feat: add TDX attestation support (#13)

Add optional Intel TDX configuration for quote verification. Creates
tdx-config ConfigMap when kbs.tdx.enabled is true. Disabled by default.

Signed-off-by: Beraldo Leal <[email protected]>

Author: beraldoleal

templates/kbs.yaml

@@ -18,8 +18,10 @@ spec:
   kbsResourcePolicyConfigMapName: resource-policy
 
   # TDX specific configuration (optional)
-  # tdxConfigSpec:
-  #   kbsTdxConfigMapName: tdx-config
+  {{- if .Values.kbs.tdx.enabled }}
+  tdxConfigSpec:
+    kbsTdxConfigMapName: tdx-config
+  {{- end }}
 
   # IBM SE specific configuration (optional)
   # ibmSEConfigSpec:

templates/tdx-config.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.kbs.tdx.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: tdx-config
+  namespace: trustee-operator-system
+data:
+  sgx_default_qcnl.conf: |
+    {
+      "collateral_service": "{{ .Values.kbs.tdx.collateralService }}"
+    }
+{{- end }}

values.yaml

@@ -27,3 +27,12 @@ kbs:
     #   key: "secret/data/hub/kbsres1"
     # - name: "passphrase"
     #   key: "secret/data/hub/passphrase"
+
+  # Intel TDX (Trust Domain Extensions) configuration
+  tdx:
+    # Enable TDX attestation support
+    enabled: false
+    # PCCS collateral service URL for quote verification
+    # For Azure: Use https://global.acccache.azure.net/sgx/certification/v4/
+    # For bare metal/Intel: Use https://api.trustedservices.intel.com/sgx/certification/v4/
+    collateralService: "https://api.trustedservices.intel.com/sgx/certification/v4/"