The Manifest
The manifest is the configuration file for the Coordinator, defining your confidential deployment.
It's automatically generated from your deployment by the Contrast CLI and uses JSON format (manifest.json).
Policies
The identities of your Pods, represented by the hashes of their respective initdata documents.
Policies.*.SANs
The Coordinator will add the Subject Alternative Names (SANs) to the workload certificate for the workload with the respective policy hash after verification. Allowed values are:
- IP addresses
- URIs
- DNS names
By default, the Contrast CLI will add two SANs for each workload on generate: The pod name as DNS name under which the pod can be reached inside the cluster, and a wildcard DNS name * to allow the certificate to be used with any other hostname (for example an external load balancer).
As DNS is untrusted in the context of Contrast, issuing a wildcard certificate won't weaken the security of your workload.
To enable IP-based certificate verification, insert the desired IP address into the list of SANs. The change could look like this:
"Policies": {
...
"99dd77cbd7fe2c4e1f29511014c14054a21a376f7d58a48d50e9e036f4522f6b": {
"SANs": [
"web",
- "*"
+ "*",
+ "203.0.113.34"
],
},
Some authentication and authorization schemes rely on URI SANs in X.509 certificates. For example, SPIFFE IDs are URIs and are often found as certificate SANs. The change to add such an URI SAN to the manifest could look like this:
"Policies": {
...
"99dd77cbd7fe2c4e1f29511014c14054a21a376f7d58a48d50e9e036f4522f6b": {
"SANs": [
"web",
- "*"
+ "*",
+ "spiffe://acme.com/billing/payments"
],
},
Policies.*.WorkloadSecretID
The WorkloadSecretID is used in addition to the secret seed to derive the workload secret.
It's a non-interpreted string and defaults to the qualified Kubernetes resource name of the pod.
As long as the WorkloadSecretID remains unchanged, the derived workload secret will remain stable across manifest updates and Coordinator recovery.
See Workload secrets for more information.
Policies.*.Role
Contrast role assigned to the workload.
The only supported value is coordinator, which identifies the Coordinator within the manifest.
Workloads don't set this field.
ReferenceValues
The remote attestation reference values for the confidential micro-VM that's the runtime environment of your Pods. The reference values cover both the platform configuration as well as the guest TCB. They're independent from the workload executed inside the Contrast pod VM and only differ between platforms or Contrast versions.
The reference values are grouped by confidential computing technology, there is a snp and a tdx section.
Each of those sections contains a list of reference value sets.
The Coordinator will accept a workload if its attestation report matches any of the listed reverence value sets exactly.
ReferenceValues.snp.*.ProductName
The product name of your platform.
Milan and Genoa are supported by Contrast.
ReferenceValues.snp.*.TrustedMeasurement
The TrustedMeasurement is a hash over the initial memory contents and state of the confidential VM.
It covers the guest firmware, the initrd and kernel as well as the kernel command line.
The kernel command line contains the dm-verity hash of the root filesystem, which contains all Contrast components that run inside the guest.
It's the (launch) MEASUREMENT from the SNP ATTESTATION_REPORT, according to Table 23 in the SEV ABI Spec.
ReferenceValues.snp.*.MinimumTCB
AMD doesn't provide an accessible way to acquire the latest TCB values for your platform.
Visit the AMD SEV developer portal and download the latest firmware package for your processor family.
Unpack and inspect the contained release notes, which state the SNP firmware SVN (called SPL (security patch level) in that document).
Contact your hardware vendor or BIOS firmware provider for information about the other TCB components
To check the current TCB level of your platform, use snphost:
snphost show tcb
Reported TCB: TCB Version:
Microcode: 72
SNP: 23
TEE: 0
Boot Loader: 9
FMC: None
Platform TCB: TCB Version:
Microcode: 72
SNP: 23
TEE: 0
Boot Loader: 9
FMC: None
The values listed as Reported TCB to should be greater or equal to the MinimumTCB values in manifest.json.
The Platform TCB can be higher than the Reported TCB, in this case, the platform has provisional firmware enrolled.
Contrast relies on the committed TCB values, as provisional firmware can be rolled back anytime by the platform operator.
The TCB values observed on the target platform using snphost might not be trustworthy.
Your channel to the system or the system itself might be compromised.
The deployed firmware could be outdated and vulnerable.
ReferenceValues.snp.*.MinimumTCB.BootloaderVersion
ReferenceValues.snp.*.MinimumTCB.TEEVersion
ReferenceValues.snp.*.MinimumTCB.SNPVersion
ReferenceValues.snp.*.MinimumTCB.MicrocodeVersion
ReferenceValues.snp.*.GuestPolicy
ReferenceValues.snp.*.GuestPolicy.ABIMinor
ReferenceValues.snp.*.GuestPolicy.ABIMajor
ReferenceValues.snp.*.GuestPolicy.SMT
ReferenceValues.snp.*.GuestPolicy.MigrateMA
ReferenceValues.snp.*.GuestPolicy.Debug
ReferenceValues.snp.*.GuestPolicy.SingleSocket
ReferenceValues.snp.*.GuestPolicy.CXLAllowed
ReferenceValues.snp.*.GuestPolicy.MemAES256XTS
ReferenceValues.snp.*.GuestPolicy.RAPLDis
ReferenceValues.snp.*.GuestPolicy.CipherTextHidingDRAM
ReferenceValues.snp.*.GuestPolicy.PageSwapDisable
ReferenceValues.snp.*.PlatformInfo
ReferenceValues.snp.*.PlatformInfo.SMTEnabled
ReferenceValues.snp.*.PlatformInfo.TSMEEnabled
ReferenceValues.snp.*.PlatformInfo.ECCEnabled
ReferenceValues.snp.*.PlatformInfo.RAPLDisabled
ReferenceValues.snp.*.PlatformInfo.CiphertextHidingDRAMEnabled
ReferenceValues.snp.*.PlatformInfo.AliasCheckComplete
ReferenceValues.snp.*.PlatformInfo.TIOEnabled
ReferenceValues.tdx.*.MrTd
ReferenceValues.tdx.*.MrSeam
MrSeam is the SHA384 hash of the TDX module.
You should retrieve the TDX module via a trustworthy channel from Intel, for example by downloading the TDX module from Intel's GitHub repository and hashing the module on a trusted machine.
You can also reproduce the release artifact by following the build instructions linked in the release notes.
You can check the hash of the in-use TDX module by executing
sha384sum /boot/efi/EFI/TDX/TDX-SEAM.so | cut -d' ' -f1
The TDX module hash (MrSeam) observed on the target platform might not be trustworthy.
Your channel to the system or the system itself might be compromised.
Make sure to retrieve or reproduce the value on a trusted machine.
ReferenceValues.tdx.*.Rtmrs[4]
ReferenceValues.tdx.*.TdAttributes
ReferenceValues.tdx.*.Xfam
WorkloadOwnerKeyDigests
A list of workload owner public key digests. Used for authenticating subsequent manifest updates.
By default, the list contains the digest of the key that was passed to the Contrast CLI on contrast generate via the --add-workload-owner-key flag.
If the flag wasn't used, the workload owner key was generated and stored in the workspace as workload-owner.pem.
The Coordinator uses this list to authenticate manifest updates submitted via contrast set.
If multiple workload owner keys are specified, any of the corresponding private keys can be used to set a new manifest.
If the manifest is generated with the --disable-updates flag, the WorkloadOwnerKeyDigests list is empty.
In this case, updates to the manifest are disabled and the deployment is immutable.
SeedshareOwnerKeys
Public keys of seed share owners. Used to authenticate user recovery and permission to handle the secret seed.
Setting a manifest where the WorkloadOwnerKeyDigests has been removed will render the deployment immutable.
Doing the same for the SeedshareOwnerKeys field makes Coordinator recovery and workload secret recovery impossible.
