Design document for the AK registration #66
base: main
Conversation
I think the passing of the Ignition config ("Configuration Schema" in the doc) is missing here. Unless it isn't passed, in which case I find the wording in the doc a little misleading. Maybe also an illustration of subsequent boots (below a separator)?
Do we need to complicate the picture with that? I mean, Ignition and the AK registration run only on first boot.
| ## Ignition Configuration | ||
| The AK registration is configured through Ignition's attestation section. This configuration is provided during the firstboot merge process from the registration service. |
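Review bot: the second sentence of this paragraph ("This configuration is provided during the firstboot merge process from the registration service") attributes the attestation section of the Ignition config to the registration service, which the review comments on this page say is not the case; suggest naming the component that actually supplies the attestation section during the first-boot merge, and stating separately what (if anything) the registration service returns, so the reader does not conclude that the endpoint URL and certificate come from the very service they are needed to reach.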
The registration service provides a config in which it states its location and certificate, both of which Ignition would already have needed to know to (securely) connect to it in the first place? e: offline, we concluded that the registration service does not provide this configuration
Not sure I get the comment. Ignition needs to have an endpoint where to put the AK. This endpoint will be served by the operator, and then it will configure Trustee with the AK.
This configuration is provided during the firstboot merge process from the registration service.
reads as if the registration service provides the configuration schema (the JSON that is listed below), which it won't afaict
Signed-off-by: Alice Frosi <afrosi@redhat.com>
9466fcb to 34fb1e1
| - AK is created with TPM-resident private key | ||
| - Public key is extracted and saved to `/var/tpm/ak.pub` | ||
| 3. **Network Requirement**: If registration URL is configured, Ignition ensures network connectivity | ||
| 4. **Registration Request**: Ignition POSTs the public AK to the registration URL |
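Review bot: step 4 states the request method as POST; if the implementation uses PUT (as noted in this review), the design document should match it, and the step should also say what the request body contains beyond the raw public key (for example whether the path from step 2, `/var/tpm/ak.pub`, is sent verbatim) and how Ignition authenticates the registration URL before sending, since the endpoint's certificate is referenced elsewhere in the document but not in this step.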
In the implementation you made that a PUT which might make more sense anyhow