# Attestation server configuration
#
# Keys whose trailing comment says "required" or "empty = ..." must be
# reviewed per deployment; the values below are not a hardened profile.

[log]
format = "json" # json, text
level = "info" # debug, info, warn, error

[server]
# Loopback bind: change deliberately, since any non-loopback address
# exposes the listener to the network.
host = "127.0.0.1"
port = 8187

[paths]
# Absolute paths to local input documents.
build_info = "/etc/build-info.json"
endorsements = "/etc/endorsements.json"

[report.evidence]
nitronsm = false # at least one must be true; nitronsm and tdx exclude all others
nitrotpm = false
sevsnp = false
# SEV-SNP VMPL used for the report; 0 is the most privileged level.
# Presumably only read when sevsnp = true — confirm.
sevsnp_vmpl = 0
tdx = false

[tpm]
enabled = false
# sha1 is accepted but is a weak digest; prefer sha256 or stronger unless
# an older PCR bank leaves no choice.
algorithm = "sha384" # sha1, sha256, sha384, sha512

# NOTE(review): this table is defined after [tpm]; TOML discourages
# out-of-order tables — consider moving it directly under [report.evidence].
[report.user_data]
# The values of the listed variables become part of the report, so do not
# list variables that hold secrets.
env = [] # optional; environment variable names to include

[revocation]
# Disabling this accepts endorsement keys even after they have been revoked.
enabled = true # check TEE endorsement key CRLs; only fetches for enabled evidence types
refresh_interval = "12h" # how often to re-fetch CRLs in the background

[ratelimit]
# Off by default. Per the comment below the limit applies to edge requests
# only, so requests carrying a client cert or XFCC header are not limited.
enabled = false # rate-limit edge requests (no client cert / XFCC)
requests_per_second = 1 # per-IP rate
burst = 1 # burst allowance
stall_timeout = "10s" # max wait time before 429

[secure_boot]
# What "enforce = false" permits is not stated here — confirm against the
# server documentation before relying on secure-boot state in a verdict.
enforce = false

[endorsements]
# With both keys at their defaults, endorsement documents are fetched from
# whatever host the endorsement URL names, without DNSSEC validation. Set
# allowed_domains (and consider dnssec = true) in production.
dnssec = false # require DNSSEC validation for endorsement URL hosts
allowed_domains = [] # empty = unrestricted; non-empty = exact hostname match only

[endorsements.client]
timeout = "10s" # overall fetch timeout with retries

[endorsements.cosign]
# Turning this off removes the signature check on endorsement documents.
verify = true # verify cosign signatures on endorsement documents
url_suffix = ".sig" # suffix appended to endorsement URL to get signature bundle
# A disk cache is presumably trusted on the next start — restrict the
# directory to the server process if you set this.
tuf_cache_path = "" # empty = in-memory only; set writable path for disk cache

[endorsements.cosign.build_signer]
uri = "" # exact match override for BuildSignerURI OID (leave empty for BuildInfo match)
# Anchor the pattern (^...$) so it does not match a broader set of signers
# than intended.
uri_regex = "" # regex match override for BuildSignerURI OID (ignored if uri is set)

[http]
# When true, the proxy named by those env vars sees every outbound fetch,
# including endorsement and CRL traffic.
allow_proxy = false # honour HTTP_PROXY/HTTPS_PROXY/NO_PROXY env vars (off by default; needed in Nitro Enclaves with vsock-proxy)

[http.cache]
size = "100MiB" # max memory for shared HTTP fetch cache (endorsements + cosign signatures)
default_ttl = "1h" # default TTL when response has no Cache-Control header (capped at 24h)

[dependencies]
# URLs of dependency attestation servers whose reports are fetched,
# verified, and included in this server's response. HTTPS endpoints
# are verified against the private CA bundle (mTLS); HTTP endpoints
# must be proxied through a local mTLS-enabling proxy.
endpoints = []

[tls.public]
cert_path = ""
key_path = ""
# Never true outside local testing: it disables root-CA verification
# entirely. Whether this covers the listener, outbound fetches, or both is
# not stated here — confirm.
skip_verify = false # skip system/Mozilla root CA chain verification

[tls.private]
# Presumably the identity presented to dependency servers over mTLS
# (see [dependencies]) — confirm.
cert_path = ""
key_path = ""
ca_path = "" # required; PEM CA bundle — all private certs in the dependency chain must be issued by this CA