Verifying the attestation process

To verify the attestation process, run the signed image (workload) in the deployed OpenShift sandboxed containers cluster. If the workload runs successfully, it confirms a successful key exchange between the SE-enabled PeerPod VM and the Trustee.

The following section explains the verification process using BusyBox as a sample workload.

Procedure

  1. Create an initdata.toml file using the encrypted_contract generated in the earlier step:
    $ cat << EOF > initdata.toml
    algorithm = "sha384"
    version = "0.1.0"
    [data]
    "aa.toml" = '''
    [token_configs]
    [token_configs.coco_as]
    url = 'https://<CCRV_KBS_IP>:8080' (1)
    [token_configs.kbs]
    url = 'https://<CCRV_KBS_IP>:8080'
    cert = """
    <localhost.crt>
    """
    '''
    
    "cdh.toml" = '''
    socket = 'unix:///run/confidential-containers/cdh.sock'
    credentials = []
    [kbc]
    name = 'cc_kbc'
    url = 'https://<CCRV_KBS_IP>:8080'
    kbs_cert = """
    <localhost.crt>
    """
    [image]
    image_security_policy_uri = 'kbs:///default/security-policy/osc'
    '''
    "policy.rego" = '''
    package agent_policy
    import future.keywords.in
    import future.keywords.every
    import input
    default CopyFileRequest := true
    default CreateContainerRequest := true
    default CreateSandboxRequest := true
    default DestroySandboxRequest := true
    default ExecProcessRequest := true
    default GetOOMEventRequest := true
    default GuestDetailsRequest := true
    default OnlineCPUMemRequest := true
    default PullImageRequest := true
    default ReadStreamRequest := true
    default RemoveContainerRequest := true
    default RemoveStaleVirtiofsShareMountsRequest := true
    default SignalProcessRequest := true
    default StartContainerRequest := true
    default StatsContainerRequest := true
    default TtyWinResizeRequest := true
    default UpdateEphemeralMountsRequest := true
    default UpdateInterfaceRequest := true
    default UpdateRoutesRequest := true
    default WaitProcessRequest := true
    default WriteStreamRequest := true
    '''
    EOF

    1: Specify the IP address of the LPAR on which the Trustee is provisioned in CCRV.

  2. Base64-encode the initdata.toml file to produce the value of the initdata annotation:
    $ initdata_annotation=$(cat "initdata.toml" | base64 -w 0)
  3. Create a sample workload manifest, busybox.yaml, that carries the annotation:
    $ cat << EOF > busybox.yaml
    apiVersion: v1
    kind: Pod
    metadata:
      name: busybox
      namespace: default
      labels:
        run: busybox
      annotations:
        io.katacontainers.config.runtime.cc_init_data: ${initdata_annotation}
    spec:
      runtimeClassName: kata-remote
      restartPolicy: Never
      containers:
      - name: busybox
        image: quay.io/<username>/busybox
    EOF
  4. Create the pod by running the following command:
    $ oc create -f busybox.yaml
  5. Log in to the pod by running the following command:
    $ oc exec -it busybox -n default -- /bin/sh
  6. Check that the pod is running by running the following command:
    $ oc get pods -n default
    Example output
    busybox   1/1     Running   0          101s
  7. Get the secret key by running the following command:
    $ oc exec -it busybox -n default  -- wget http://127.0.0.1:8006/cdh/resource/default/busybox/key
    Example output
    Connecting to 127.0.0.1:8006 (127.0.0.1:8006)
    saving to 'key'
    key                 100% |*******************************************|     8  0:00:00 ETA
    'key' saved
  8. Display the value of the key retrieved inside the pod by running the following command:
    $ oc exec -it busybox -n default -- cat key
    Example output
    mykey
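As an added example (not part of this documentation or of the OpenShift project), the following POSIX shell functions check an initdata.toml for leftover template placeholders and required fields before it is encoded, compute its SHA-384 digest, and render the annotated pod manifest. The pod name and image passed in are the caller's choice, and it is an assumption that the digest named by the "algorithm" field is taken over the raw bytes of the file.

```shell
#!/bin/sh
# Added example, not from the OpenShift documentation: sanity-check an
# initdata.toml before it is base64-encoded into the pod annotation.
# Assumption: the digest referred to by "algorithm" is computed over the
# raw bytes of the document; sha384sum here gives a value to compare with
# what the attestation evidence reports, it does not replace attestation.

# Return 1 if placeholders such as <CCRV_KBS_IP> or <localhost.crt> remain,
# or if the top-level fields or the [kbc] section are missing.
check_initdata() {
  f=$1
  if grep -q '<[A-Za-z0-9_.]*>' "$f"; then
    echo "unresolved placeholder(s): $(grep -o '<[A-Za-z0-9_.]*>' "$f" | sort -u | tr '\n' ' ')" >&2
    return 1
  fi
  grep -q '^algorithm = "sha384"' "$f" || { echo "missing or unsupported algorithm" >&2; return 1; }
  grep -q '^version = ' "$f"          || { echo "missing version" >&2; return 1; }
  grep -q '^\[data\]' "$f"            || { echo "missing [data] table" >&2; return 1; }
  # The CDH must be told which KBC to use and which Trustee to talk to.
  grep -q "^name = 'cc_kbc'" "$f"     || { echo "missing [kbc] name = 'cc_kbc'" >&2; return 1; }
  grep -q "^url = 'https://" "$f"     || { echo "missing KBS url" >&2; return 1; }
  return 0
}

# Hex SHA-384 digest of the document, the value a Trustee policy can pin.
initdata_digest() { sha384sum "$1" | cut -d' ' -f1; }

# Single-line base64, the form the annotation expects.
initdata_annotation() { base64 -w 0 "$1"; }

# Render a pod manifest carrying the annotation.
# $1 = initdata file, $2 = container image, $3 = pod/container name
render_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $3
  namespace: default
  annotations:
    io.katacontainers.config.runtime.cc_init_data: $(initdata_annotation "$1")
spec:
  runtimeClassName: kata-remote
  restartPolicy: Never
  containers:
  - name: $3
    image: $2
EOF
}
```

Run `check_initdata initdata.toml && render_pod initdata.toml quay.io/<username>/busybox busybox > busybox.yaml` to produce the manifest only when the document passes the checks.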