
feat: enable firmware reference values in bare metal profiles#90

Merged
butler54 merged 2 commits into validatedpatterns:main from butler54:feat/wire-firmware-to-baremetal
May 28, 2026

Conversation

@butler54 butler54 commented May 28, 2026

Overview

Wire firmware reference value enforcement into bare metal profiles by updating to trustee-chart v0.6.*.

This is PR 2D (final) of Wave 2 (firmware hardening) from the bare metal attestation hardening plan.

Changes

values-baremetal.yaml

  • ✅ Update trustee chartVersion: 0.5.* → 0.6.*
  • ✅ Already has kbs.baremetal.enabled: "true" override

values-baremetal-gpu.yaml

  • ✅ Update trustee chartVersion: 0.5.* → 0.6.*
  • ✅ Already has kbs.baremetal.enabled: "true" override

Effect

When deploying bare metal profiles, trustee-chart v0.6.0 will now:

  1. Create firmware-refvals-eso ExternalSecret

    • Pulls from secret/data/hub/firmwareReferenceValues in Vault
    • Syncs to firmware-reference-values secret in cluster
  2. Add firmware values to RVPS

    • Reads firmware-reference-values secret (single JSON blob with 'json' key)
    • Appends mr_td, rtmr_1, rtmr_2, snp_launch_measurement, xfam to RVPS ConfigMap
  3. Enforce firmware measurements

    • Attestation policy checks firmware against RVPS values
    • Blocks pods with mismatched firmware
    • Enforces debug=false

Collection Workflow (PR 2A)

# On bare metal cluster with kata pod running:
make collect-firmware-refvals

# Review collected values
cat ~/.coco-pattern/firmware-reference-values.json

# Uncomment firmwareReferenceValues in ~/values-secret-coco-pattern.yaml
# Then load to Vault:
make load-secrets

Backwards Compatibility

Fully backwards compatible:

If firmware values NOT pushed to Vault:

  • firmware-refvals-eso created but secret empty
  • RVPS block skips (no firmware values to append)
  • Attestation policy uses fallback rules
  • Behavior identical to v0.4.0 (init_data-only)

If firmware values pushed to Vault:

  • Firmware verification enforced
  • Debug mode blocked
  • Stronger security posture

Testing Plan

After all Wave 2 PRs merge and v0.6.0 releases:

  1. Deploy bare metal cluster with clusterGroupName: baremetal
  2. Collect firmware values: make collect-firmware-refvals
  3. Load to Vault: make load-secrets
  4. Verify attestation enforces firmware checks
  5. Test backwards compat: deploy without firmware values, verify init_data-only still works

Dependencies

Related

Part of Wave 2 (firmware hardening) from the bare metal attestation hardening roadmap.

Wave 2 PR sequence:

After this merges, Wave 2 is complete and ready for E2E testing.
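The three effects and the two backwards-compatibility cases described in the PR above, as an added example that is not trustee-chart's or the pattern's own code: a small Python model of (1) reading the synced firmware-reference-values Secret, whose single `json` key holds a base64-encoded JSON blob, (2) the RVPS append step that skips when the Secret is empty, and (3) a policy check that enforces the five firmware keys plus debug=false when firmware values are present and falls back to init_data-only verification when they are not. The Secret and claim shapes, the flat claim names (`mr_td`, `debug`, ...), the function names, and every measurement value are constructed assumptions for illustration only; the real chart runs this logic in its ExternalSecret, RVPS ConfigMap, and attestation policy, not in Python.

```python
import base64
import json

# Keys the chart appends to the RVPS ConfigMap (listed in the PR description).
FIRMWARE_KEYS = ("mr_td", "rtmr_1", "rtmr_2", "snp_launch_measurement", "xfam")

# Constructed sample data: fake measurements, not values from any real host.
SAMPLE_BLOB = {
    "mr_td": "aa" * 48,
    "rtmr_1": "bb" * 48,
    "rtmr_2": "cc" * 48,
    "snp_launch_measurement": "dd" * 48,
    "xfam": "0xe7",
}
# Shape of the synced Secret as returned by the Kubernetes API (assumed):
# one `json` key whose value is the base64 of the JSON blob.
SAMPLE_SECRET = {
    "metadata": {"name": "firmware-reference-values"},
    "data": {"json": base64.b64encode(json.dumps(SAMPLE_BLOB).encode()).decode()},
}
# What the ExternalSecret yields when nothing was pushed to Vault: no data.
EMPTY_SECRET = {"metadata": {"name": "firmware-reference-values"}, "data": {}}
# Constructed init_data reference value (the pre-existing, v0.4.0-era check).
INIT_DATA_REFVALS = {"init_data": ["11" * 32]}


def firmware_refvals_from_secret(secret):
    """Decode the `json` key of the synced Secret into a dict of firmware
    reference values. Returns {} when the Secret is empty, which is the
    'ExternalSecret created but secret empty' case in the PR."""
    blob = (secret.get("data") or {}).get("json")
    if not blob:
        return {}
    values = json.loads(base64.b64decode(blob))
    # Only the keys the chart appends are carried into the RVPS.
    return {k: values[k] for k in FIRMWARE_KEYS if k in values}


def rvps_reference_values(init_data_refvals, firmware_refvals):
    """Model of the RVPS ConfigMap content: the init_data reference values,
    with firmware values appended only when some were found. Each reference
    value is stored as a list of accepted values."""
    merged = {k: list(v) for k, v in init_data_refvals.items()}
    for k, v in firmware_refvals.items():  # skipped entirely when {}
        merged[k] = v if isinstance(v, list) else [v]
    return merged


def evaluate(claims, refvals):
    """Attestation policy model. Returns (allowed, reasons).
    init_data is always checked. If the RVPS carries any firmware key, every
    present firmware key must match and debug must be false; otherwise the
    policy behaves as init_data-only (the fallback rules)."""
    reasons = []
    if claims.get("init_data") not in refvals.get("init_data", []):
        reasons.append("init_data mismatch")
    firmware_enforced = any(k in refvals for k in FIRMWARE_KEYS)
    if firmware_enforced:
        for k in FIRMWARE_KEYS:
            if k in refvals and claims.get(k) not in refvals[k]:
                reasons.append(f"{k} mismatch")
        # A missing debug claim is treated as debug enabled (fail closed).
        if claims.get("debug", True):
            reasons.append("debug enabled")
    return (not reasons, reasons)


def demo():
    """Run the enforced and fallback paths on the constructed data."""
    good = dict(SAMPLE_BLOB, init_data="11" * 32, debug=False)
    enforced = rvps_reference_values(INIT_DATA_REFVALS,
                                     firmware_refvals_from_secret(SAMPLE_SECRET))
    fallback = rvps_reference_values(INIT_DATA_REFVALS,
                                     firmware_refvals_from_secret(EMPTY_SECRET))
    return {
        "enforced_ok": evaluate(good, enforced),
        "enforced_debug": evaluate(dict(good, debug=True), enforced),
        "enforced_bad_rtmr": evaluate(dict(good, rtmr_1="ee" * 48), enforced),
        "fallback_debug_ignored": evaluate(dict(good, debug=True), fallback),
        "fallback_bad_init_data": evaluate(dict(good, init_data="00" * 32), fallback),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The fallback branch is the point to watch when testing step 5 of the plan: with an empty Secret the policy never looks at `debug`, so a debug-enabled guest is admitted exactly as it was under v0.4.0; only pushing firmware values to Vault turns that check on.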

Wire firmware reference value enforcement into bare metal profiles by
enabling kbs.baremetal.enabled and updating to trustee-chart v0.5.*.

**Changes:**
- values-baremetal.yaml:
  - Add kbs.baremetal.enabled: "true" override
  - Update trustee chartVersion: 0.4.* → 0.5.*

- values-baremetal-gpu.yaml:
  - Add kbs.baremetal.enabled: "true" override
  - Update trustee chartVersion: 0.4.* → 0.5.*

**Effect:**
When deploying bare metal profiles, trustee-chart will now:
1. Create firmware-refvals-eso ExternalSecret (PR 2B)
2. Sync firmware reference values from Vault to cluster
3. Add firmware values to RVPS ConfigMap (PR 2B)
4. Enforce firmware measurements in attestation policy (PR 2C)

**Prerequisites:**
- Firmware values must be collected via veritas (PR 2A workflow)
- Values must be pushed to Vault: `make push-firmware-refvals REFVALS_FILE=./refvals.json`
- trustee-chart v0.5.0 must be released (includes PRs 2B, 2C)

**Backwards compatibility:**
If firmware values not pushed to Vault, attestation policy falls back to
init_data-only verification (no breaking change).

Part of Wave 2 (firmware hardening). Final PR to wire all pieces together.
@butler54 butler54 requested a review from a team May 28, 2026 05:20
Update chartVersion from 0.5.* to 0.6.* to align with trustee-chart
PR validatedpatterns#30 which introduces BREAKING CHANGE: firmware reference values
consumed as single JSON blob instead of multi-key secret.

Both profiles already have kbs.baremetal.enabled: "true" set, enabling
firmware reference value enforcement when values are present in Vault.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@butler54 butler54 merged commit 5fb705e into validatedpatterns:main May 28, 2026
6 checks passed