Verify identities and policies locally
Learn to create an attestation for a workload and verify its UUID locally.
This page walks through an attestation verification flow for a given workload UUID. Upon successful verification, vHSM issues an authentication token. The token represents the result of the attestation process and can be used to grant access based on the verified state of the workload.
Prerequisites
Install vHSM CLI.
Log in as the root user to use the vHSM CLI; otherwise, use the root token of the vHSM instance with curl.
To verify the identity named test-local and the policy named test-local, you need to create an attestation locally.
Create an attestation.json file with the following content as a vHSM-Nitride admin or user:
{
"name": "Azure MariaDB",
"description": "A small Azure VM running MariaDB",
"namespace": "my-namespace",
"events": "http://localhost:8000",
"policy": "test-local"
}
Create an attestation workload for the local-none-debug provider using:
vhsm nitride attestation create @attestation.json
The output is similar to:
List the attestations that are available:
vhsm nitride attestation list
Verify the attestation for the workload that you created:
vhsm nitride attestation -provider=local-none-debug report <uuid>
The output is similar to:
This output confirms that vHSM successfully interacted with the attestation service for the specified workload and received an authentication token with specific policies attached, indicating a successful (or, with this debug provider, simulated) attestation outcome. Note that local-none-debug is a debug provider: its report is not backed by hardware evidence, so tokens issued through it are suitable for exercising the flow, not for granting access in production.
Next Steps:
You have successfully set up and tested attestation with the local-none-debug provider, including an identity, a policy, a workload, and a report. To attest a "buckypaper VM", you need to:
Identify the appropriate real attestation provider for that VM, such as "aws-sev-snp-raw", "azure-sev-snp-vtpm", or another supported provider.
Create specific identities and policies for the buckypaper VM, aligning with its provider.
Generate the actual attestation report from within the buckypaper VM.
Submit and verify this report using the vHSM CLI tool with the correct provider.
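The local flow above (write attestation.json, create the workload, list, report) chained into one script, with the checks a practitioner would want between steps. This is an added example, not a script shipped with vHSM or the Nitride docs. It assumes that vhsm is on PATH and already logged in as root, and that the create command prints the new workload UUID somewhere in its output (the page omits the output, so the script extracts it with a UUID regex rather than a specific field); the report output is printed as-is because its format is not shown on the page.

```shell
#!/usr/bin/env sh
# Added example (not vHSM project code). Assumptions: `vhsm` is on PATH and
# logged in as root; `vhsm nitride attestation create` prints the workload
# UUID in its output; the local-none-debug provider is configured.
set -eu

PROVIDER="${PROVIDER:-local-none-debug}"   # provider from the page
POLICY="${POLICY:-test-local}"             # policy from the page
NAMESPACE="${NAMESPACE:-my-namespace}"     # namespace from the page

# Return 0 if $1 is a well-formed UUID (8-4-4-4-12 hex groups), else 1.
is_uuid() {
  printf '%s' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print the first UUID found on stdin; fail if there is none.
extract_uuid() {
  grep -Eo '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}' |
    head -n 1 | grep .
}

# Write attestation.json for the workload, using the same fields as the page.
write_attestation_json() {
  cat > "$1" <<EOF
{
  "name": "Azure MariaDB",
  "description": "A small Azure VM running MariaDB",
  "namespace": "${NAMESPACE}",
  "events": "http://localhost:8000",
  "policy": "${POLICY}"
}
EOF
}

# Create the workload, capture its UUID, list workloads, then request the
# attestation report. Refuses to continue if no UUID came back from create.
attest_workload() {
  write_attestation_json attestation.json
  uuid="$(vhsm nitride attestation create @attestation.json | extract_uuid)" ||
    { echo "create did not return a workload UUID" >&2; return 1; }
  is_uuid "$uuid" || { echo "unexpected UUID: $uuid" >&2; return 1; }
  echo "created workload $uuid" >&2
  vhsm nitride attestation list
  # The report should contain the issued authentication token and its policies.
  vhsm nitride attestation -provider="${PROVIDER}" report "${uuid}"
}

# Only call the CLI when invoked as `sh attest.sh run`; sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then
  attest_workload
fi
```

Run it with `sh attest.sh run` on a host where vhsm is installed; override PROVIDER, POLICY or NAMESPACE in the environment to point the same flow at another provider or policy.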