...

This will be done on device reboot as well as at periodic intervals, to make sure the EVE node is not compromised.

...

Vault-related configuration is pushed along with the other config (by /api/v1/eddgedev/config) and parsed by zedagent. Zedagent interacts with the Vault Manager service to implement the file system encryption requirements. Any file system interaction needed to set up or unlock the vault directory is done by Vault Manager according to the security config received, after which it signals the other services that the vault directory is ready for use. Zedmanager synchronises with Vault Manager to make sure the Vault is ready before domain manager starts any edge container that needs it. Other services can listen to Vault Manager to perform any task they need to do on top of the Vault directory (currently only zedagent and zedmanager).

Presence or absence of the Vault configuration below implicitly drives creation and retention, or deletion, of the Vault.

...

UUID - Unique Id generated by EVC for the Vault

Version of the Configuration - For handling message schema changes in the future

Name - User-provided name string for the Vault

Vault Security Policy

The data handling policy defines the operational mode of the vault:

...

This challenges EVE to provide requested information that proves EVE's software and physical location states are untampered. On a successful response, further config updates will carry a Vault section with the appropriate Vault config, such as keys. On failing to provide a satisfactory response, EVC will not send the vault configuration to EVE, and will keep sending the Attestation Challenge in place of the Vault configuration. The Attestation Challenge can be:
a) PCR quote with nonce included

...
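The following is an added illustration of the attestation gate described above, not code from the EVE project: the EVC side checks a PCR quote against the nonce it sent and a known-good PCR digest, and answers with the vault config on success or another challenge on failure. The quote format, the shared-key HMAC standing in for the TPM attestation-key signature, and the single-UUID vault section are all constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Quote stands in for a TPM PCR quote; the MAC is a constructed stand-in for
// the attestation-key signature (HMAC over digest||nonce with a shared key).
type Quote struct {
	PCRDigest []byte // digest of the quoted PCR values
	Nonce     []byte // challenge nonce echoed back, proves freshness
	MAC       []byte
}

// Config carries the vault section (its UUID here) or a fresh challenge nonce.
type Config struct {
	VaultUUID      string
	ChallengeNonce []byte
}

func quoteMAC(key, digest, nonce []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(digest)
	m.Write(nonce)
	return m.Sum(nil)
}

// verifyQuote is the EVC-side check: nonce matches the challenge sent, PCR
// digest matches the known-good value, and the MAC is valid over both.
func verifyQuote(key, goodPCR, nonce []byte, q Quote) bool {
	if !bytes.Equal(q.Nonce, nonce) || !bytes.Equal(q.PCRDigest, goodPCR) {
		return false
	}
	return hmac.Equal(q.MAC, quoteMAC(key, q.PCRDigest, q.Nonce))
}

// nextConfig: vault config on a good quote, another challenge otherwise.
func nextConfig(key, goodPCR, nonce []byte, q Quote, vaultUUID string) Config {
	if verifyQuote(key, goodPCR, nonce, q) {
		return Config{VaultUUID: vaultUUID}
	}
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return Config{ChallengeNonce: n}
}
```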