Create Attestation

Creating attestation

Create a attestation.json file that defines how vHSM verifies identities and applies the policy.

Example:

{
  "name": "basic-attestation",
  "policy": "nitride-policy"
  "namespace": "test"
}

Where:

"name": Logical name of the attestation profile.
"policy": The policy to apply after successful attestation
"namespace": The namespace in which the attestation should be created.

Create the attestation profile

Example:

vhsm nitride attestation create @attestation.json

Output:

Key            Value
---            -----
created        1742558170
description    n/a
events         n/a
name           basic-attestation
namespace      test
nonce          n/a
policy         nitride-policy
updated        0
uuid           db5f752d-9688-40e7-922d-ba972bc4e2c7

Verify that the attestation profile exists

Example:

vhsm nitride attestation list -namespace=test

Output:

Keys
----
39547c1c-2139-402d-a532-2a352c55106c
737f83e1-cb7b-409e-8e53-b9a8125f651f
b39fc691-f935-4c07-a770-e487ea213d08

View details of the profile:

vhsm nitride attestation read <attestation-profile-uuid>

Verify if the attestation was successful

Note: If the workload in not linked to any attestation provider then you can specify the provider as local-none-debug .

Example:

vhsm nitride attestation -provider=<provider-name> report <attestation-profile-uuid>

Output:

Key                       Value
---                       -----
token                     hvs.CAESIJ5U59CS8UXBfe8-APVoAxayD97efnATwvlRamfXhaNPGh4KHGh2cy51b0xqcjlLQUpBTVJMYllJSFViM09XTWU
token_accessor            6ESlahcrvOUb03mJ8l3g0Wno
token_duration            768h
token_renewable           false
token_policies            ["default" "enclaive-attested"]
identity_policies         []
policies                  ["default" "enclaive-attested"]
token_meta_measurement    ffd92c5d5207afadf3b93be300060a98f9b96bd2a1300c97f1042f2b5f313b964ffc3c14645a7b706c5f6fe5ccfa51d7
token_meta_namespace      n/a
token_meta_workload       19dc0836-bc80-4a4c-8362-4c1f8eb17710
created                   1742714856
description               n/a
events                    n/a
name                      basic-attestation
namespace                 test
nonce                     n/a
policy                    azure-dc2asv5-raw
updated                   1742714977
uuid                      19dc0836-bc80-4a4c-8362-4c1f8eb17710

Note: Ensure that the workload UUID 19dc0836-bc80-4a4c-8362-4c1f8eb17710is linked to a policy that matches the attestation provider — in this case, a policy was configured for azure-sev-snp-vtpm.

This output confirms that vHSM successfully interacted with the attestation service regarding the specified workload and received an authentication token with specific policies attached, indicating a successful attestation or a simulated attestation outcome. For more information, see vHSM Nitride CLI.

Last updated 4 months ago

Was this helpful?