docs: add reference for the manifest

Author: katexochen

docs/docs/architecture/attestation/overview.md

@@ -39,26 +39,20 @@ This guarantees that the CVM launches in a well-defined state and enforces only
 
 The Coordinator runs inside a CVM and verifies attestation reports from other pods. It:
 
-- Checks launch measurements and initdata hashes against a trusted **manifest**
+- Checks attestation reports, including the initdata hash, against a trusted [manifest](../components/manifest.md)
 - Issues service mesh certificates to verified pods
-- Functions as the verifier for the full deployment
-
-<!-- TODO(burgerdev): below manifest information should go into a dedicated page -->
-
-The **manifest** is a JSON configuration that defines the trusted state of the deployment. It includes:
-
-- **ReferenceValues**: Expected CVM launch measurements
-- **Policies**: Hashes of permitted initdata documents
-- **WorkloadOwnerKeyDigests**: Public key digests used to authorize future manifest updates
-- **SeedshareOwnerPubKeys**: Used for securely recovering workload secrets and restoring trust
 
 Only pods whose attestation evidence matches the manifest are accepted into the trusted service mesh.
+The Coordinator is verifier for all workloads of a Contrast deployment and issues certificates as attestation result, is therefore the certificate authority for a deployment.
 
 The Contrast Coordinator itself also runs as a confidential pod and is attested using the Contrast CLI.
 The CLI includes embedded reference values for the Coordinator, allowing it to verify the Coordinator's identity and integrity during attestation.
 Because these reference values are part of the CLI build, the CLI effectively serves as the root of trust for the deployment.
 Verifying the CLI’s integrity and authenticity is therefore essential.
 
+The verification of the Coordinator by the CLI enables trust in the Coordinator to verify other workloads based on the manifest.
+The workloads are then _attested transitively_ through the Coordinator.
+
 ### Relying party: Operator and data owner
 
 The Contrast CLI is used by operators or data owners to verify the deployment and establish trust. It:

docs/docs/architecture/components/coordinator.md

@@ -12,22 +12,6 @@ As your app needs to scale, the Coordinator transparently verifies new instances
 To verify your deployment, the Coordinator's remote attestation statement combined with the manifest offers a concise single remote attestation statement for your entire deployment.
 A third party can use this to verify the integrity of your distributed app, making it easy to assure stakeholders of your app's identity and integrity.
 
-## The Manifest
-
-The manifest is the configuration file for the Coordinator, defining your confidential deployment.
-It's automatically generated from your deployment by the Contrast CLI.
-It currently consists of the following parts:
-
-<!-- TODO(burgerdev): explain manifest on separate page. -->
-
-- _Policies_: The identities of your Pods, represented by the hashes of their respective initdata documents.
-- _Reference Values_: The remote attestation reference values for the Kata confidential micro-VM that's the runtime environment of your Pods.
-- _WorkloadOwnerKeyDigest_: The workload owner's public key digest. Used for authenticating subsequent manifest updates.
-- _SeedshareOwnerKeys_: public keys of seed share owners. Used to authenticate user recovery and permission to handle the secret seed.
-
-Setting a manifest where the `WorkloadOwnerKeyDigest` has been removed will render the deployment [immutable](../../howto/immutable-deployments.md).
-Doing the same for the `SeedshareOwnerKeys` field makes Coordinator recovery and workload secret recovery impossible.
-
 ## Manifest history
 
 The Coordinator uses Kubernetes `ConfigMap`s to store the manifest history and associated initdata documents.

docs/docs/architecture/components/manifest.md

@@ -0,0 +1,250 @@
+# The manifest
+
+The manifest is the configuration file for the Coordinator, defining your confidential deployment.
+It's automatically generated from your deployment by the Contrast CLI and uses JSON format (`manifest.json`).
+
+## `Policies`
+
+The identities of your Pods, represented by the hashes of their respective initdata documents.
+
+### `Policies.*.SANs` {#policies-sans}
+
+The Coordinator will add the Subject Alternative Names (SANs) to the workload certificate for the workload with the respective policy hash after verification.
+Allowed values are:
+
+- IP addresses
+- URIs
+- DNS names
+
+By default, the Contrast CLI will add two SANs for each workload on generate: The pod name as DNS name under which the pod can be reached inside the cluster, and a wildcard DNS name `*` to allow the certificate to be used with any other hostname (for example an external load balancer).
+As DNS is untrusted in the context of Contrast, issuing a wildcard certificate won't weaken the security of your workload.
+
+To enable IP-based certificate verification, insert the desired IP address into the list of SANs.
+The change could look like this:
+
+```diff
+   "Policies": {
+     ...
+     "99dd77cbd7fe2c4e1f29511014c14054a21a376f7d58a48d50e9e036f4522f6b": {
+       "SANs": [
+         "web",
+-        "*"
++        "*",
++        "203.0.113.34"
+       ],
+     },
+```
+
+Some authentication and authorization schemes rely on URI SANs in X.509 certificates.
+For example, [SPIFFE IDs] are URIs and are often found as certificate SANs.
+The change to add such an URI SAN to the manifest could look like this:
+
+```diff
+   "Policies": {
+     ...
+     "99dd77cbd7fe2c4e1f29511014c14054a21a376f7d58a48d50e9e036f4522f6b": {
+       "SANs": [
+         "web",
+-        "*"
++        "*",
++        "spiffe://acme.com/billing/payments"
+       ],
+     },
+```
+
+[SPIFFE IDs]: https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-id
+
+### `Policies.*.WorkloadSecretID` {#policies-workload-secret-id}
+
+The `WorkloadSecretID` is used in addition to the secret seed to derive the workload secret.
+It's a non-interpreted string and defaults to the qualified Kubernetes resource name of the pod.
+As long as the `WorkloadSecretID` remains unchanged, the derived workload secret will remain stable across manifest updates and Coordinator recovery.
+
+See [Workload secrets](../secrets.md#workload-secrets) for more information.
+
+### `Policies.*.Role`
+
+Contrast role assigned to the workload.
+The only supported value is `coordinator`, which identifies the Coordinator within the manifest.
+Workloads don't set this field.
+
+## `ReferenceValues`
+
+The remote attestation reference values for the confidential micro-VM that's the runtime environment of your Pods.
+The reference values cover both the platform configuration as well as the guest TCB.
+They're independent from the workload executed inside the Contrast pod VM and only differ between platforms or Contrast versions.
+
+The reference values are grouped by confidential computing technology, there is a `snp` and a `tdx` section.
+Each of those sections contains a list of reference value sets.
+The Coordinator will accept a workload if its attestation report matches _any_ of the listed reverence value sets exactly.
+
+### `ReferenceValues.snp.*.ProductName` {#snp-product-name}
+
+The product name of your platform.
+`Milan` and `Genoa` are supported by Contrast.
+
+### `ReferenceValues.snp.*.TrustedMeasurement` {#snp-trusted-measurement}
+
+The `TrustedMeasurement` is a hash over the initial memory contents and state of the confidential VM.
+It covers the guest firmware, the initrd and kernel as well as the kernel command line.
+The kernel command line contains the dm-verity hash of the root filesystem, which contains all Contrast components that run inside the guest.
+
+It's the (launch) `MEASUREMENT` from the SNP `ATTESTATION_REPORT`, according to Table 23 in the [SEV ABI Spec].
+
+### `ReferenceValues.snp.*.MinimumTCB` {#snp-minimum-tcb}
+
+The `MinimumTCB` defines the minimum secure version numbers (SVNs) for the platform components.
+The Contrast Coordinator compares these value against both the `COMMITTED_TCB` and `LAUNCH_TCB`,
+where the `LAUNCH_TCB` is the TCB that was committed when the VM was first launched,
+and the `COMMITTED_TCB` is the TCB that's currently committed on the platform.
+Provisional firmware isn't considered, as it can be rolled back by a malicious platform operator at any time.
+
+AMD doesn't provide an accessible way to acquire the latest TCB values for your platform.
+Visit the [AMD SEV developer portal](https://www.amd.com/en/developer/sev.html) and download the latest firmware package for your processor family.
+Unpack and inspect the contained release notes, which state the SNP firmware SVN (called `SPL` (security patch level) in that document).
+Contact your hardware vendor or BIOS firmware provider for information about the other TCB components
+
+To check the current TCB level of your platform, use [`snphost`]:
+
+```sh
+snphost show tcb
+```
+```console
+Reported TCB: TCB Version:
+  Microcode:   72
+  SNP:         23
+  TEE:         0
+  Boot Loader: 9
+  FMC:         None
+Platform TCB: TCB Version:
+  Microcode:   72
+  SNP:         23
+  TEE:         0
+  Boot Loader: 9
+  FMC:         None
+```
+
+The values listed as `Reported TCB` to should be greater or equal to the `MinimumTCB` values in `manifest.json`.
+The `Platform TCB` can be higher than the `Reported TCB`, in this case, the platform has provisional firmware enrolled.
+Contrast relies on the committed TCB values, as provisional firmware can be rolled back anytime by the platform operator.
+
+:::warning
+
+The TCB values observed on the target platform using `snphost` might not be trustworthy.
+Your channel to the system or the system itself might be compromised.
+The deployed firmware could be outdated and vulnerable.
+
+:::
+
+#### `ReferenceValues.snp.*.MinimumTCB.BootloaderVersion`
+
+SVN of the bootloader of the secure processor.
+See [SEV ABI Spec], Section 2.2.
+
+#### `ReferenceValues.snp.*.MinimumTCB.TEEVersion`
+
+SVN of the OS of the secure processor.
+See [SEV ABI Spec], Section 2.2.
+
+#### `ReferenceValues.snp.*.MinimumTCB.SNPVersion`
+
+SVN of the SNP firmware.
+See [SEV ABI Spec], Section 2.2.
+
+#### `ReferenceValues.snp.*.MinimumTCB.MicrocodeVersion`
+
+SVN of the CPU microcode.
+See [SEV ABI Spec], Section 2.2.
+
+#### `ReferenceValues.snp.*.MinimumTCB.FMCVersion`
+
+Always `None` for Milan and Genoa platforms.
+
+### `ReferenceValues.snp.*.GuestPolicy` {#snp-guest-policy}
+
+This is the guest policy according to Section 4.3 of the [SEV ABI Spec].
+It's enforced during the launch of the confidential VM.
+
+The guest policy is currently static in Contrast, values can't be changed.
+
+#### `ReferenceValues.snp.*.GuestPolicy.ABIMinor`
+#### `ReferenceValues.snp.*.GuestPolicy.ABIMajor`
+#### `ReferenceValues.snp.*.GuestPolicy.SMT`
+#### `ReferenceValues.snp.*.GuestPolicy.MigrateMA`
+#### `ReferenceValues.snp.*.GuestPolicy.Debug`
+#### `ReferenceValues.snp.*.GuestPolicy.SingleSocket`
+#### `ReferenceValues.snp.*.GuestPolicy.CXLAllowed`
+#### `ReferenceValues.snp.*.GuestPolicy.MemAES256XTS`
+#### `ReferenceValues.snp.*.GuestPolicy.RAPLDis`
+#### `ReferenceValues.snp.*.GuestPolicy.CipherTextHidingDRAM`
+#### `ReferenceValues.snp.*.GuestPolicy.PageSwapDisable`
+
+### `ReferenceValues.snp.*.PlatformInfo` {#snp-platform-info}
+
+The `PLATFORM_INFO` structure according to Table 24 in the [SEV ABI Spec].
+
+This has some overlap with the `GuestPolicy`, but is checked as part of the attestation report.
+
+#### `ReferenceValues.snp.*.PlatformInfo.SMTEnabled`
+#### `ReferenceValues.snp.*.PlatformInfo.TSMEEnabled`
+#### `ReferenceValues.snp.*.PlatformInfo.ECCEnabled`
+#### `ReferenceValues.snp.*.PlatformInfo.RAPLDisabled`
+#### `ReferenceValues.snp.*.PlatformInfo.CiphertextHidingDRAMEnabled`
+#### `ReferenceValues.snp.*.PlatformInfo.AliasCheckComplete`
+#### `ReferenceValues.snp.*.PlatformInfo.TIOEnabled`
+
+### `ReferenceValues.tdx.*.MrTd` {#tdx-mr-td}
+
+### `ReferenceValues.tdx.*.MrSeam` {#tdx-mr-seam}
+
+`MrSeam` is the SHA384 hash of the TDX module.
+You should retrieve the TDX module via a trustworthy channel from Intel, for example by downloading the TDX module from [Intel's GitHub repository] and hashing the module on a trusted machine.
+You can also reproduce the release artifact by following the build instructions linked in the release notes.
+
+You can check the hash of the in-use TDX module by executing
+
+```sh
+sha384sum /boot/efi/EFI/TDX/TDX-SEAM.so | cut -d' ' -f1
+```
+
+:::warning
+
+The TDX module hash (`MrSeam`) observed on the target platform might not be trustworthy.
+Your channel to the system or the system itself might be compromised.
+Make sure to retrieve or reproduce the value on a trusted machine.
+
+:::
+
+[Intel's GitHub repository]: https://github.com/intel/confidential-computing.tdx.tdx-module/releases
+
+### `ReferenceValues.tdx.*.Rtmrs[4]` {#tdx-rtmrs}
+
+### `ReferenceValues.tdx.*.TdAttributes` {#tdx-td-attributes}
+
+### `ReferenceValues.tdx.*.Xfam` {#tdx-xfam}
+
+
+## `WorkloadOwnerKeyDigests` {#workload-owner-key-digests}
+
+A list of workload owner public key digests.
+Used for authenticating subsequent manifest updates.
+
+By default, the list contains the digest of the key that was passed to the Contrast CLI on `contrast generate` via the `--add-workload-owner-key` flag.
+If the flag wasn't used, the workload owner key was generated and stored in the workspace as `workload-owner.pem`.
+
+The Coordinator uses this list to authenticate manifest updates submitted via `contrast set`.
+If multiple workload owner keys are specified, any of the corresponding private keys can be used to set a new manifest.
+
+If the manifest is generated with the `--disable-updates` flag, the `WorkloadOwnerKeyDigests` list is empty.
+In this case, updates to the manifest are disabled and the [deployment is immutable](../../howto/immutable-deployments.md).
+
+## `SeedshareOwnerKeys` {#seedshare-owner-keys}
+
+Public keys of seed share owners.
+Used to authenticate user recovery and permission to handle the secret seed.
+
+Setting a manifest where the `WorkloadOwnerKeyDigests` has been removed will render the deployment [immutable](../../howto/immutable-deployments.md).
+Doing the same for the `SeedshareOwnerKeys` field makes Coordinator recovery and workload secret recovery impossible.
+
+[`snphost`]: https://github.com/virtee/snphost
+[SEV ABI Spec]: https://www.amd.com/content/dam/amd/en/documents/developer/56860.pdf

docs/docs/architecture/secrets.md

@@ -17,7 +17,7 @@ The secret seed and the seed share owner key are highly sensitive.
 
 :::
 
-## Workload Secrets
+## Workload secrets
 
 The Coordinator provides each workload a secret seed during attestation.
 This secret can be used by the workload to derive additional secrets for example to encrypt persistent data.
@@ -95,7 +95,7 @@ In addition to the workload secrets provisioned by the initializer, Contrast wor
 The corresponding HTTP API is compatible with a subset of the [transit secrets API](https://openbao.org/api-docs/secret/transit/) used by [HashiCorp Vault](https://www.hashicorp.com/en/products/vault), and is served on Coordinator port 8200.
 Its primary use case is [auto-unsealing of Vault deployments](../howto/vault.md), which can in turn provide fine-grained secrets management to Contrast workloads.
 
-Workloads can only access the encryption key with the same name as their `workloadSecretID`.
+Workloads can only access the encryption key with the same name as their `WorkloadSecretID`.
 For example, if the workload secret ID in the manifest is `my-secret-id`, they can use the endpoints `/v1/transit/encrypt/my-secret-id` and `/v1/transit/decrypt/my-secret-id`.
 Like the workload secret, the encryption key is stable across manifest updates and subject to the same limitations.
 

docs/docs/getting-started/deployment.md

@@ -464,8 +464,6 @@ Using `openssl`, the certificate of the service can be validated with the `mesh-
 openssl s_client -CAfile verify/mesh-ca.pem -verify_return_error -connect ${frontendIP}:443 < /dev/null
 ```
 
-<!-- TODO(burgerdev): this should be split into an explanatory section in a manifest.md (yet to be written) and a how-to. -->
-
 ## Optional: Updating the certificate SAN and the manifest
 
 By default, mesh certificates are issued with a wildcard DNS Subject Alternative Name (SAN).
@@ -494,32 +492,10 @@ Add the `frontendIP` to the list of SANs:
 +        "*",
 +        "203.0.113.34"
        ],
-       "WorkloadSecretID": "web"
-     },
-```
-
-### Adding a URI SAN to the manifest
-
-Some authentication and authorization schemes rely on URI SANs in X.509 certificates.
-For example, [SPIFFE IDs] are URIs and are often found as certificate SANs.
-The Contrast Coordinator automatically identifies URI SANs in the manifest and adds them to the workload certificates.
-Add the URI to the list of SANs in the relevant manifest entry:
-
-```diff
-   "Policies": {
-     ...
-     "99dd77cbd7fe2c4e1f29511014c14054a21a376f7d58a48d50e9e036f4522f6b": {
-       "SANs": [
-         "web",
--        "*"
-+        "*",
-+        "spiffe://acme.com/billing/payments"
-       ],
-       "WorkloadSecretID": "web"
      },
 ```
 
-[SPIFFE IDs]: https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-id
+To find out more about the `SANs` field in the manifest, see [SANs section in the manifest reference](../architecture/components/manifest.md#policies-sans).
 
 ### Updating the manifest on the coordinator
 

docs/docs/howto/vault.md

@@ -58,9 +58,9 @@ For the Vault application, this process is entirely transparent, and the device
 The LUKS encryption of the block device is primarily a convenience feature, enabling persistent storage at the filesystem level on confidential virtual machines.
 The primary and security-relevant encryption mechanism remains Vault’s own sealing process, which provides cryptographic protection of secrets even if the underlying storage is compromised.
 
-Because the `workload-secret-seed` is derived from the associated `workloadSecretID`, any change to the `workloadSecretID` after the block device has been initialized will result in a different key, making the mounted block device undecryptable.
-Therefore, it's critical to ensure that the `workloadSecretID` is correctly aligned with the intended endpoint specified in Vault’s unsealing configuration before the first `contrast set` is executed.
-In this example, the `workloadSecretID` is set to `vault_unsealing` with an annotation:
+Because the `workload-secret-seed` is derived from the [associated `WorkloadSecretID`](../architecture/components/manifest.md#policies-workload-secret-id), any change to the `WorkloadSecretID` after the block device has been initialized will result in a different key, making the mounted block device undecryptable.
+Therefore, it's critical to ensure that the `WorkloadSecretID` is correctly aligned with the intended endpoint specified in Vault’s unsealing configuration before the first `contrast set` is executed.
+In this example, the `WorkloadSecretID` is set to `vault_unsealing` with an annotation:
 
 ```yaml
 spec:
@@ -109,6 +109,7 @@ kubectl get service vault -o=jsonpath='{.status.loadBalancer.ingress[0].ip}'
 
 If you added SANs in the previous step, these will also be included in the certificate.
 In that case, you can configure your DNS service to resolve the additional SAN to the load balancer IP.
+See the section on [SANs in the manifest reference](../architecture/components/manifest.md#policies-sans) for more information.
 
 Alternatively, configure the system from which you access Vault to resolve `vault` to the load balancer IP.
 On Linux, you can modify `/etc/hosts` for this.