Creating a policy

  1. Create a policy.json file that defines the actions or capabilities, and the resources or paths, that the identity is allowed to access after successful attestation. To create a policy that is attached to a provider, see the vhsm nitride policy -help command.

{
	"name": "nitride-policy",
	"identities": {
		"provider": "azure-sev-snp-vtpm",
		"platform": [
			{
				"name": "amd-sev-snp-milan-vcek"
			}
		],
		"firmware": [
			{
				"name": "azure-dc2as-v5"
			}
		],
		"workload": {
			"name": "azure-sev-snp-vtpm-ubuntu-jammy",
			"policy": {
				"hash": false,
				"pcrs.0": false
			}
		},
		"metadata": null
	}
}

Where:

  • name: Logical name of the policy.

  • identities: the provider, platform, firmware, and workload identities the policy applies to, as shown in the example above.

  2. Use the vhsm nitride policy create command to register the policy:

vhsm nitride policy create @policy.json

The @policy.json syntax tells the CLI to read the file and embed its contents directly in the request.

The output is similar to:

Key           Value
---           -----
created       1742820324
identities    map[firmware:[map[name:azure-dc2asv5 policy:<nil>]] metadata:<nil> platform:[map[name:amd-sev-snp-milan-vcek policy:<nil>]] provider:azure-sev-snp-vtpm workload:<nil>]
name          nitride-policy

  3. Verify that the policy was created:

vhsm nitride policy list

The output is similar to:

Keys
----
nitride-policy

You can also reference this policy in your attestation.json to bind it to specific identities.
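A malformed policy.json (a missing identity name, or a workload check written as the string "false" instead of a boolean) is easier to catch before it is registered than after attestation fails. The following pre-flight check is an added example, not part of vHSM or its CLI; the structure it enforces is an assumption inferred from the sample policy above, not an official schema.

```python
# Pre-flight check for a Nitride policy.json before it is registered.
# Assumed shape, inferred from the sample above (not an official vHSM schema):
#   name                         non-empty string
#   identities.provider          non-empty string
#   identities.platform/firmware non-empty lists of {"name": str}
#   identities.workload          {"name": str, "policy": {<check>: bool}} (policy optional)
import json

def validate_policy(doc: dict) -> list[str]:
    """Return the problems found; an empty list means the document looks well-formed."""
    problems = []
    if not isinstance(doc.get("name"), str) or not doc["name"]:
        problems.append("name must be a non-empty string")
    ids = doc.get("identities")
    if not isinstance(ids, dict):
        return problems + ["identities must be an object"]
    if not isinstance(ids.get("provider"), str) or not ids["provider"]:
        problems.append("identities.provider must be a non-empty string")
    for kind in ("platform", "firmware"):
        entries = ids.get(kind)
        if not isinstance(entries, list) or not entries:
            problems.append(f"identities.{kind} must be a non-empty list")
            continue
        for i, entry in enumerate(entries):
            if not isinstance(entry, dict) or not isinstance(entry.get("name"), str):
                problems.append(f"identities.{kind}[{i}] needs a string 'name'")
    wl = ids.get("workload")
    if not isinstance(wl, dict) or not isinstance(wl.get("name"), str):
        problems.append("identities.workload needs a string 'name'")
    else:
        # Each workload check ("hash", "pcrs.0", ...) must be a JSON boolean, not a string.
        for key, val in (wl.get("policy") or {}).items():
            if not isinstance(val, bool):
                problems.append(f"identities.workload.policy[{key!r}] must be true/false")
    return problems

def validate_policy_file(path: str) -> list[str]:
    """Load a policy.json from disk and validate it before 'vhsm nitride policy create'."""
    with open(path, encoding="utf-8") as fh:
        return validate_policy(json.load(fh))

# Constructed in-memory copy of the policy.json shown above, so the check runs offline.
SAMPLE = json.loads("""{"name": "nitride-policy", "identities": {
  "provider": "azure-sev-snp-vtpm",
  "platform": [{"name": "amd-sev-snp-milan-vcek"}],
  "firmware": [{"name": "azure-dc2as-v5"}],
  "workload": {"name": "azure-sev-snp-vtpm-ubuntu-jammy",
               "policy": {"hash": false, "pcrs.0": false}},
  "metadata": null}}""")
```

Call validate_policy_file("policy.json") before step 2; a non-empty list means the file should be fixed before it is registered.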
