Create identities and policies

In this tutorial, we will focus on creating identities and policies. Identities consist of multiple parts:

Platform
- The root of trust of the attestation, mainly the certificate chain used to verify the attestation. These are provided by the vendor of the attestation technology.
Firmware
- The verification attributes of the OVMF/UEFI firmware that was used to boot the confidential VM. You need to measure this value based on the binary or extract it from the report.
Workload
- CSP specific attestation attributes. We will leave them out for this tutorial and focus on the shared properties of all providers.
Metadata
- Additional information that is attached to an attestation. Not used for verification and also left out for this tutorial.

Identities are then used in a policy and associated with a provider. Providers are constants that define how the attestation is generated and what attributes are included. Currently supported providers:

azure-sev-snp-vtpm
aws-sev-snp-raw
gcp-sev-snp-raw

Providers are specific to the used CSP, attestation technology and attestation flow.

To extract the values for a provider, this command can be used:

vhsm nitride attestation -provider=azure-sev-snp-vtpm dump

This will print the report, so additional fields for workloads can be extracted and for providers with vTPM based attestation the report can be processed further to extract the firmware measurement.

When using the vhsm nitride init command, basic identities for all supported CSPs will already be created, besides mounting the attestation plugin at ratls. This includes the platform identities for AMD SEV-SNP Milan/Genoa for VCEK/VLEK based attestations and firmware identities for Azure, AWS and GCP for the smallest available VM size at the time of writing.

Predefined Platform identities:

amd-sev-snp-milan-vcek
amd-sev-snp-milan-vlek
amd-sev-snp-genoa-vcek
amd-sev-snp-genoa-vlek

These are downloaded from https://kdsintf.amd.com/vcek/v1/{product}/cert_chain and the vlek counterpart. The certificate chains are valid for all chips or all cloud providers respectively. Currently, only AWS uses the VLEK based attestation. The attestation for AWS includes the VLEK in the request to verify the attestation. VCEKs for other providers are fetched automatically.

Platform firmware versions as of AMD-SB-3015:

Milan, >= 1.55.22
Genoa, >= 1.55.38

Predefined Firmware identities:

azure-dc2asv5
gcp-small
aws-c6a.large

These follow the format {provider}-{size}, as the measurement can be different for the same firmware if the vCPU count is changed, depending on the hypervisor.

Creating or updating identities

Identities are versioned by the creation timestamp. For verification, the newest available identity for a given name is used. So if an identity becomes outdated, you can easily update it without having to change the policy or the attestation itself.

Method and URL

POST http://localhost:8200/v1/auth/{mount}/identities

Headers

Name

Value

X-Vault-Token

Body

Name

Type

Example

type

string

firmware / platform / workload / metadata

name

string

aws-c6a.large

values

object

{"measurement":"eb5c02d3ba319e65218994fc47925cf8a5e9a433081c44d4d989434f15a7c6d715d302401b3147da04e49abc99e50aea"}

Request

vault write auth/ratls/identities - <<'EOF'
{
  "type": "firmware",
  "name": "test",
  "values": {
    "measurement": "eb5c02d3ba319e65218994fc47925cf8a5e9a433081c44d4d989434f15a7c6d715d302401b3147da04e49abc99e50aea"
  }
}
EOF

curl -H "X-Vault-Token: hvs.XXXXX" \
    http://localhost:8200/v1/auth/ratls/identities \
    --data '{"type":"firmware","name":"test","values":{"measurement":"eb5c02d3ba319e65218994fc47925cf8a5e9a433081c44d4d989434f15a7c6d715d302401b3147da04e49abc99e50aea"}}'

Response

Key        Value
---        -----
created    1734560058
name       test
type       firmware
values     map[measurement:eb5c02d3ba319e65218994fc47925cf8a5e9a433081c44d4d989434f15a7c6d715d302401b3147da04e49abc99e50aea]

{
  "request_id": "97074d26-615c-a20d-ff88-8b14d2a75b93",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "created": 1734559789,
    "name": "test",
    "type": "firmware",
    "values": {
      "measurement": "eb5c02d3ba319e65218994fc47925cf8a5e9a433081c44d4d989434f15a7c6d715d302401b3147da04e49abc99e50aea"
    }
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

{
  "errors": [
    "failed parsing: unknown type"
  ]
}

Description of `values`

The values field is dependent on the type of the identity.

platform
- firmware
  - the firmware version of the platform, supports semver contraints like >= 1.55.22
- root_of_trust
  - the certificate chain used in the verification process
firmware
- measurement
  - the OVMF/UEFI measurement
workload
- hash
  - human-readable name of the used hash function
- pcrs
  - dictionary from integer to string for the encoded PCR value
metadata
- Currently empty

Creating a policy from identities

The next step is to create a policy that will be used in the verification process.

Method and URL

POST http://localhost:8200/v1/auth/{mount}/policies

Headers

Name

Value

X-Vault-Token

Body

Name

Type

Example

name

string

aws-c6a.large

identities

object

{

"provider": string,

"platform": object,

"firmware": object,

"workload": object,

"metadata": object

}

Request

vault write auth/ratls/policies - <<'EOF'
{
  "name": "test",
  "identities": {
    "provider": "aws-sev-snp-raw",
    "platform": {
      "name": "amd-sev-snp-milan-vlek"
    },
    "firmware": {
      "name": "test"
    },
    "workload": null,
    "metadata": null
  }
}
EOF

curl -H "X-Vault-Token: hvs.XXXX" \
    http://127.0.0.1:8200/v1/auth/ratls/policies \
    --data '{"name":"test","identities":{"provider":"aws-sev-snp-raw","platform":{"name":"amd-sev-snp-milan-vlek"},"firmware":{"name":"test"},"workload":null,"metadata":null}}'

Response

Key           Value
---           -----
created       1734560736
identities    map[firmware:map[name:aws-c6a.large policy:<nil>] metadata:<nil> platform:map[name:amd-sev-snp-milan-vlek policy:<nil>] provider:aws-sev-snp-raw workload:<nil>]
name          test

{
  "request_id": "48c75684-ddbc-9a57-2a79-a0e700730fa7",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "created": 1734560857,
    "identities": {
      "firmware": {
        "name": "test",
        "policy": null
      },
      "metadata": null,
      "platform": {
        "name": "amd-sev-snp-milan-vlek",
        "policy": null
      },
      "provider": "aws-sev-snp-raw",
      "workload": null
    },
    "name": "test"
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

{
  "errors": [
    "Invalid request"
  ]
}

Description of nested identity objects

As seen in the example, this contains at least the name of the identity. Additionally, the field policy can configure which parts of the identity are actually used for the verification.

Example for a workload identity:

{
    "name": "vtpm",
    "policy": {
        "hash": false,
        "pcrs.1": false
    }
}

Verification of fields is enabled by default. Nested fields, like seen here with a specific PCR value, can be disabled using a path notation similar to jq.

Locally testing identities and policies

When attesting against the plugin in vHSM, the policy will be filled with the values from the named identities. To test these values locally, this command can be used:

vhsm nitride attestation -provider=azure-sev-snp-vtpm local @policy.json

The contents of policy.json match the values of each identity in identities of the policy stored in the plugin. This example only verifies the platform of a SEV-SNP Milan VCEK attestation:

{
  "platform": {
    "firmware": ">=1.55.22",
    "root_of_trust": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdpVENDQkRpZ0F3SUJBZ0lEQVFBQk1FWUdDU3FHU0liM0RRRUJDakE1b0E4d0RRWUpZSVpJQVdVREJBSUMKQlFDaEhEQWFCZ2txaGtpRzl3MEJBUWd3RFFZSllJWklBV1VEQkFJQ0JRQ2lBd0lCTUtNREFnRUJNSHN4RkRBUwpCZ05WQkFzTUMwVnVaMmx1WldWeWFXNW5NUXN3Q1FZRFZRUUdFd0pWVXpFVU1CSUdBMVVFQnd3TFUyRnVkR0VnClEyeGhjbUV4Q3pBSkJnTlZCQWdNQWtOQk1SOHdIUVlEVlFRS0RCWkJaSFpoYm1ObFpDQk5hV055YnlCRVpYWnAKWTJWek1SSXdFQVlEVlFRRERBbEJVa3N0VFdsc1lXNHdIaGNOTWpBeE1ESXlNVGd5TkRJd1doY05ORFV4TURJeQpNVGd5TkRJd1dqQjdNUlF3RWdZRFZRUUxEQXRGYm1kcGJtVmxjbWx1WnpFTE1Ba0dBMVVFQmhNQ1ZWTXhGREFTCkJnTlZCQWNNQzFOaGJuUmhJRU5zWVhKaE1Rc3dDUVlEVlFRSURBSkRRVEVmTUIwR0ExVUVDZ3dXUVdSMllXNWoKWldRZ1RXbGpjbThnUkdWMmFXTmxjekVTTUJBR0ExVUVBd3dKVTBWV0xVMXBiR0Z1TUlJQ0lqQU5CZ2txaGtpRwo5dzBCQVFFRkFBT0NBZzhBTUlJQ0NnS0NBZ0VBblUyZHJyTlRmYmhOUUlsbGYrVzJ5K1JPQ2JTeklkMWFLWmZ0CjJUOXpqWlFPempHY2NsMTdpMW1JS1dsN05UY0IwVllYdDNKeFpTek9aanNqTE5WQUVOMk1HajlUaWVkTCtRZXcKS1pYMEptUUV1WWptK1dLa3NMdHhnZExwOUU3RVpOd05EcVYxcjBxUlA1dEI4T1dreVFiSWRMZXU0YUN6N2ovUwpsMUZrQnl0ZXY5c2JGR3p0N2N3bmp6aTltN25vcXNrK3VSVkJwMytJbjM1UVBkY2o4WWZsRW1uSEJOdnVVREpoCkxDSk1XOEtPalA2KytQaGJzM2lDaXRKY0FORXRXNHFUTkZvS1czQ0hsYmNTQ2pUTThLc05iVXgzQThlazVFVkwKalpXSDFwdDlFM1RmcFI2WHlmUUtuWTZrbDVhRUlQd2RXM2VGWWFxQ0ZQcklvOXBRVDZXdURTUDRKQ1lKYlpuZQpLS0liWmp6WGtKdDNOUUczMkV1a1lJbUJiOVNDa205K2ZTNUxaRmc5b2p6dWJNWDMrTmtCb1NYSTdPUHZuSE14Cmp1cDltdzVzZTZRVVY3R3FwQ0EyVE55cG9sbXVRK2NBYXhWN0pxSEU4ZGw5cFdmK1kzYXJiKzlpaUZDd0Z0NGwKQWxKdzVEMENUUlRDMVk1WVdGREJDckEvdkdubVRucUc4QytqalVBUzdjampSOHE0T1BoeURtSlJQbmFDL1pHNQp1UDBLMHo2R29PLzN1ZW45d3FzaEN1SGVnTFRwT2VIRUpSS3JRRnI0UFZJd1ZPQjArZWJPNUZnb3lPdzQzbnlGCkQ1VUtCRHhFQjRCS28vMHVBaUtITFJ2dmdMYk9SYlU4S0FSSXMxRW9xRWptRjhVdHJtUVdWMmhVand6cXd2SEYKZWk4clB4TUNBd0VBQWFPQm96Q0JvREFkQmdOVkhRNEVGZ1FVTzhadUdDckQvVDFpWkVpYjQ3ZEhMTFQ4di9ndwpId1lEVlIwakJCZ3dGb0FVaGF3YTBVUDN5S3hWMU1VZFFVaXIxWGhLMUZNd0VnWURWUjBUQVFIL0JBZ3dCZ0VCCi93SUJBREFPQmdOVkhROEJBZjhFQkFNQ0FRUXdPZ1lEVlIwZkJETXdNVEF2b0MyZ0s0WXBhSFIwY0hNNkx5OXIKWkhOcGJuUm1MbUZ0WkM1amIyMHZkbU5sYXk5Mk1TOU5hV3hoYmk5amNtd3dSZ1lKS29aSWh2Y05BUUVLTURtZwpEekFOQmdsZ2hrZ0JaUU1FQWdJRkFLRWNNQm9HQ1NxR1NJYjNEUUVCQ0RBTkJnbGdoa2dCWlFNRUFnSUZBS0lECkFnRXdvd01DQVFFRGdnSUJBSWdlVVFTY0FmM2xEWXFnV1UxVnRsRGJtSU44UzJkQzVrbVF6c1ovSHRBalFuTEUKUEkxamgzZ0piTHhMNmdmM0s4anhjdHpPV25rWWNiZGZNT09yMjhLVDM1SWFBUjIwcmVrS1JGcHRUSGhlK0RGcgozQUZ6WkxERDdjV0syOS9HcFBpdFBKREtDdkk3QTRVZzA2cms3SjB6QmUxZnovcWU0aTIvRjEycnZmd0NHWWhjClJ4UHk3UUYzcThmUjZHQ0pkQjFVUTVTbHdDakZ4RDR1ZXpVUnp0SWxJQWpNa3Q3REZ2S1JoKzJ6Sys1cGxWR0cKRnNqREp0TXoydWQ5eTBwdk9FNGozZEg1SVc5akd4YVNHU3RxTnJhYm5ucEYyMzZFVHIxL2E0M2I4RkZLTDVRTgptdDhWcjl4blhScHpucUNSdnFqcitrVnJiNmRsZnVUbGxpWGVRVE1sQm9SV0ZKT1JMOEFjQkp4R1o0SzJtWGZ0CmwxalU1VExlaDVLWEw5Tlc3YS9xQU9JVXMyRmlPaHFydHpBaEpSZzlJajhRa1E5UGsrY0tHenc2RWwzVDNrRnIKRWc2emt4bXZNdWFiWk9zZEtmUmtXZmhIMlpLY1RsRGZtSDFIMHpxMFEyYkczdXZhVmRpQ3RGWTFMbFd5QjM4SgpTMmZOc1IvUHk2dDVickVKQ0ZOdnphRGt5NktlQzRpb24vY1ZnVWFpN3p6UzNiR1FXektES1UzNVNxTlUyV2tQCkk4eENaMDBXdElpS0tGblhXVVF4dmxLbW1nWkJJWVBlMDF6RDBOOGF0RnhtV2lTbmZKbDY5MEI5ckpwTlIvZkkKYWp4Q1czU2Vpd3M2cjFabSt0Q3VWYk1pTnRwUzlUaGpOWDR1dmU1dGh5ZkUyRGdveFJGdlkxQ3NvRjVNCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdZekNDQkJLZ0F3SUJBZ0lEQVFBQU1FWUdDU3FHU0liM0RRRUJDakE1b0E4d0RRWUpZSVpJQVdVREJBSUMKQlFDaEhEQWFCZ2txaGtpRzl3MEJBUWd3RFFZSllJWklBV1VEQkFJQ0JRQ2lBd0lCTUtNREFnRUJNSHN4RkRBUwpCZ05WQkFzTUMwVnVaMmx1WldWeWFXNW5NUXN3Q1FZRFZRUUdFd0pWVXpFVU1CSUdBMVVFQnd3TFUyRnVkR0VnClEyeGhjbUV4Q3pBSkJnTlZCQWdNQWtOQk1SOHdIUVlEVlFRS0RCWkJaSFpoYm1ObFpDQk5hV055YnlCRVpYWnAKWTJWek1SSXdFQVlEVlFRRERBbEJVa3N0VFdsc1lXNHdIaGNOTWpBeE1ESXlNVGN5TXpBMVdoY05ORFV4TURJeQpNVGN5TXpBMVdqQjdNUlF3RWdZRFZRUUxEQXRGYm1kcGJtVmxjbWx1WnpFTE1Ba0dBMVVFQmhNQ1ZWTXhGREFTCkJnTlZCQWNNQzFOaGJuUmhJRU5zWVhKaE1Rc3dDUVlEVlFRSURBSkRRVEVmTUIwR0ExVUVDZ3dXUVdSMllXNWoKWldRZ1RXbGpjbThnUkdWMmFXTmxjekVTTUJBR0ExVUVBd3dKUVZKTExVMXBiR0Z1TUlJQ0lqQU5CZ2txaGtpRwo5dzBCQVFFRkFBT0NBZzhBTUlJQ0NnS0NBZ0VBMExkNTJSSk9kZWlKbHFLMkpkc1ZtRDdGa3R1b3RXd1gxZk5nClc0MVhZOVh6MUhFaFNVbWhMejlDdTlESFJsdmdKU054YmVZWXNuSmZ2eWp4MU1mVTBWNXRrS2lVMUVlc05GdGEKMWtUQTBzek5pc2RZYzlpc3FrN21YVDUrS2ZHUmJmYzRWLzl6UkljRThqbEhONjFTMWp1OFg5Mys2ZHhEVXJHMgpTenhxSjRCaHF5WW1VRHJ1UFhKU1g0dlVjMDFQN2o5OE1wcU9TOTVyT1JkR0hlSTUyTmF6NW0yQitPK3Zqc0MwCjYwZDM3alk5TEZldU9QNE1lcmk4cWdmaTJTNWtLcWcvYUY2YVB0dUFaUVZSN3UzS0ZZWFA1OVhtSmd0Y29nMDUKZ21JMFQvT2l0TGh1elZ2cFpjTHBoMG9kaC8xSVBYcXgzK01uakQ5N0E3ZlhwcUdkL3k4S3hYN2prc1RFekFPZwpiS0FlYW0zbG0rM3lLSWNUWU1sc1JNWFBjak5iSXZtc0J5a0QvL3hTbml1c3VIQmtnbmxFTkVXeDFVY2JRUXJzCitnVkRrdVZQaHNueklSTmdZdk00OFkrN0xHaUpZbnJtRTh4Y3JleGVrQnhydmEyVjlUSlFxbk4zUTUza3Q1dmkKUWkzK2dDZm1rd0MwRjB0aXJJWmJMa1hQclB3elowTTllTnhoSXlTYjJucEpmZ25xejU1STB1MzN3aDRyMFpOUQplVEdmdzAzTUJVdHl1ekdlc0drY3crbG9xTWFxMXFSNHRqR2JQWXhDdnBDcTcrT2dwQ0NvTU5pdDJ1TG85TTE4CmZIejEwbE9NVDhuV0FVdlJaRnp0ZVhDbSs3UEhkWVBsbVF3VXczTHZlbkovSUxYb1FQSGZia0gwQ3lQZmhsMWoKV2hKRlphc0NBd0VBQWFOK01Id3dEZ1lEVlIwUEFRSC9CQVFEQWdFR01CMEdBMVVkRGdRV0JCU0ZyQnJSUS9mSQpyRlhVeFIxQlNLdlZlRXJVVXpBUEJnTlZIUk1CQWY4RUJUQURBUUgvTURvR0ExVWRId1F6TURFd0w2QXRvQ3VHCktXaDBkSEJ6T2k4dmEyUnphVzUwWmk1aGJXUXVZMjl0TDNaalpXc3ZkakV2VFdsc1lXNHZZM0pzTUVZR0NTcUcKU0liM0RRRUJDakE1b0E4d0RRWUpZSVpJQVdVREJBSUNCUUNoSERBYUJna3Foa2lHOXcwQkFRZ3dEUVlKWUlaSQpBV1VEQkFJQ0JRQ2lBd0lCTUtNREFnRUJBNElDQVFDNm0wa0RwNnp2NE9qZmd5K3psZWVoc3g2b2wwb2NnVmVsCkVUb2JweCtFdUNzcVZGUlBLMWpaMXNwL2x5ZDkrMGZRMHI2Nm43a2FnUms0Q2EzOWc2NldHVEpNZUpkcVlyaXcKU1RqakRDS1ZQU2VzV1hZUFZBeURobVA1bjJ2K0JZaXBaV2hwdnFwYWlPK0VHSzVJQlArNTc4UWVXL3NTb2tySwpkSGFMQXhHMkxoWnhqOWFGNzNmcUM3T0FKWjVhUG9udzRSRTI5OUZWYXJoMVR4MmVUM3dTZ2tEZ3V0Q1RCMVlxCnpUNUR1d3ZBZStjbzJDSVZJek1EYW1ZdVNGalBOMEJDZ29qbDdWK2JUb3U3ZE1zcUl1L1RXL3JQQ1g5L0VVY3AKS0dLcVBRM1ArTjlyMWhqRUZZMXBsQmc5M3Q1M09PbzQ5R05JK1YxenZYUExJNnhJRlZzaCttdG8yUnRnRVgvZQpwbU1LVE5ONnBzVzg4cWc3YzFoVFd0TjZNYlJ1UTB2bStPKy8ydEtCRjJoOFRIYjk0T3Z2SEhvRkRwYkNFTGxxCkhuSVloeHkwWUtYR3lhVzFOamZVTHhycm14Vlc0d2NuNUU4R2RkbXZOYTZ5WW04c2NKYWdFaTEzbWhHdTRKcWgKM1FVM3NmOGlVU1VyMDl4UUR3SHRPUVVWSXF4NG1hQlpQQnRTTWYrcVVEdGpYU1NxOGxmV2NkOGJMcjltZHNVbgpKWkowK3R1UE1LbUJuU0g4NjBsbEtrK1ZwVlFzZ3FiekRJdk9MdkQ2VzFVbXEyNWJveENZSitUdUJvYTRzK0hICkNWaUF2Z1Q5a2YvckJxMWQraXZqNnNra0h4dXpjeGJrMXh2NlpHeHJ0ZUp4Vkg3S2xYN1lSZFo2ZUFSS3dMZTQKQUZaRUF3b0tDUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
  }
}

Last updated 14 hours ago

Creating or updating identities

Method and URL

Request

Description of values

Creating a policy from identities

Method and URL

Request

Description of nested identity objects

Locally testing identities and policies

Description of `values`