Create Attestation

Learn to create an attestation profile in vHSM using the CLI to enable trusted workload execution based on identity and access policies.

Note:

If you started Nitride by using the vhsm nitride init command then, it performs a series of operations to configure and secure your environment:

Creates essential Nitride identities, including: platform, firmware, and workload
Creates and attaches a Nitride policy from an embedded policy configuration.
Generates attestation objects based on your setup.
Bootstraps the environment to allow secure workload attestation and the issuance of access tokens with the appropriate permissions.

Creating attestation

Create a attestation.json file that defines how vHSM verifies identities and applies the policy.

{
  "name": "basic-attestation",
  "policy": "nitride-policy"
}

Where:

Field

Description

name

Logical name of the attestation profile

policy

The policy to apply after successful attestation

Create the attestation profile:

vhsm nitride attestation create @attestation.json

Example output:

Key            Value
---            -----
created        1742558170
description    n/a
events         n/a
name           basic-attestation
namespace      n/a
nonce          n/a
policy         nitride-policy
updated        0
uuid           db5f752d-9688-40e7-922d-ba972bc4e2c7

Check that the attestation profile exists:

vhsm nitride attestation list

View details of the profile:

vhsm nitride attestation read <attestation-profile-uuid>

4. Verify if the attestation was successful.

Note: If the workload in not linked to any attestation provider then you can specify the provider as local-none-debug .

vhsm nitride attestation -provider=<provider-name> report <attestation-profile-uuid>

The output is similar to:

Key                       Value
---                       -----
token                     hvs.CAESIJ5U59CS8UXBfe8-APVoAxayD97efnATwvlRamfXhaNPGh4KHGh2cy51b0xqcjlLQUpBTVJMYllJSFViM09XTWU
token_accessor            6ESlahcrvOUb03mJ8l3g0Wno
token_duration            768h
token_renewable           false
token_policies            ["default" "enclaive-attested"]
identity_policies         []
policies                  ["default" "enclaive-attested"]
token_meta_measurement    ffd92c5d5207afadf3b93be300060a98f9b96bd2a1300c97f1042f2b5f313b964ffc3c14645a7b706c5f6fe5ccfa51d7
token_meta_namespace      n/a
token_meta_workload       19dc0836-bc80-4a4c-8362-4c1f8eb17710
created                   1742714856
description               n/a
events                    n/a
name                      basic-attestation
namespace                 n/a
nonce                     n/a
policy                    azure-dc2asv5-raw
updated                   1742714977
uuid                      19dc0836-bc80-4a4c-8362-4c1f8eb17710

Note: Ensure that the workload UUID 19dc0836-bc80-4a4c-8362-4c1f8eb17710is linked to a policy that matches the attestation provider — in this case, a policy was configured for azure-sev-snp-vtpm.

Last updated 8 months ago

Was this helpful?