Host attestation
The host-attestation section contains one or more host key documents (HKD).
When VSI is running on Z16 or later, the boot process attempts to perform Ultravisor attestation to verify that the image is running on the correct host. The Ultravisor attestation produces evidence that is revealed through the Attestation Document. For more information, see Attestation.
env: |
  type: env
  host-attestation:
    HKD-<MODEL>-<PLANT><SERIAL>:
      description: <Description of HKD>
      host-key-doc: <A Host Key Document encoded in base64>
    HKD-<MODEL>-<PLANT><SERIAL>:
      description: <Description of HKD>
      host-key-doc: <A Host Key Document encoded in base64>
You can find the values for MODEL, PLANT, and SERIAL by running the following command on the host:
cat /proc/sysinfo
Alternatively, you can derive these identifiers from the naming convention of the downloaded HKD certificate file. For example, if the certificate file is named HKD-3931-0271A28.crt, the corresponding identifier is HKD-3931-0271A28. You can use this identifier (without the .crt extension) as the key for the host-attestation entry, in place of the MODEL, PLANT, and SERIAL values, when setting up the VSI. For more information about downloading an HKD, see Obtaining a host key document from Resource Link.
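The following Python script is an added example (not part of this page or of the IBM Hyper Protect tooling) that shows the two ways of arriving at the host-attestation key described above, and then assembles an env section in the shape shown on this page from real HKD certificate bytes. The filename-based derivation follows the HKD-<MODEL>-<PLANT><SERIAL> convention stated above; the /proc/sysinfo mapping (Type for MODEL, Plant for PLANT, and the last five characters of Sequence Code for SERIAL) is an assumption made here, so verify it against your own host before relying on it. The helper names, the sample sysinfo text and the certificate bytes are all constructed for this example.

```python
import base64
import re
from pathlib import Path
from typing import Dict, Tuple

# Key format used in the contract's host-attestation map:
# HKD-<MODEL>-<PLANT><SERIAL>, e.g. HKD-3931-0271A28 (the page's example).
HKD_ID_RE = re.compile(
    r"^HKD-(?P<model>[0-9A-Z]{4})-(?P<plant>[0-9A-Z]{2})(?P<serial>[0-9A-Z]{5})$"
)


def hkd_id_from_filename(filename: str) -> str:
    """Derive the host-attestation key from a downloaded HKD certificate name.

    'HKD-3931-0271A28.crt' -> 'HKD-3931-0271A28'. A name that does not follow
    the convention raises ValueError, so a mis-named file is caught before it
    ends up as a key in the contract.
    """
    stem = Path(filename).name
    if stem.endswith(".crt"):
        stem = stem[:-4]
    if not HKD_ID_RE.match(stem):
        raise ValueError(f"not an HKD identifier: {stem!r}")
    return stem


def hkd_id_from_sysinfo(sysinfo_text: str) -> str:
    """Build the key from /proc/sysinfo output.

    ASSUMPTION (not stated on the page): MODEL is the 'Type' field, PLANT is
    the 'Plant' field, SERIAL is the last five characters of 'Sequence Code'.
    """
    fields = {}
    for line in sysinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    model = fields["Type"]
    plant = fields["Plant"]
    serial = fields["Sequence Code"][-5:]
    return f"HKD-{model}-{plant}{serial}"


def render_env_section(hkds: Dict[str, Tuple[str, bytes]], seed: str) -> str:
    """Render the env section as YAML text (hand-built, no PyYAML needed).

    hkds maps each HKD identifier to (description, raw certificate bytes).
    The dict guarantees unique keys, and the seed length rule from the page
    (minimum 15 characters) is enforced here rather than at VSI boot.
    """
    if len(seed) < 15:
        raise ValueError("env seed must be at least 15 characters")
    lines = ["type: env", "host-attestation:"]
    for hkd_id, (description, cert_bytes) in hkds.items():
        if not HKD_ID_RE.match(hkd_id):
            raise ValueError(f"bad host-attestation key: {hkd_id!r}")
        b64 = base64.b64encode(cert_bytes).decode("ascii")
        lines += [
            f"  {hkd_id}:",
            f"    description: {description}",
            f"    host-key-doc: {b64}",
        ]
    lines += ["volumes:", "  test:", f"    seed: {seed}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed inputs: a certificate file name and a fake certificate body.
    hkd_id = hkd_id_from_filename("HKD-3931-0271A28.crt")
    fake_cert = b"-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"
    print(render_env_section({hkd_id: ("test1", fake_cert)}, "constructed-seed-value"))
```

In practice you would read the certificate bytes from the downloaded .crt file and then encrypt the rendered text as the env section of the contract; the script only produces the plaintext YAML.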
Other mandatory fields like logging and volume sections are not in scope of this topic. For information about logging, volume, and so on, see About contract.
To create an encrypted contract, see:
- Creating the encrypted workload section of a contract
  Example:
  type: workload
  auths:
    us.icr.io:
      password: ${API_KEY}
      username: <username>
  play:
    resources:
    - apiVersion: v1
      kind: Pod
      metadata:
        name: <pod name>
        labels:
          app: <app name>
          name: <name>
      spec:
        containers:
        - name: <container name>
          image: <image>
          restart: always
          volumeMounts:
          - mountPath: /var/hyperprotect
            name: datavolume
            readOnly: false
          ports:
          - containerPort: 8080
            hostPort: 8080
        volumes:
        - hostPath:
            path: /var/hyperprotect
            type: DirectoryOrCreate
          name: datavolume
  volumes:
    test:
      mount: "/mnt/data"
      seed: <workload seed value with minimum 15 characters>
      filesystem: "ext4"
- Creating the encrypted env section of a contract
  Example:
  type: env
  host-attestation:
    HKD-3931-xxxxxxx:
      description: test1
      host-key-doc: <A Host Key Document encoded in base64>
    HKD-3931-xxxxxxx:
      description: test2
      host-key-doc: <A Host Key Document encoded in base64>
  logging:
    logRouter:
      hostname: 9f5272aa-29a1.ingress.us-south.logs.cloud.ibm.com
      iamApiKey: 0ol51g**************************
      port: 443
  volumes:
    test:
      seed: <env seed value with minimum 15 characters>
To create a VSI with the prepared contract, see Setting up and configuring IBM Hyper Protect Virtual Servers.