linux-system-roles
diff --git a/‎README.md‎
Lines changed: 38 additions & 36 deletions b/‎README.md‎
Lines changed: 38 additions & 36 deletions
diff --git a/‎defaults/main.yml‎
Lines changed: 5 additions & 2 deletions b/‎defaults/main.yml‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎examples/simple.yml‎
Lines changed: 3 additions & 2 deletions b/‎examples/simple.yml‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎handlers/main.yml‎
Lines changed: 10 additions & 3 deletions b/‎handlers/main.yml‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎meta/main.yml‎
Lines changed: 2 additions & 0 deletions b/‎meta/main.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎tasks/encrypt_disk.yml‎
Lines changed: 21 additions & 33 deletions b/‎tasks/encrypt_disk.yml‎
Lines changed: 21 additions & 33 deletions
diff --git a/‎tasks/main.yml‎
Lines changed: 15 additions & 4 deletions b/‎tasks/main.yml‎
Lines changed: 15 additions & 4 deletions
diff --git a/‎tasks/secret_registration_client.yml‎
Lines changed: 32 additions & 0 deletions b/‎tasks/secret_registration_client.yml‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎tasks/trustee_quadlet.yml‎
Lines changed: 12 additions & 9 deletions b/‎tasks/trustee_quadlet.yml‎
Lines changed: 12 additions & 9 deletions
diff --git a/‎templates/foo.conf.j2‎
Lines changed: 0 additions & 5 deletions b/‎templates/foo.conf.j2‎
Lines changed: 0 additions & 5 deletions
@@ -7,50 +7,28 @@
 Ansible role for deploying Trustee Guest Components using Podman Quadlets for
 confidential virtual machine deployments. The role downloads quadlet files and
 configuration files from a GitHub repository, installs them, and manages them as
-systemd services. The role also supports optional disk encryption functionality for
-securing additional storage devices.
-
-The role will:
-
-1. Install Podman and Git if not already present
-2. Download Trustee Guest Components quadlet files and config files from the
-   specified GitHub repository
-3. Copy quadlet files (`.container`, `.volume`, `.network`, `.kube`) to the
-   install directory (`/etc/containers/systemd` by default)
-4. Copy config files from the repository's `configs` directory to `/etc/trustee-gc/`
-5. Replace `KBS_URL` and `KBS_CERT` placeholders in `/etc/trustee-gc/cdh/config.toml`
-   with the values from `trustee_attestation_client_trustee_kbs_url` and `trustee_attestation_client_trustee_kbs_cert`
-   variables (if provided)
-6. Reload systemd daemon
-7. Enable and start the Trustee Guest Components services
-8. (Optional) If `trustee_attestation_client_encrypt_disk` is `true`:
-   - Find an unpartitioned and unmounted disk
-   - Create a GPT partition table and partition on the disk
-   - Generate an encryption key and encrypt the partition using LUKS
-   - Format the encrypted partition with ext4
-   - Mount the encrypted disk at the specified mount point
-   - Store the encryption key in the `encrypted_disk_key` fact
+systemd services. The role also supports an optional secret registration client
+for disk key registration and optional disk encryption for securing additional
+storage devices.
+
+## Features
+
+- **Trustee Client (Quadlet)**: Deploys Trustee guest components Attestation Agent(AA), Confidential Data Hub(CDH) and API Server REST(ASR) using Podman Quadlets from a Github repository
+- **Secret Registration Client**: Utility script and service which registers to Secret Registration Server on Trustee Server. It acquires the encryption key from Trustee and decrypts the designated disk upon boot
+- **Encrypt Disk**: Does LUKS2 encryption of the found empty data disk. The encryption key is provided by Secret Registration Client.
 
 Example of setting the variables:
 
 ```yaml
 trustee_attestation_client_quadlet_repo_url: "https://github.com/litian1992/trustee-gc-quadlet-rhel"
 trustee_attestation_client_quadlet_repo_path: "quadlet"
 trustee_attestation_client_quadlet_repo_branch: "main"
-trustee_attestation_client_trustee_kbs_url: "https://kbs.example.com"
-trustee_attestation_client_trustee_kbs_cert: "/path/to/cert.pem"
+trustee_attestation_client_kbs_url: "https://kbs.example.com"
+trustee_attestation_client_kbs_cert_content: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+trustee_attestation_client_secret_registration_enabled: true
 trustee_attestation_client_encrypt_disk: true
 ```
 
-## Variables Exported by the Role
-
-### encrypted_disk_key
-
-If disk encryption is enabled (`trustee_attestation_client_encrypt_disk: true`), this fact
-contains the base64-encoded encryption key for the encrypted disk. This key is
-required to mount the encrypted disk after a reboot. The key is automatically
-generated during disk encryption and should be securely stored for future use.
-
 ## Example Playbook
 
 Including an example of how to use your role (for instance, with variables
@@ -63,13 +41,37 @@ passed in as parameters) is always nice for users too:
     trustee_attestation_client_quadlet_repo_url: "https://github.com/litian1992/trustee-gc-quadlet-rhel"
     trustee_attestation_client_quadlet_repo_path: "quadlet"
     trustee_attestation_client_quadlet_repo_branch: "main"
-    trustee_attestation_client_trustee_kbs_url: "https://kbs.example.com"
-    trustee_attestation_client_trustee_kbs_cert: "/path/to/kbs-cert.pem"
+    trustee_attestation_client_kbs_url: "https://kbs.example.com"
+    trustee_attestation_client_kbs_cert_content: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+    trustee_attestation_client_secret_registration_enabled: true
     trustee_attestation_client_encrypt_disk: true
   roles:
     - linux-system-roles.trustee_attestation_client
 ```
 
+## Trustee Client
+
+The task:
+
+1. Downloads the Podman Quadlets from designated repo
+2. Configures the settings in /etc/trustee-gc/
+3. Enables and starts trustee-gc.pod as a service
+
+## Secret Registration Client
+
+When enabled, this task:
+
+1. Sends registration request to Secret Registration Server via HTTPS to acquire disk encryption keys
+2. Requests above disk encryption key upon boot when Encrypt Disk is enabled to decrypt and mount disk
+
+## Encrypt Disk
+
+When enabled, this task:
+
+1. Finds the first unpartitioned and unmounted disk
+2. Requests disk encryption key from Secret Registration Client
+3. Encrypts the disk using above encryption key and mounts it at the designated path
+
 ## License
 
 Whenever possible, please prefer MIT.
 
@@ -11,8 +11,11 @@ trustee_attestation_client_quadlet_repo_branch: "main"
 trustee_attestation_client_quadlet_install_dir: "/etc/containers/systemd"
 
 # Trustee KBS configuration
-trustee_attestation_client_trustee_kbs_url: ""
-trustee_attestation_client_trustee_kbs_cert: ""
+trustee_attestation_client_kbs_url: ""
+trustee_attestation_client_kbs_cert_content: ""
+
+# Secret registration client configuration
+trustee_attestation_client_secret_registration_enabled: false
 
 # Encrypt disk configuration
 trustee_attestation_client_encrypt_disk: false
 
@@ -8,7 +8,8 @@
     trustee_attestation_client_quadlet_repo_branch: "main"
     trustee_attestation_client_quadlet_install_dir: "/etc/containers/systemd"
     trustee_attestation_client_encrypt_disk: false
-    trustee_attestation_client_trustee_kbs_url: "https://kbs.example.com"
-    trustee_attestation_client_trustee_kbs_cert: "/path/to/kbs-cert.pem"
+    trustee_attestation_client_kbs_url: "https://kbs.example.com"
+    trustee_attestation_client_kbs_cert_content: "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
+    trustee_attestation_client_secret_registration_enabled: false
   roles:
     - linux-system-roles.trustee_attestation_client
@@ -1,7 +1,14 @@
 # SPDX-License-Identifier: MIT
 ---
-- name: Handler for trustee_attestation_client to restart services
-  service:
+- name: Reload systemd daemon for trustee
+  ansible.builtin.systemd:
+    daemon_reload: true
+  listen: "restart trustee services"
+
+- name: Enable and restart trustee services
+  ansible.builtin.systemd:
     name: "{{ item }}"
+    enabled: true
     state: restarted
-  loop: "{{ __trustee_attestation_client_services }}"
+  loop: "{{ __trustee_attestation_client_services | default([]) }}"
+  listen: "restart trustee services"
@@ -14,6 +14,8 @@ galaxy_info:
       versions:
         - "9"
   galaxy_tags:
+    - trustee
+    - attestation
     - el9
     - el10
     - fedora
 
@@ -15,12 +15,16 @@
         }
       }
     '
-  register: unpartitioned_disk
+  register: __trustee_attestation_client_unpartitioned_disk
   changed_when: false
   failed_when: false
 
 - name: Encrypt disk
-  when: unpartitioned_disk.stdout != ""
+  when: __trustee_attestation_client_unpartitioned_disk.stdout != ""
+  vars:
+    __trustee_attestation_client_disk_device: "/dev/{{ __trustee_attestation_client_unpartitioned_disk.stdout }}"
+    __trustee_attestation_client_disk_partition: >-
+      /dev/{{ __trustee_attestation_client_unpartitioned_disk.stdout }}{{ 'p' if 'nvme' in __trustee_attestation_client_unpartitioned_disk.stdout else '' }}1
   block:
     - name: Ensure packages for disk encryption are installed
       ansible.builtin.package:
@@ -29,48 +33,32 @@
         use: "{{ (__trustee_attestation_client_is_ostree | d(false)) |
               ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
 
-    - name: Set fact with disk device path and partition path
-      ansible.builtin.set_fact:
-        disk_device: "/dev/{{ unpartitioned_disk.stdout }}"
-        disk_partition: >-
-          /dev/{{ unpartitioned_disk.stdout }}{{ 'p' if 'nvme' in unpartitioned_disk.stdout else '' }}1
+    - name: Create temporary file for disk encryption key
+      ansible.builtin.tempfile:
+        state: file
+        suffix: .bin
+      register: __trustee_attestation_client_secret_key_tempfile
 
-    - name: Create partition table and partition on disk
+    - name: Acquire disk encryption key from Secret Registration Client service
       ansible.builtin.shell: |
-        parted -s {{ disk_device }} mklabel gpt
-        parted -s {{ disk_device }} mkpart primary ext4 0% 100%
+        /usr/local/bin/secret_registration_client.sh --fetch-key-to {{ __trustee_attestation_client_secret_key_tempfile.path }}
       changed_when: true
+      no_log: true
 
-    - name: Generate a temp file for the key
-      ansible.builtin.tempfile:
-        state: file
-      register: __trustee_attestation_client_tmp_key
-
-    - name: Generate a key and encrypt the partition
+    - name: Encrypt the partition
       ansible.builtin.shell: |
         set -o pipefail
-        head -c 32 /dev/urandom | base64 > {{ __trustee_attestation_client_tmp_key.path }}
-        cryptsetup luksFormat --key-file {{ __trustee_attestation_client_tmp_key.path }} --batch-mode {{ disk_partition }}
-        cryptsetup open --key-file {{ __trustee_attestation_client_tmp_key.path }} {{ disk_partition }} encrypted-disk
+        parted -s {{ __trustee_attestation_client_disk_device }} mklabel gpt
+        parted -s {{ __trustee_attestation_client_disk_device }} mkpart primary ext4 0% 100%
+        cryptsetup luksFormat --key-file {{ __trustee_attestation_client_secret_key_tempfile.path }} --batch-mode {{ __trustee_attestation_client_disk_partition }}
+        cryptsetup open --key-file {{ __trustee_attestation_client_secret_key_tempfile.path }} {{ __trustee_attestation_client_disk_partition }} encrypted-disk
         mkfs.ext4 /dev/mapper/encrypted-disk
         [ -d {{ trustee_attestation_client_encrypt_disk_mount_point }} ] || mkdir -p {{ trustee_attestation_client_encrypt_disk_mount_point }}
         mount /dev/mapper/encrypted-disk {{ trustee_attestation_client_encrypt_disk_mount_point }}
       changed_when: true
       no_log: true
 
-    - name: Read key from remote host
-      ansible.builtin.slurp:
-        src: "{{ __trustee_attestation_client_tmp_key.path }}"
-      register: slurped_key
-      no_log: true
-
-    - name: Set encrypted disk key fact
-      ansible.builtin.set_fact:
-        encrypted_disk_key: "{{ slurped_key.content }}"
-      no_log: true
-
-    - name: Clean up temporary key file
+    - name: Clean up disk encryption key file
       ansible.builtin.file:
-        path: "{{ __trustee_attestation_client_tmp_key.path }}"
+        path: "{{ __trustee_attestation_client_secret_key_tempfile.path }}"
         state: absent
-# TODO: Add a systemd service to mount the encrypted disk at boot
@@ -3,10 +3,21 @@
 - name: Set platform/version specific variables
   include_tasks: tasks/set_vars.yml
 
-- name: Create encrypted disk partition
-  include_tasks: encrypt_disk.yml
-  when: trustee_attestation_client_encrypt_disk | bool
-
 - name: Deploy Trustee Guest Components using Podman Quadlets
   include_tasks: trustee_quadlet.yml
   when: trustee_attestation_client_trustee_gc | bool
+
+- name: Deploy Secret Registration Client Service
+  include_tasks: secret_registration_client.yml
+  when:
+    - trustee_attestation_client_secret_registration_enabled | bool
+    - trustee_attestation_client_trustee_gc | bool
+
+- name: Create encrypted disk partition
+  include_tasks: encrypt_disk.yml
+  when:
+    - trustee_attestation_client_encrypt_disk | bool
+    - trustee_attestation_client_secret_registration_enabled | bool
+
+- name: Flush handlers to ensure services are started
+  ansible.builtin.meta: flush_handlers
@@ -0,0 +1,32 @@
+# SPDX-License-Identifier: MIT
+---
+# Secret registration client: registers with server using attestation,
+# fetches disk encryption key from Trustee KBS.
+# Requires Trustee GC (trustee_attestation_client_trustee_gc).
+
+- name: Ensure secret registration client dependencies are installed
+  ansible.builtin.package:
+    name: "{{ __trustee_attestation_client_secret_registration_client_packages }}"
+    state: present
+    use: "{{ (__trustee_attestation_client_is_ostree | d(false)) |
+          ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
+
+- name: Deploy secret registration client script
+  ansible.builtin.template:
+    src: secret_registration_client.sh.j2
+    dest: "/usr/local/bin/secret_registration_client.sh"
+    mode: "0755"
+  register: __trustee_attestation_client_reg_script
+
+- name: Deploy secret registration client systemd unit
+  ansible.builtin.template:
+    src: secret_registration_client.service.j2
+    dest: /etc/systemd/system/secret_registration_client.service
+    mode: "0644"
+  register: __trustee_attestation_client_service
+
+- name: Append secret_registration_client to services list
+  ansible.builtin.set_fact:
+    __trustee_attestation_client_services: >-
+      {{ __trustee_attestation_client_services | default([]) + ['secret_registration_client'] }}
+  notify: "restart trustee services"
@@ -75,19 +75,19 @@
   loop:
     - path: /etc/trustee-gc/cdh/config.toml
       regexp: KBS_URL
-      replace: "{{ trustee_attestation_client_trustee_kbs_url }}"
+      replace: "{{ trustee_attestation_client_kbs_url }}"
     - path: /etc/trustee-gc/cdh/config.toml
       regexp: KBS_CERT
-      replace: "{{ trustee_attestation_client_trustee_kbs_cert }}"
+      replace: "{{ trustee_attestation_client_kbs_cert_content }}"
     - path: /etc/trustee-gc/aa/config.toml
       regexp: KBS_URL
-      replace: "{{ trustee_attestation_client_trustee_kbs_url }}"
+      replace: "{{ trustee_attestation_client_kbs_url }}"
     - path: /etc/trustee-gc/aa/config.toml
       regexp: KBS_CERT
-      replace: "{{ trustee_attestation_client_trustee_kbs_cert }}"
+      replace: "{{ trustee_attestation_client_kbs_cert_content }}"
   when:
     - __repo_configs_dir.stat.exists
-    - trustee_attestation_client_trustee_kbs_url != "" or trustee_attestation_client_trustee_kbs_cert != ""
+    - trustee_attestation_client_kbs_url != "" or trustee_attestation_client_kbs_cert_content != ""
 
 - name: Stat /dev/sev-guest device
   ansible.builtin.stat:
@@ -101,10 +101,6 @@
     replace: 'AddDevice=/dev/sev-guest'
   when: __sev_guest_device.stat.exists
 
-- name: Reload systemd daemon
-  ansible.builtin.systemd:
-    daemon_reload: true
-
 - name: Get the installed Trustee Guest Components pod name
   ansible.builtin.find:
     paths: "{{ trustee_attestation_client_quadlet_install_dir }}"
@@ -120,6 +116,13 @@
   when: trustee_gc_pod_name.files | length > 0
   failed_when: false
 
+- name: Write KBS certificate to /etc/trustee-gc/server.crt
+  ansible.builtin.copy:
+    content: "{{ trustee_attestation_client_kbs_cert_content }}"
+    dest: /etc/trustee-gc/server.crt
+    mode: "0644"
+  when: trustee_attestation_client_kbs_cert_content | length > 0
+
 - name: Clean up temporary repository directory
   ansible.builtin.file:
     path: "{{ __trustee_attestation_client_quadlet_repo_dir.path }}"