Add node ID in resource policy

.gitignore

@@ -1,6 +1,9 @@
 cache/
 coreos.key*
 fcos-cvm.tar*
+coreos/*.qcow2
 *.ign
 *.ociarchive
+secret
 tmp/
+trustee/keys

README.md

@@ -2,6 +2,11 @@
 
 Work in progress documents about Confidential Clusters.
 
+## Generate a key
+```bash
+ssh-keygen -f coreos.key
+```
+
 ## Start fcos VM
 ```bash
 scripts/install_vm.sh  -b config.bu -k "$(cat coreos.key.pub)"
@@ -12,7 +17,7 @@ scripts/install_vm.sh  -b config.bu -k "$(cat coreos.key.pub)"
 scripts/uninstall_vm.sh  -n <vm_name>"
 ```
 
-## Example with local VMs, attestation and disk encryption
+## Example with a local VM, attestation and disk encryption
 
 Currently, ignition does not support encrypting the disk using trustee (see this 
 [RFC](https://github.com/coreos/ignition/issues/2099) for more details). Therefore, we need to build a custom initramfs
@@ -27,25 +32,6 @@ just os=scos build oci-archive osbuild-qemu
 just build oci-archive osbuild-qemu
 ```
 
-In this example, we use 2 VMs, the first for running the trustee server while the second VM has been attested and its
-root disk is encrypted using the secret stored in Trustee.
-
-As already mentioned, the information are hardcoded in the initial script since we lack ignition support. Hence, if the
-entire setup feels rigid and manual, it will improve in the future with the ignition extension.
-
-Both VMs are created from the same image in order to retrieve the PCR registers from the TPM. This step and the VM can
-be avoided once we are able to pre-calculate the PCRs.
-
-The script `create_vms.sh`:
-  1. launches the first VM with Trustee
-  2. waits until Trustee is reachable at port `8080`
-  3. populates the KBS with the reference values, the attestation policy for register 4, 7, and 14, and the secret
-  4. creates the second VM which will perform the attestation in order to encrypt its root disk
-
-```bash
-scripts/create-vms.sh coreos.key.pub 
-```
-
 ### Create local Trustee deployment
 
 Generate the key pair for Trustee:
@@ -70,25 +56,5 @@ scripts/populate-local-kbs.sh
 You can now launch the VM by exposing the trustee IP (for example, using the IP of `virbr0`).
 ```bash
 export TRUSTEE_ADDR=192.168.122.1
-scripts/install_vm.sh  -k <KEY> -b configs/ak.bu  -i $(pwd)/coreos/fcos-qemu.x86_64.qcow2 -n <VM_NAME>
-```
-
-
-### Example with the Confidential Clusters operator and a local VM
-
-If you have deployed Confidential Clusters with Trustee, and its KBS and register server are available at ports `8080` and `8000`, and the VM PCR values are configured with Trustee, you can instead run
-
-```bash
-scripts/create-existing-trustee.sh coreos.key.pub
-```
-
-to only create the test VM, not the Trustee VM.
-This assumes that libvirt's bridge to connect to your host is `virbr0`.
-This bridge may not exist on your system yet, in which case you can simply run the script again.
-If you are using `firewalld`, this may require allowing the respective ports:
-
-```bash
-firewall-cmd --zone=libvirt --add-port=8080/tcp --permanent
-firewall-cmd --zone=libvirt --add-port=8000/tcp --permanent
-firewall-cmd --reload
+scripts/install_vm.sh -k coreos.key.pub -b configs/ak.bu -i $(pwd)/coreos/fcos-qemu.x86_64.qcow2 -n <VM_NAME>
 ```

configs/remote-ign/pin-trustee.bu

@@ -10,7 +10,12 @@ storage:
         custom:
           needs_network: true
           pin: trustee
-          config: '{"servers":[{"url":"http://<IP>:8080","cert":""}],"path":"default/machine/root"}'
+          config: >
+            {
+              "servers":[{"url":"http://<IP>:8080","cert":""}],
+              "path":"default/machine/root",
+              "initdata":"{\"uuid\":\"machine\"}"
+            }
       wipe_volume: true
   filesystems:
     - device: /dev/mapper/root