vhsm nitride
The vhsm nitride command is the primary entrypoint for interacting with the Enclaive Nitride remote attestation plugin. It provides a full suite of subcommands for managing identities, policies, and attestation workloads.
The default mount path for the Nitride plugin is ratls/. All commands implicitly operate under this path.
vhsm nitride init
Initializes the Nitride attestation backend. This command sets up the plugin at its default path, enables it, and may provision default identities and policies for common platforms (e.g., AWS, Azure). Review any defaults it creates before relying on them in production; a default identity is only as trustworthy as the measurement it carries.
Usage:
vhsm nitride init [options]
Example:
Run the initialization process to set up the Nitride plugin with sensible defaults.
$ vhsm nitride init
Success! Initialized the Nitride attestation plugin at path "ratls/".
Default platform identities and policies have been created.
For more information about using vhsm nitride init with namespaces, see Enable Namespacing.
vhsm nitride identity
Manages the attestation identities. An identity represents a verifiable piece of evidence, such as a specific firmware measurement, a platform certificate, or a workload hash.
Usage:
vhsm nitride identity <subcommand> [args]
Common subcommands include create, read, list, and delete.
Example: Create a new identity
The following command creates a new firmware identity for an Azure VM SKU. The measurement value is a known-good hash of the firmware: a 48-byte digest written as 96 hex characters. Obtain it from a source you already trust (the platform vendor's published value, or a digest you computed from the firmware image you intend to accept), never by copying it out of a report produced by the very machine you are trying to verify, since that turns the check into a tautology.
$ vhsm nitride identity create \
type="firmware" \
name="azure-dc2asv5-firmware" \
values=measurement="ffd92c5d5207afadf3b93be300060a98f9b96bd2a1300c97f1042f2b5f313b964ffc3c14645a7b706c5f6fe5ccfa51d7"
Success! Created new firmware identity "azure-dc2asv5-firmware".
vhsm nitride policy
Manages attestation policies. A policy is a rule that defines a valid set of identities. For an attestation to succeed, the submitted evidence must match all identities referenced in the policy.
Usage:
vhsm nitride policy <subcommand> [args]
(Common subcommands include create, read, list, and delete.)
Example: Create a new policy
The following command creates a policy named ubuntu-container-policy that requires the attesting environment to match both a specific firmware identity and a specific workload (e.g., container image) identity.
$ vhsm nitride policy create name="ubuntu-container-policy" - <<'EOF'
{
  "identities": {
    "provider": "azure-sev-snp-vtpm",
    "firmware": [
      { "name": "azure-dc2asv5-firmware" }
    ],
    "workload": {
      "name": "ubuntu-focal-base-image"
    }
  }
}
EOF
Success! Created policy "ubuntu-container-policy".
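The matching rule used by the identity and policy sections above (every identity the policy references must be satisfied by the submitted evidence, otherwise the attestation fails with a reason such as "measurement mismatch") as an added, illustrative model in Python. This is example code written for this page, not the Nitride plugin's implementation, and it makes two assumptions the page does not confirm: a workload identity is modelled as carrying a "hash" value (the page only shows the firmware "measurement" field), and the "firmware" list is treated as a set of acceptable alternatives, because a VM boots exactly one firmware. The format check in IdentityStore.create is the kind of input validation worth having in front of identity create.

```python
# Added example: an illustrative model of the identity/policy matching rule
# described on this page. It is NOT the Nitride plugin's code. Assumptions:
#  - a firmware identity carries a 48-byte SHA-384 "measurement" (96 hex chars,
#    as in the identity example above); a workload identity carries a "hash"
#    field (the field name "hash" is an assumption, the page does not show it);
#  - the policy's "firmware" list holds acceptable alternatives, since one VM
#    boots exactly one firmware, while the provider and the workload identity
#    must both match (this reading of the list is an assumption).
import hmac
import re

HEX_SHA384 = re.compile(r"^[0-9a-f]{96}$")


class IdentityStore:
    """In-memory stand-in for the identities managed by 'vhsm nitride identity'."""

    def __init__(self):
        self._ids = {}  # (type, name) -> values

    def create(self, type_, name, values):
        # Checks a practitioner would want on 'identity create' input: a firmware
        # measurement must be a well-formed SHA-384 digest, names are unique per type.
        if type_ == "firmware" and not HEX_SHA384.match(values.get("measurement", "")):
            raise ValueError("firmware measurement must be 96 lowercase hex characters")
        if (type_, name) in self._ids:
            raise ValueError(f"{type_} identity {name!r} already exists")
        self._ids[(type_, name)] = dict(values)

    def get(self, type_, name):
        return self._ids[(type_, name)]


def evaluate(policy, evidence, store):
    """Decide whether attestation evidence satisfies a policy.

    evidence is what a verifier extracts from the report, e.g.
    {"provider": ..., "firmware_measurement": ..., "workload_hash": ...}.
    Returns (passed, reason); reasons mirror the log output shown on this page.
    """
    ids = policy["identities"]
    if evidence.get("provider") != ids["provider"]:
        return False, "provider mismatch"
    # Firmware: the reported measurement must equal one of the known-good values.
    # Digests are compared in constant time out of habit; they are not secrets.
    reported = evidence.get("firmware_measurement", "")
    accepted = [store.get("firmware", f["name"])["measurement"] for f in ids["firmware"]]
    if not any(hmac.compare_digest(reported, good) for good in accepted):
        return False, "measurement mismatch"
    # Workload: the running image must match the single referenced workload identity.
    expected = store.get("workload", ids["workload"]["name"])["hash"]
    if not hmac.compare_digest(evidence.get("workload_hash", ""), expected):
        return False, "workload mismatch"
    return True, "ok"


# Constructed sample data using the names from this page.
GOOD_FW = "ffd92c5d5207afadf3b93be300060a98f9b96bd2a1300c97f1042f2b5f313b964ffc3c14645a7b706c5f6fe5ccfa51d7"
GOOD_WL = "sha256:" + "11" * 32  # constructed workload hash, not a real image digest

POLICY = {
    "identities": {
        "provider": "azure-sev-snp-vtpm",
        "firmware": [{"name": "azure-dc2asv5-firmware"}],
        "workload": {"name": "ubuntu-focal-base-image"},
    }
}


def build_store():
    store = IdentityStore()
    store.create("firmware", "azure-dc2asv5-firmware", {"measurement": GOOD_FW})
    store.create("workload", "ubuntu-focal-base-image", {"hash": GOOD_WL})
    return store


def rejects_bad_measurement():
    """True if the store refuses a malformed firmware measurement (input check demo)."""
    try:
        IdentityStore().create("firmware", "bad", {"measurement": "deadbeef"})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    s = build_store()
    good = {"provider": "azure-sev-snp-vtpm", "firmware_measurement": GOOD_FW, "workload_hash": GOOD_WL}
    print(evaluate(POLICY, good, s))                                        # (True, 'ok')
    print(evaluate(POLICY, dict(good, firmware_measurement="00" * 48), s))  # (False, 'measurement mismatch')
```

The point of the model is the failure ordering: provider, then firmware, then workload, each stopping at the first mismatch with a reason that can be written to the audit log. Adding a second entry to the "firmware" list is how a roll-out of new firmware would be tolerated without the policy ever accepting an unknown measurement.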
vhsm nitride attestation
Manages attestation workloads. A workload is the entity being attested. These commands allow you to register workloads, get nonces, and submit reports for verification.
Usage:
vhsm nitride attestation <subcommand> [args]
(Common subcommands include create, report, read, and list.)
Example 1: Create a new workload
This command registers a new workload that will be validated against the ubuntu-container-policy.
$ vhsm nitride attestation create \
name="billing-api-prod" \
policy="ubuntu-container-policy" \
description="Production billing API container"
Key Value
--- -----
uuid 8ebd607e-791b-44a9-a91c-6e2d88f6af0e
name billing-api-prod
policy ubuntu-container-policy
...
Example 2: Perform an attestation
This command retrieves an attestation report from the local hardware and submits it to vHSM for verification against the policy associated with the workload's UUID. It must therefore be run on the machine being attested; the provider flag selects the report format for that platform. On success vHSM returns a token for the workload to use.
$ vhsm nitride attestation report \
-provider=azure-sev-snp-vtpm \
8ebd607e-791b-44a9-a91c-6e2d88f6af0e
Success! Attestation passed.
vHSM token: s.aBcDeFgHiJkLmNoPqRsTuVwXyZ
vhsm nitride log
Views the audit logs for attestation events. This is useful for debugging and monitoring attestation successes and failures.
Usage:
vhsm nitride log [options] [workload_uuid]
Example:
Retrieve all logs for a specific workload UUID.
$ vhsm nitride log 8ebd607e-791b-44a9-a91c-6e2d88f6af0e
Time Event Status Policy
---- ----- ------ ------
2023-10-27T10:00:05Z Report SUCCESS ubuntu-container-policy
2023-10-27T09:45:15Z Report FAIL ubuntu-container-policy (measurement mismatch)
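An added example of turning this log output into something a detection pipeline can act on. It is not part of vHSM and assumes only the column layout shown above (Time, Event, Status, Policy, and an optional parenthesised reason on FAIL lines); the sample lines it parses are constructed for the example. Beyond counting failures it flags regressions: a FAIL that follows an earlier SUCCESS for the same policy, which points at a change in the attested environment (a firmware or image roll-out, or tampering) rather than at a policy that was never right.

```python
# Added example: parse the table printed by 'vhsm nitride log' and run two
# simple detections over it. Not part of vHSM; assumes the output format shown
# on this page (Time, Event, Status, Policy, optional "(reason)" on FAIL lines).
import re
from collections import Counter
from datetime import datetime, timezone

LINE = re.compile(
    r"^(?P<time>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<event>\S+)\s+"
    r"(?P<status>SUCCESS|FAIL)\s+(?P<policy>\S+)(?:\s+\((?P<reason>[^)]*)\))?\s*$"
)


def parse_log(text):
    """Return events oldest-first; header, separator and unrecognised lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def summarize(events):
    """Counts per status plus a breakdown of failure reasons."""
    return {
        "success": sum(e["status"] == "SUCCESS" for e in events),
        "fail": sum(e["status"] == "FAIL" for e in events),
        "fail_reasons": Counter(e["reason"] or "unspecified" for e in events if e["status"] == "FAIL"),
    }


def regressions(events):
    """Failures that follow an earlier success for the same policy.

    A workload that attested before and now fails has changed (or been changed);
    a policy that never passed is more likely a mis-configuration. Treat these
    differently when alerting.
    """
    seen_ok = set()
    out = []
    for e in events:  # events are chronological
        if e["status"] == "SUCCESS":
            seen_ok.add(e["policy"])
        elif e["policy"] in seen_ok:
            out.append(e)
    return out


# Constructed sample output in the format shown above (newest first, as printed).
SAMPLE = """\
Time Event Status Policy
---- ----- ------ ------
2023-10-27T10:00:05Z Report SUCCESS ubuntu-container-policy
2023-10-27T09:45:15Z Report FAIL ubuntu-container-policy (measurement mismatch)
2023-10-27T09:30:00Z Report SUCCESS ubuntu-container-policy
2023-10-27T09:00:00Z Report FAIL ubuntu-container-policy (measurement mismatch)
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE)
    print(summarize(evs))
    for e in regressions(evs):
        print("REGRESSION", e["time"].isoformat(), e["policy"], e["reason"])
```

In use, replace SAMPLE with the captured output of vhsm nitride log for the workload UUID (for example by reading standard input) and run the script on a schedule; the regression list is the set of events worth paging on.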
vhsm nitride totp
Manages Time-based One-Time Passwords (TOTP) for authorizing sensitive operations, such as updating policies or identities in a production environment.
Usage:
vhsm nitride totp <subcommand> [args]
(Common subcommands include create and validate.)
Example: Generate a TOTP for a policy update
$ vhsm nitride totp create policy="ubuntu-container-policy" expiration="5m"
Success! TOTP generated. Use this code to authorize an update.
Code: 843109
vhsm nitride config
Reads the global configuration for the Nitride plugin.
Usage:
vhsm nitride config read
Example:
$ vhsm nitride config read
Key Value
--- -----
namespace true
inline_policy ...