Rebase for 1.1.1

Makefile

@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 1.1.0
+VERSION ?= 1.1.1
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")
@@ -175,8 +175,8 @@ build-installer: manifests generate kustomize ## Generate a consolidated YAML wi
 # Run sample attestation in a kind cluster
 # pre-requirements: kuttl plugin and kind are installed
 # Usage: KBS_IMAGE_NAME=<trustee-image> CLIENT_IMAGE_NAME=<client-image> make test-e2e
-KBS_IMAGE_NAME ?= ghcr.io/confidential-containers/key-broker-service:built-in-as-v0.17.0
-CLIENT_IMAGE_NAME ?= quay.io/confidential-containers/kbs-client:v0.17.0
+KBS_IMAGE_NAME ?= ghcr.io/confidential-containers/key-broker-service:built-in-as-v0.18.0
+CLIENT_IMAGE_NAME ?= quay.io/confidential-containers/kbs-client:v0.18.0
 .PHONY: test-e2e
 test-e2e:
 	./tests/scripts/kind-with-registry.sh

bundle.Dockerfile

@@ -6,7 +6,7 @@ LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
 LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
 LABEL operators.operatorframework.io.bundle.package.v1=trustee-operator
 LABEL operators.operatorframework.io.bundle.channels.v1=alpha
-LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.40.0
+LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.42.0
 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1
 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v4
 

bundle/manifests/trustee-operator.clusterserviceversion.yaml

@@ -23,7 +23,7 @@ metadata:
     features.operators.openshift.io/token-auth-gcp: "false"
     operators.openshift.io/valid-subscription: '["OpenShift Container Platform", "OpenShift Platform Plus"]'
     repository: https://github.com/openshift/trustee-operator
-  name: trustee-operator.v1.1.0
+  name: trustee-operator.v1.1.1
   namespace: placeholder
   labels:
     operatorframework.io/os.linux: supported
@@ -183,7 +183,7 @@ spec:
                 - name: KBS_IMAGE_NAME
                   value: "registry.redhat.io/build-of-trustee/trustee-rhel9@sha256:7c132a71a7a374f594e36e5c9f255e6e0cca7ad456b81ddc9f93b0d5c39dec06"
                 - name: KBS_IMAGE_NAME_MICROSERVICES
-                  value: ghcr.io/confidential-containers/key-broker-service:v0.17.0
+                  value: ghcr.io/confidential-containers/key-broker-service:v0.18.0
                 - name: AS_IMAGE_NAME
                   value: ghcr.io/confidential-containers/staged-images/coco-as-grpc:latest
                 - name: RVPS_IMAGE_NAME
@@ -205,10 +205,10 @@ spec:
                 resources:
                   limits:
                     cpu: 500m
-                    memory: 128Mi
+                    memory: 512Mi
                   requests:
                     cpu: 10m
-                    memory: 64Mi
+                    memory: 256Mi
                 securityContext:
                   allowPrivilegeEscalation: false
                   capabilities:
@@ -279,5 +279,5 @@ spec:
   relatedImages:
   - image: registry.redhat.io/build-of-trustee/trustee-rhel9@sha256:7c132a71a7a374f594e36e5c9f255e6e0cca7ad456b81ddc9f93b0d5c39dec06
     name: trustee
-  replaces: trustee-operator.v1.0.0
-  version: 1.1.0
+  replaces: trustee-operator.v1.1.0
+  version: 1.1.1

config/manager/kustomization.yaml

@@ -5,4 +5,4 @@ kind: Kustomization
 images:
 - name: controller
   newName: quay.io/confidential-containers/trustee-operator
-  newTag: v1.1.0
+  newTag: v1.1.1

config/manager/manager.yaml

@@ -74,7 +74,7 @@ spec:
         args:
         - --leader-elect
         - --health-probe-bind-address=:8081
-        image: quay.io/confidential-containers/trustee-operator:v1.1.0
+        image: quay.io/confidential-containers/trustee-operator:v1.1.1
         name: manager
         # Add the following environment variables to the manager container
         # POD_NAMESPACE
@@ -85,10 +85,10 @@ spec:
               fieldPath: metadata.namespace
         - name: KBS_IMAGE_NAME
           # kbs image for AllInOneDeployment
-          value: ghcr.io/confidential-containers/key-broker-service:built-in-as-v0.17.0
+          value: ghcr.io/confidential-containers/key-broker-service:built-in-as-v0.18.0
           # kbs image for MicroserviceDeployment
         - name: KBS_IMAGE_NAME_MICROSERVICES
-          value: ghcr.io/confidential-containers/key-broker-service:v0.17.0
+          value: ghcr.io/confidential-containers/key-broker-service:v0.18.0
         - name: AS_IMAGE_NAME
           value: ghcr.io/confidential-containers/staged-images/coco-as-grpc:latest
         - name: RVPS_IMAGE_NAME
@@ -115,9 +115,9 @@ spec:
         resources:
           limits:
             cpu: 500m
-            memory: 128Mi
+            memory: 512Mi
           requests:
             cpu: 10m
-            memory: 64Mi
+            memory: 256Mi
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10

config/manifests/bases/trustee-operator.clusterserviceversion.yaml

@@ -5,7 +5,7 @@ metadata:
     alm-examples: '[]'
     capabilities: Basic Install
     categories: Security
-    containerImage: quay.io/confidential-containers/trustee-operator:v1.1.0
+    containerImage: quay.io/confidential-containers/trustee-operator:v1.1.1
     features.operators.openshift.io/disconnected: "true"
     features.operators.openshift.io/fips-compliant: "false"
     features.operators.openshift.io/proxy-aware: "true"
@@ -15,7 +15,7 @@ metadata:
     features.operators.openshift.io/token-auth-gcp: "false"
     operatorframework.io/suggested-namespace: trustee-operator-system
     support: Confidential Containers Community
-  name: trustee-operator.v1.1.0
+  name: trustee-operator.v1.1.1
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -63,5 +63,5 @@ spec:
   provider:
     name: Confidential Containers Community
     url: https://github.com/confidential-containers
-  replaces: trustee-operator.v1.0.0
-  version: 1.1.0
+  replaces: trustee-operator.v1.1.0
+  version: 1.1.1

config/templates/ear_default_attestation_policy_cpu.rego

@@ -176,7 +176,7 @@ hardware := 2 if {
 
   # Check TDX Module hash
   # input.tdx.quote.body.mr_seam in query_reference_value("mr_seam")
-
+  #
   # Check OVMF code hash
   input.tdx.quote.body.mr_td in query_reference_value("mr_td")
 
@@ -240,75 +240,75 @@ tdx_uefi_event_tdvfkernelparams_ok if {
 
 ##### Azure vTPM SNP
 executables := 3 if {
-  input.az_snp_vtpm
-
-  input.az_snp_vtpm.measurement in query_reference_value("measurement")
-  input.az_snp_vtpm.tpm.pcr03 in query_reference_value("snp_pcr03")
-  input.az_snp_vtpm.tpm.pcr08 in query_reference_value("snp_pcr08")
-  input.az_snp_vtpm.tpm.pcr09 in query_reference_value("snp_pcr09")
-  input.az_snp_vtpm.tpm.pcr11 in query_reference_value("snp_pcr11")
-  input.az_snp_vtpm.tpm.pcr12 in query_reference_value("snp_pcr12")
+  input["az-snp-vtpm"]
+
+  input["az-snp-vtpm"].measurement in query_reference_value("measurement")
+  input["az-snp-vtpm"].tpm.pcr03 in query_reference_value("snp_pcr03")
+  input["az-snp-vtpm"].tpm.pcr08 in query_reference_value("snp_pcr08")
+  input["az-snp-vtpm"].tpm.pcr09 in query_reference_value("snp_pcr09")
+  input["az-snp-vtpm"].tpm.pcr11 in query_reference_value("snp_pcr11")
+  input["az-snp-vtpm"].tpm.pcr12 in query_reference_value("snp_pcr12")
 }
 
 hardware := 2 if {
-  input.az_snp_vtpm
+  input["az-snp-vtpm"]
 
   # Check the reported TCB to validate the ASP FW
-  input.az_snp_vtpm.reported_tcb_bootloader in query_reference_value("tcb_bootloader")
-  input.az_snp_vtpm.reported_tcb_microcode in query_reference_value("tcb_microcode")
-  input.az_snp_vtpm.reported_tcb_snp in query_reference_value("tcb_snp")
-  input.az_snp_vtpm.reported_tcb_tee in query_reference_value("tcb_tee")
+  input["az-snp-vtpm"].reported_tcb_bootloader in query_reference_value("tcb_bootloader")
+  input["az-snp-vtpm"].reported_tcb_microcode in query_reference_value("tcb_microcode")
+  input["az-snp-vtpm"].reported_tcb_snp in query_reference_value("tcb_snp")
+  input["az-snp-vtpm"].reported_tcb_tee in query_reference_value("tcb_tee")
 }
 
 # For the 'configuration' trust claim 2 stands for
 # "The configuration is a known and approved config."
 #
 # For this, we compare all the configuration fields.
 configuration := 2 if {
-  input.az_snp_vtpm
-
-  input.az_snp_vtpm.platform_smt_enabled in query_reference_value("smt_enabled")
-  input.az_snp_vtpm.platform_tsme_enabled in query_reference_value("tsme_enabled")
-  input.az_snp_vtpm.policy_abi_major in query_reference_value("abi_major")
-  input.az_snp_vtpm.policy_abi_minor in query_reference_value("abi_minor")
-  input.az_snp_vtpm.policy_single_socket in query_reference_value("single_socket")
-  input.az_snp_vtpm.policy_smt_allowed in query_reference_value("smt_allowed")
+  input["az-snp-vtpm"]
+
+  input["az-snp-vtpm"].platform_smt_enabled in query_reference_value("smt_enabled")
+  input["az-snp-vtpm"].platform_tsme_enabled in query_reference_value("tsme_enabled")
+  input["az-snp-vtpm"].policy_abi_major in query_reference_value("abi_major")
+  input["az-snp-vtpm"].policy_abi_minor in query_reference_value("abi_minor")
+  input["az-snp-vtpm"].policy_single_socket in query_reference_value("single_socket")
+  input["az-snp-vtpm"].policy_smt_allowed in query_reference_value("smt_allowed")
 }
 
 ##### Azure vTPM TDX
 executables := 3 if {
-  input.az_tdx_vtpm
+  input["az-tdx-vtpm"]
 
-  input.az_tdx_vtpm.tpm.pcr03 in query_reference_value("tdx_pcr03")
-  input.az_tdx_vtpm.tpm.pcr08 in query_reference_value("tdx_pcr08")
-  input.az_tdx_vtpm.tpm.pcr09 in query_reference_value("tdx_pcr09")
-  input.az_tdx_vtpm.tpm.pcr11 in query_reference_value("tdx_pcr11")
-  input.az_tdx_vtpm.tpm.pcr12 in query_reference_value("tdx_pcr12")
+  input["az-tdx-vtpm"].tpm.pcr03 in query_reference_value("tdx_pcr03")
+  input["az-tdx-vtpm"].tpm.pcr08 in query_reference_value("tdx_pcr08")
+  input["az-tdx-vtpm"].tpm.pcr09 in query_reference_value("tdx_pcr09")
+  input["az-tdx-vtpm"].tpm.pcr11 in query_reference_value("tdx_pcr11")
+  input["az-tdx-vtpm"].tpm.pcr12 in query_reference_value("tdx_pcr12")
 }
 
 hardware := 2 if {
-  input.az_tdx_vtpm
+  input["az-tdx-vtpm"]
 
   # Check the quote is a TDX quote signed by Intel SGX Quoting Enclave
-  input.az_tdx_vtpm.quote.header.tee_type == "81000000"
-  input.az_tdx_vtpm.quote.header.vendor_id == "939a7233f79c4ca9940a0db3957f0607"
+  input["az-tdx-vtpm"].quote.header.tee_type == "81000000"
+  input["az-tdx-vtpm"].quote.header.vendor_id == "939a7233f79c4ca9940a0db3957f0607"
 
 # Check TDX Module hash
 # input.tdx.quote.body.mr_seam in query_reference_value("mr_seam")
 #
 # Check OVMF code hash
-input.az_tdx_vtpm.quote.body.mr_td in query_reference_value("mr_td")
+input["az-tdx-vtpm"].quote.body.mr_td in query_reference_value("mr_td")
 
 # Check TCB status (covers quote.body.tcb_svn claim check)
-input.az_tdx_vtpm.tcb_status == "UpToDate"
+input["az-tdx-vtpm"].tcb_status == "UpToDate"
 
 # Check minimum TCB date (See TDX section for details.)
 }
 
 configuration := 2 if {
-  input.az_tdx_vtpm
+  input["az-tdx-vtpm"]
 
-  input.az_tdx_vtpm.quote.body.xfam in query_reference_value("xfam")
+  input["az-tdx-vtpm"].quote.body.xfam in query_reference_value("xfam")
 }
 
 ##### TPM
@@ -326,8 +326,23 @@ configuration := 0 if {
   input.tpm
 }
 
-##### SE TODO
+##### IBM Secure Execution for Linux (SEL)
+# Only field existence is checked. No value check is necessary.
+# The SE verifier performs cryptographic verification including
+# measurements, signatures, and user_data binding.
+# If the field exists, it means the verifaction is successful.
+# This is a 'trust-the-verifier' approach.
+executables := 3 if {
+  input.se
+}
+
+hardware := 2 if {
+  input.se
+}
 
+configuration := 2 if {
+  input.se
+}
 
 #################################
 # EXTENSIONS

go.mod

@@ -1,11 +1,11 @@
 module github.com/confidential-containers/trustee-operator
 
-go 1.24.0
+go 1.25.0
 
-toolchain go1.24.6
+toolchain go1.25.9
 
 require (
-	github.com/go-logr/logr v1.4.2
+	github.com/go-logr/logr v1.4.3
 	github.com/onsi/ginkgo/v2 v2.22.0
 	github.com/onsi/gomega v1.36.1
 	github.com/openshift/api v0.0.0-20251020095937-6a0c921fc0f5
@@ -16,11 +16,11 @@ require (
 )
 
 require (
-	cel.dev/expr v0.24.0 // indirect
+	cel.dev/expr v0.25.1 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
-	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
@@ -41,7 +41,7 @@ require (
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -59,33 +59,33 @@ require (
 	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
-	go.opentelemetry.io/otel v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
-	go.opentelemetry.io/otel/metric v1.35.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/oauth2 v0.27.0 // indirect
-	golang.org/x/sync v0.12.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/term v0.30.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/oauth2 v0.35.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/term v0.41.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
-	golang.org/x/tools v0.26.0 // indirect
+	golang.org/x/tools v0.42.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/grpc v1.72.1 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
+	google.golang.org/grpc v1.80.0 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect