An Ansible role that deploys Trustee server components for confidential computing. Trustee provides attestation and secret delivery services (KBS, AS, RVPS) for workloads running in Trusted Execution Environments (TEEs).
- Trustee Server (Quadlet): Deploys the Trustee Key Broker Service (KBS), Attestation Service (AS) and Reference Value Provider Service (RVPS) as Podman Quadlets fetched from a GitHub repository
- Secret Registration Server: HTTPS service that receives attestation-backed registration requests, verifies the attestation, creates a disk encryption key for the client, and stores it in the Trustee KBS
- Ansible 2.9 or later
- Install collection dependencies:
```shell
ansible-galaxy collection install -r meta/collection-requirements.yml
```

Example playbook:

```yaml
- name: Deploy Trustee Server
  hosts: all
  vars:
    trustee_server_trustee: true
    trustee_server_secret_registration_enabled: true
    trustee_server_secret_registration_listen_port: 8081
  roles:
    - linux-system-roles.trustee_server
```

More examples are in the examples/ directory.
When enabled, the role:
- Downloads the Podman Quadlets from the designated repository
- Generates all certificates required by the Trustee server components
- Adds the KBS port (8080) to firewalld
- Enables the services by default
Note that KBS listens on port 8080; the role only opens it in the host's firewalld, so perimeter firewalls or cloud security groups may need an additional allowance depending on your environment.
When enabled, the secret registration server:
- Listens for `POST /register-encryption-key` with `attestation_token` and `client_id` (the client's machine-id)
- Verifies the attestation token (Azure TPM-based)
- Creates a disk encryption key and stores it in Trustee KBS
- Appends a resource policy to `/etc/trustee/kbs/policy.rego`

Clients can then fetch the key from Trustee CDH using attestation.
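The following client is an added example and is not code shipped with the trustee_server role or the registration server. Only the endpoint (`POST /register-encryption-key`), the listen port 8081 from the playbook, and the two field names (`attestation_token`, `client_id` = machine-id) come from the text above; the JSON request and response encoding, the compact-JWS shape of the token, the server hostname and the CA file path are assumptions made for illustration. What it adds to the description is the client-side hygiene a practitioner wants: validate the machine-id before using it as an identity, verify the server's TLS certificate against a known CA so a rogue endpoint cannot harvest attestation tokens, and never log the token itself.

```python
"""Register a disk encryption key with the secret registration server.

Added example, not part of the trustee_server role. Endpoint and field names
are taken from the README; the JSON body/response, the JWS token shape, the
hostname and the CA path are assumptions made here for illustration.
"""
import json
import re
import ssl
import urllib.request

# systemd's /etc/machine-id holds exactly 32 lowercase hex digits.
_MACHINE_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def validate_machine_id(value: str) -> str:
    """Return the machine-id unchanged, or raise if it is malformed.

    The server keys the stored disk key on client_id, so a client must not
    send an empty or oddly shaped identifier.
    """
    if not _MACHINE_ID_RE.fullmatch(value):
        raise ValueError("client_id must be a 32-hex-digit machine-id")
    return value


def read_machine_id(path: str = "/etc/machine-id") -> str:
    """Read and validate the local systemd machine-id."""
    with open(path, encoding="ascii") as fh:
        return validate_machine_id(fh.read().strip())


def validate_attestation_token(token: str) -> str:
    """Structural sanity check only; the server performs the real verification.

    Assumption: the token is a compact JWS (header.payload.signature).
    """
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("attestation_token is not a compact JWS")
    return token


def build_registration_body(attestation_token: str, machine_id: str) -> bytes:
    """Encode the POST body. JSON encoding is an assumption of this example."""
    body = {
        "attestation_token": validate_attestation_token(attestation_token),
        "client_id": validate_machine_id(machine_id),
    }
    return json.dumps(body, sort_keys=True).encode("utf-8")


def redact_token(token: str) -> str:
    """Log this instead of the token: the token is a bearer credential."""
    return f"<jws {len(token)} bytes>"


def register_encryption_key(server: str, attestation_token: str, machine_id: str,
                            ca_file: str, port: int = 8081, timeout: float = 10.0) -> dict:
    """POST the registration request over TLS verified against ca_file.

    ca_file must be the CA that issued the registration server's certificate.
    Trusting only that CA, with hostname checking on, stops an impostor
    endpoint from collecting attestation tokens. urlopen raises HTTPError
    for 4xx/5xx responses, so a rejected attestation surfaces as an exception.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    req = urllib.request.Request(
        f"https://{server}:{port}/register-encryption-key",
        data=build_registration_body(attestation_token, machine_id),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)  # assumption: the server answers with JSON


if __name__ == "__main__":
    import sys
    # Hostname and CA path below are placeholders for this example.
    tok = sys.argv[1]
    print("registering with token", redact_token(tok))
    print(register_encryption_key("trustee.example.internal", tok,
                                  read_machine_id(), "/etc/trustee/ca.pem"))
```

The structural checks run before any network call, so a malformed machine-id or token fails fast on the client; the attestation itself is still judged only by the server.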
MIT
Li Tian [email protected]