Add design document for 2-phase attestation #68
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| # Ignition Configuration Fetch Protection with 2-phase Attestation | ||
|
|
||
| ## Overview | ||
|
|
||
| This document describes the security mechanism for protecting the Ignition configuration fetch endpoint using attestation. By requiring attestation before serving the Ignition configuration containing the Clevis pin and UUID, the system prevents arbitrary requests from accessing node-specific configuration and registration endpoints. | ||
|
|
||
| ## Security Challenge | ||
|
|
||
| Without protection, the registration service endpoint that serves Ignition configurations with Clevis pin settings and UUIDs is vulnerable to unauthorized accesses, any client can request and receive Ignition configurations and generates UUIDs and secrets, polluting and overloading the operator. | ||
|
|
||
| ## Protected Fetch Flow | ||
|
|
||
| The solution introduces an attestation-protected fetch mechanism where nodes must prove their authenticity before receiving their Ignition configuration. | ||
|
|
||
|  | ||
|
|
||
| ### Process Flow | ||
|
|
||
| 1. **Remote Attestation Request**: Ignition initiates a remote attestation with the Trustee Attester | ||
| - Uses generic reference values for the image (no UUID) | ||
| - Proves the platform is running in a confidential computing environment | ||
|
|
||
| 2. **Attestation Token Received**: Trustee Attester validates the attestation and returns an attestation token | ||
| - Token confirms the node meets basic confidential computing requirements | ||
|
|
||
| 3. **Protected Ignition Fetch**: Ignition requests its configuration from the Registration Service | ||
| - Includes the attestation token in the request | ||
| - Registration Service validates the token before proceeding | ||
|
|
||
| 4. From now on, the steps are the ones described in the [booting design document](./docs/design/boot-attestation.md). | ||
|
|
||
|
Contributor
There was a problem hiding this comment.
|
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Trustee validates ... (remove Attester)