Reference values are used by the attestation service, to generate an attestation token. More specifically the attestation policy specifies how reference values are compared to TCB claims (extracted from the HW evidence by the attesters).
Provisioning Reference Values
There are multiple ways to provision reference values.
RVPS Tool
The RVPS provides a client tool for providing reference values. This is separate form the KBS Client because the reference value provider might be a different party than the administrator of Trustee.
You can build the RVPS Tool alongside the RVPS.
git clone https://github.com/confidential-containers/trustee
cd trustee/rvps
make
The RVPS generally expects reference values to be delivered via signed messages. For testing, you can create a sample message that is not signed.
cat << EOF > sample
{
"test-binary-1": [
"reference-value-1",
"reference-value-2"
],
"test-binary-2": [
"reference-value-3",
"reference-value-4"
]
}
EOF
provenance=$(cat sample | base64 --wrap=0)
cat << EOF > message
{
"version" : "0.1.0",
"type": "sample",
"payload": "$provenance"
}
EOF
You can then provision this message to the RVPS using the RVPS Tool
rvps-tool register --path ./message --addr <address-of-rvps>
If you’ve deployed Trustee via docker compose, the RVPS address should be 127.0.0.1:50003.
You can also query which reference values have been registered.
rvps-tool query --addr <address-of-rvps>
This provisioning flow is being refined.
Operator
If you are using the Trustee operator, you can provision reference values through Kubernetes.
kubectl apply -f - << EOF
apiVersion: v1
kind: ConfigMap
metadata:
name: rvps-reference-values
namespace: kbs-operator-system
data:
reference-values.json: |
[
]
EOF