Register Identities

Learn to register identities that are critical for enabling secure workload attestation and enforcing policies based on the trustworthiness of the underlying platform, firmware, and workload.

Note:

If you started Nitride with the vhsm nitride init command, it already performs a series of operations to configure and secure your environment:

  1. Creates the essential Nitride identities: platform, firmware, and workload.

  2. Creates and attaches a Nitride policy from an embedded policy configuration.

  3. Generates attestation objects based on your setup.

  4. Bootstraps the environment to allow secure workload attestation and the issuance of access tokens with the appropriate permissions.

Registering identities

Note:

  • Identity names must be unique within the environment.

  • Make sure the identity metadata (such as serial numbers and digests) matches what the workload attests at runtime; an identity whose values do not match the evidence will not pass attestation.

  • Keep your identity definitions version-controlled for reproducibility.

  1. Create a JSON file representing the platform identity, which identifies the host or virtual machine, for example a file named platform.json. For more information about how to get the value for root_of_trust, see Create identities and Policies. Ensure that you replace amd-sev-snp-milan-vcek in root_of_trust with the name of the certificate chain stored in the vHSM:

{
  "type": "platform",
  "name": "amd-sev-snp-milan-vcek",
  "values": {
    "firmware": ">= 1.55.22",
    "root_of_trust": "amd-sev-snp-milan-vcek"
  }
}

  2. Create a JSON file representing the firmware identity, which identifies the trusted execution environment (such as SEV-SNP or TDX), for example a file named firmware.json that contains the following:

{
  "type": "firmware",
  "name": "azure-dc2as-v5",
  "values": {
    "measurement": "122d0d6fcd1b714a7c34f32d0dc9262ab08976cc8e22132b40ef2569f1dcc47b71ba617debed11563389d7a3f8481d99"
  }
}

  3. Create a JSON file representing the workload identity, which identifies the application or container that is attested before it can access secrets or resources, for example a file named workload.json that contains the following:

{
  "type": "workload",
  "name": "azure-sev-snp-vtpm-ubuntu-jammy",
  "values": {
    "hash": "SHA512",
    "pcrs": {
      "0": "054cfc271ddcbd79285968a660bf84ad5b0ca308d2355ce4e0934cecb89590ed",
      "1": "c273c7c778afae92ec7227855d4585444bd7818df9134ba6bf75d53ed8017ebf"
    }
  }
}

  4. Use the vhsm nitride identity create command to register each identity.

Note: The @filename.json syntax tells the CLI to read the file and embed its content directly as the identity definition.

Register Platform Identity:

vhsm nitride identity create @platform.json

Register Firmware Identity:

vhsm nitride identity create @firmware.json

Register Workload Identity:

vhsm nitride identity create @workload.json

  5. To verify that the identities were created:

vhsm nitride identity list

Output is similar to:

Keys
----
firmware/
platform/
workload/
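Before running the create commands from step 4, it is worth checking the identity files for the mistakes the notes above warn about (duplicate names, missing fields, digests that are not hex). The following is an added example, not part of the vHSM or Nitride tooling: it validates the three definitions shown on this page plus one constructed bad file, and only emits the registration commands when every check passes. The field rules it enforces (allowed type values, lowercase hex digests, numeric PCR indices) are assumptions drawn from the examples on this page, not a documented schema.

```python
"""Pre-flight checks for Nitride identity definition files.

Added example, not part of the vHSM tooling. The checks reflect the notes
above (unique names, metadata that must match attested values) and the
shape of the example files on this page; they are not an official schema.
"""
import json
import re
from pathlib import Path

VALID_TYPES = {"platform", "firmware", "workload"}
HEX_RE = re.compile(r"[0-9a-f]+")  # lowercase hex, as in the page's examples


def validate_identity(doc):
    """Return a list of problems with one identity document (empty list = ok)."""
    if not isinstance(doc, dict):
        return ["identity must be a JSON object"]
    errors = []
    kind = doc.get("type")
    if kind not in VALID_TYPES:
        errors.append(f"unknown type {kind!r}; expected one of {sorted(VALID_TYPES)}")
    name = doc.get("name")
    if not isinstance(name, str) or not name.strip():
        errors.append("name must be a non-empty string")
    values = doc.get("values")
    if not isinstance(values, dict) or not values:
        errors.append("values must be a non-empty object")
        return errors
    if kind == "platform" and "root_of_trust" not in values:
        errors.append("platform identity needs values.root_of_trust")
    if kind == "firmware":
        measurement = values.get("measurement", "")
        if not isinstance(measurement, str) or not HEX_RE.fullmatch(measurement):
            errors.append("firmware measurement must be a lowercase hex digest")
    if kind == "workload":
        if not isinstance(values.get("hash"), str):
            errors.append("workload identity needs values.hash (digest algorithm name)")
        pcrs = values.get("pcrs")
        if not isinstance(pcrs, dict) or not pcrs:
            errors.append("workload identity needs a non-empty values.pcrs object")
        else:
            for idx, digest in pcrs.items():
                if not idx.isdigit():
                    errors.append(f"PCR index {idx!r} is not numeric")
                if not isinstance(digest, str) or not HEX_RE.fullmatch(digest):
                    errors.append(f"PCR {idx} value must be a lowercase hex digest")
    return errors


def validate_set(docs):
    """Validate [(filename, doc), ...] together; names must be unique in the environment."""
    problems = {}
    seen = {}  # name -> file that first used it
    for fname, doc in docs:
        errs = validate_identity(doc)
        name = doc.get("name") if isinstance(doc, dict) else None
        if name in seen:
            errs.append(f"duplicate name {name!r} (already used by {seen[name]})")
        elif name:
            seen[name] = fname
        if errs:
            problems[fname] = errs
    return problems


def registration_commands(docs):
    """The step 4 CLI invocations, one per file; empty if any check failed."""
    if validate_set(docs):
        return []
    return [f"vhsm nitride identity create @{fname}" for fname, _ in docs]


def load_identity_files(paths):
    """Read identity JSON files from disk into the [(filename, doc), ...] shape."""
    return [(Path(p).name, json.loads(Path(p).read_text())) for p in paths]


# Sample input: the three identities shown on this page, plus one constructed
# file that reuses the firmware name and carries a non-hex measurement.
PLATFORM = {"type": "platform", "name": "amd-sev-snp-milan-vcek",
            "values": {"firmware": ">= 1.55.22", "root_of_trust": "amd-sev-snp-milan-vcek"}}
FIRMWARE = {"type": "firmware", "name": "azure-dc2as-v5",
            "values": {"measurement": "122d0d6fcd1b714a7c34f32d0dc9262ab08976cc8e22132b40ef2569f1dcc47b71ba617debed11563389d7a3f8481d99"}}
WORKLOAD = {"type": "workload", "name": "azure-sev-snp-vtpm-ubuntu-jammy",
            "values": {"hash": "SHA512", "pcrs": {
                "0": "054cfc271ddcbd79285968a660bf84ad5b0ca308d2355ce4e0934cecb89590ed",
                "1": "c273c7c778afae92ec7227855d4585444bd7818df9134ba6bf75d53ed8017ebf"}}}
DUPLICATE = {"type": "firmware", "name": "azure-dc2as-v5",
             "values": {"measurement": "NOT-HEX"}}  # constructed, deliberately invalid

GOOD_SET = [("platform.json", PLATFORM), ("firmware.json", FIRMWARE), ("workload.json", WORKLOAD)]
BAD_SET = GOOD_SET + [("firmware-copy.json", DUPLICATE)]

if __name__ == "__main__":
    for cmd in registration_commands(GOOD_SET):
        print(cmd)
    for fname, errs in validate_set(BAD_SET).items():
        print(f"{fname}: {'; '.join(errs)}")
```

To use it against real files, pass the paths to load_identity_files and feed the result to registration_commands; the commands are only printed, so the operator still runs them explicitly, as in step 4.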
