RFE: SCM trust: SpireServer FDO Rendezvous + CaptivePortal

[mmaymann]

Roots of trust:

1. Manufacturer: This RFE = Spire (FDO)
2. SupplyChain: This RFE = Spire (FDO)
3. Network: Spire + SONiC (L2 security + agentless support)
4. Device: Spire + SONiC ((P)NAC/ACL)
5. User: Spire + KeyCloak + Biometric MFA Securitykey
6. Workload: Spire + KeyCloak
7. Data: Spire + KeyCloak

This RFE is regarding 1+2. SCM (SupplyChain&Manufacturer) based root of trust (A below):

A. XIoT onboarding:
-- Manufacturer produces device + forwards ownership to company using Fido Device Onboard (FDO) functionality in Spire Server
-- CaptivePortal Guest/MDM/BYOD registration (Port integration)
B. XIoT attestation: agentless EAP(oL) device (-> AP) -> SONiCSpireAgentEAP(L2) -> SpireServer -> SONiCSpireAgent(P)NAC/ACL
C. Company provisions validated devices to their desired state
D. Day2 operations (Realtime Spire Network+Device+User+Workload+Data attestation)

I have given my free OSS GoldenPath KubernetesNative version of a GitOps Zero-Conf|Trust|Touch XIoT management target architecture - directly from network devices.

Suggestions/enhancements would be highly appreciated :)

Thanks in advance :)

[amartinezfayo]

Thank you @mmaymann for filing this issue.
Similarly to #4281, I think that it would be great if we can discuss this request in the SIG-SPIRE meeting, where we can gather more context and discuss the request in detail.

[mmaymann]

@amartinezfayo awesome :)
Sounds really cool... I will be able to participate earliest 17.8 - I have added it to my calendar and will try to prepare a small presentation for that.
Thanks :)

[evan2645]

Related to: #4281

Closing this out until we have more time to discuss over video