From c199e0f570c67f55c3acbd0030c81657c7d89e7d Mon Sep 17 00:00:00 2001
From: Chris Butler
Date: Thu, 28 May 2026 14:17:01 +0900
Subject: [PATCH 1/2] feat: enable firmware reference values in bare metal profiles
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Wire firmware reference value enforcement into bare metal profiles by enabling kbs.baremetal.enabled and updating to trustee-chart v0.5.*.

**Changes:**
- values-baremetal.yaml:
  - Add kbs.baremetal.enabled: "true" override
  - Update trustee chartVersion: 0.4.* → 0.5.*
- values-baremetal-gpu.yaml:
  - Add kbs.baremetal.enabled: "true" override
  - Update trustee chartVersion: 0.4.* → 0.5.*

**Effect:**
When deploying bare metal profiles, trustee-chart will now:
1. Create firmware-refvals-eso ExternalSecret (PR 2B)
2. Sync firmware reference values from Vault to cluster
3. Add firmware values to RVPS ConfigMap (PR 2B)
4. Enforce firmware measurements in attestation policy (PR 2C)

**Prerequisites:**
- Firmware values must be collected via veritas (PR 2A workflow)
- Values must be pushed to Vault: `make push-firmware-refvals REFVALS_FILE=./refvals.json`
- trustee-chart v0.5.0 must be released (includes PRs 2B, 2C)

**Backwards compatibility:**
If firmware values not pushed to Vault, attestation policy falls back to init_data-only verification (no breaking change).

Part of Wave 2 (firmware hardening). Final PR to wire all pieces together.
---
 values-baremetal-gpu.yaml | 4 +++-
 values-baremetal.yaml | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/values-baremetal-gpu.yaml b/values-baremetal-gpu.yaml
index ecb54bff..d54040ba 100644
--- a/values-baremetal-gpu.yaml
+++ b/values-baremetal-gpu.yaml
@@ -117,7 +117,7 @@ clusterGroup:
 namespace: trustee-operator-system
 project: trustee
 chart: trustee
-chartVersion: 0.4.*
+chartVersion: 0.5.*
 extraValueFiles:
   - '/overrides/values-trustee.yaml'
 overrides:
@@ -127,6 +127,8 @@ clusterGroup:
     value: "https://pccs-service.intel-dcap.svc.cluster.local:8042/sgx/certification/v4/"
   - name: kbs.gpu.enabled
     value: "true"
+  - name: kbs.baremetal.enabled
+    value: "true"
 
 storage:
   name: storage
diff --git a/values-baremetal.yaml b/values-baremetal.yaml
index f63b1c02..b5ed2a96 100644
--- a/values-baremetal.yaml
+++ b/values-baremetal.yaml
@@ -107,7 +107,7 @@ clusterGroup:
 namespace: trustee-operator-system
 project: trustee
 chart: trustee
-chartVersion: 0.4.*
+chartVersion: 0.5.*
 extraValueFiles:
   - '/overrides/values-trustee.yaml'
 overrides:
@@ -115,6 +115,8 @@ clusterGroup:
     value: "true"
   - name: kbs.tdx.collateralService
     value: "https://pccs-service.intel-dcap.svc.cluster.local:8042/sgx/certification/v4/"
+  - name: kbs.baremetal.enabled
+    value: "true"
 
 storage:
   name: storage

From 08fe3c3b347906874dbfdb77026310fb504b01c5 Mon Sep 17 00:00:00 2001
From: Chris Butler
Date: Thu, 28 May 2026 20:49:48 +0900
Subject: [PATCH 2/2] feat: update bare metal profiles to trustee-chart v0.6.*

Update chartVersion from 0.5.* to 0.6.* to align with trustee-chart PR #30 which introduces BREAKING CHANGE: firmware reference values consumed as single JSON blob instead of multi-key secret.

Both profiles already have kbs.baremetal.enabled: "true" set, enabling firmware reference value enforcement when values are present in Vault.

Co-Authored-By: Claude Sonnet 4.5
---
 values-baremetal-gpu.yaml | 2 +-
 values-baremetal.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/values-baremetal-gpu.yaml b/values-baremetal-gpu.yaml
index d54040ba..1ba318d7 100644
--- a/values-baremetal-gpu.yaml
+++ b/values-baremetal-gpu.yaml
@@ -117,7 +117,7 @@ clusterGroup:
 namespace: trustee-operator-system
 project: trustee
 chart: trustee
-chartVersion: 0.5.*
+chartVersion: 0.6.*
 extraValueFiles:
   - '/overrides/values-trustee.yaml'
 overrides:
diff --git a/values-baremetal.yaml b/values-baremetal.yaml
index b5ed2a96..25a4414e 100644
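Review bot: The added `kbs.baremetal.enabled: "true"` override turns on firmware-measurement enforcement only when reference values already exist in Vault; per the commit message, a missing or never-synced `firmware-refvals-eso` secret makes the attestation policy fall back to init_data-only verification, so this switch is fail-open rather than fail-closed. Nothing in the profile surfaces that degraded state, so a deployment where the ExternalSecret fails to sync would keep attesting workloads without firmware checks while appearing fully enabled. I would record that next to the override, `# NOTE: fail-open - without firmware refvals in Vault, trustee falls back to init_data-only attestation; confirm the firmware-refvals-eso ExternalSecret is synced after deploy`, and, if the chart exposes such a value, prefer a mode where absent reference values are a hard attestation failure. The `overrides:` list this entry belongs to starts outside the hunk.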
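Review bot: The new `kbs.baremetal.enabled` entry in the values-baremetal.yaml hunk only works if the key name is exactly what trustee-chart 0.5/0.6 reads; these overrides appear to be passed to Helm as chart parameters, and Helm does not reject unknown keys unless the chart ships a values schema, so a typo or a value renamed alongside the chart's breaking change would leave firmware enforcement silently off with no deploy-time error. Since enforcement is the whole purpose of this commit, I would confirm the chart has a `values.schema.json` covering this key, or at least pin the expectation in a comment: `# consumed by trustee-chart >=0.5 to enforce firmware refvals; Helm silently ignores unknown keys, so keep this name in sync with the chart`. The identical override in values-baremetal-gpu.yaml needs the same treatment. Separately, because the second patch documents a breaking change landing in a minor chart release, the floating `chartVersion: 0.6.*` range in this same application block deserves a tighter pin for a component that decides attestation outcomes. The `overrides:` list and the enclosing trustee application block start outside this hunk.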
--- a/values-baremetal.yaml
+++ b/values-baremetal.yaml
@@ -107,7 +107,7 @@ clusterGroup:
 namespace: trustee-operator-system
 project: trustee
 chart: trustee
-chartVersion: 0.5.*
+chartVersion: 0.6.*
 extraValueFiles:
   - '/overrides/values-trustee.yaml'
 overrides: