Initial commit on c10s

Resolves: RHEL-143742

.gitignore

@@ -0,0 +1,3 @@
+/guest-components-0.15.0.tar.gz
+/trustee-0.15.0-vendor.tar.zstd
+/v0.15.0.tar.gz

0001-restrict-workspace-members-to-kbs-only.patch

@@ -0,0 +1,34 @@
+From bc49af2607aee4db40607e77f98b5fa28b4db23e Mon Sep 17 00:00:00 2001
+From: Cropi <alakatos@redhat.com>
+Date: Wed, 21 Jan 2026 09:48:10 +0100
+Subject: [PATCH] restrict workspace members to kbs only
+
+Remove 'attestation-service', 'rvps', and other members from the cargo
+workspace members list. This change ensures that only the 'kbs'
+component is built, significantly lowering the build footprint by
+excluding the Attestation Service (AS) and Reference Value Provider
+Service (RVPS).
+---
+ Cargo.toml | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index 7cb93b6..31b3e75 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -1,12 +1,6 @@
+ [workspace]
+ members = [
+     "kbs",
+-    "attestation-service",
+-    "rvps",
+-    "tools/kbs-client",
+-    "deps/verifier",
+-    "deps/eventlog",
+-    "integration-tests",
+ ]
+ resolver = "2"
+ 
+-- 
+2.52.0
+

0002-kbs-remove-built-in-attestation-service-for-lightwei.patch

@@ -0,0 +1,74 @@
+From 63be56912a93fc358b6d6d4d3981434d7882141c Mon Sep 17 00:00:00 2001
+From: Cropi <alakatos@redhat.com>
+Date: Wed, 21 Jan 2026 10:04:09 +0100
+Subject: [PATCH] kbs: remove built-in attestation-service for lightweight
+ broker mode
+
+Decouple the compiled KBS binary from the internal 'attestation-service'
+crate. This includes:
+- Updating 'coco-as-builtin' feature to exclude
+  'attestation-service/default'.
+- Removing architecture-specific 'attestation-service' dependencies
+  (all-verifier, se-verifier, cca-verifier) from Cargo.toml.
+
+This enables a "pure broker" build configuration where the KBS acts
+solely as a resource and secret broker, relying on external entity
+tokens (e.g. from Keylime) rather than verifying hardware evidence
+internally.
+---
+ kbs/Cargo.toml | 18 ++----------------
+ 1 file changed, 2 insertions(+), 16 deletions(-)
+
+diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml
+index 7f2dc8b..10c5809 100644
+--- a/kbs/Cargo.toml
++++ b/kbs/Cargo.toml
+@@ -7,7 +7,7 @@ documentation.workspace = true
+ edition.workspace = true
+ 
+ [features]
+-default = ["coco-as-builtin", "coco-as-grpc", "intel-trust-authority-as"]
++default = []
+ 
+ # Support a backend attestation service for KBS
+ as = []
+@@ -16,7 +16,7 @@ as = []
+ coco-as = ["as"]
+ 
+ # Use built-in CoCo-AS as backend attestation service
+-coco-as-builtin = ["coco-as", "attestation-service/default"]
++coco-as-builtin = ["coco-as"]
+ 
+ # Use built-in CoCo-AS as backend attestation service without verifier
+ coco-as-builtin-no-verifier = ["coco-as"]
+@@ -89,27 +89,13 @@ az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true }
+ derivative = "2.2.0"
+ vaultrs = { version = "0.7.4", optional = true }
+ 
+-[target.'cfg(not(any(target_arch = "s390x", target_arch = "aarch64")))'.dependencies]
+-attestation-service = { path = "../attestation-service", default-features = false, features = [
+-    "all-verifier",
+-], optional = true }
+ 
+-[target.'cfg(target_arch = "s390x")'.dependencies]
+-attestation-service = { path = "../attestation-service", default-features = false, features = [
+-    "se-verifier",
+-], optional = true }
+-
+-[target.'cfg(target_arch = "aarch64")'.dependencies]
+-attestation-service = { path = "../attestation-service", default-features = false, features = [
+-    "cca-verifier",
+-], optional = true }
+ 
+ 
+ [dev-dependencies]
+ josekit = "0.10.3"
+ tempfile.workspace = true
+ rstest.workspace = true
+-reference-value-provider-service.path = "../rvps"
+ serial_test = "3.0"
+ toml = "0.9"
+ 
+-- 
+2.52.0
+

0003-kbs-replace-concat-kdf-dependency-with-internal-impl.patch

@@ -0,0 +1,105 @@
+From 933b57d8e8915280d671e4796c8919a06bcbb2fb Mon Sep 17 00:00:00 2001
+From: Cropi <alakatos@redhat.com>
+Date: Wed, 21 Jan 2026 11:00:08 +0100
+Subject: [PATCH] kbs: replace concat-kdf dependency with internal
+ implementation
+
+Remove the 'concat-kdf' crate dependency and replace it with a local
+implementation of the Single-Step Concatenation Key Derivation Function
+(Concat KDF), using standard 'openssl' primitives.
+
+This change reduces the external dependency footprint while maintaining
+compatibility with the algorithm used by other guest components (based
+on NIST SP 800-56A).
+Inspired by attestation-agent/deps/crypto/src/native/ec.rs
+---
+ kbs/Cargo.toml |  1 -
+ kbs/src/jwe.rs | 46 +++++++++++++++++++++++++++++++++-------------
+ 2 files changed, 33 insertions(+), 14 deletions(-)
+
+diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml
+index 52968e2..1bd4adf 100644
+--- a/kbs/Cargo.toml
++++ b/kbs/Cargo.toml
+@@ -52,7 +52,6 @@ base64.workspace = true
+ cfg-if.workspace = true
+ clap = { workspace = true, features = ["derive", "env"] }
+ config.workspace = true
+-concat-kdf = "0.1.0"
+ cryptoki = { version = "0.10.0", optional = true }
+ env_logger.workspace = true
+ hex.workspace = true
+diff --git a/kbs/src/jwe.rs b/kbs/src/jwe.rs
+index 27b4863..6eb25a2 100644
+--- a/kbs/src/jwe.rs
++++ b/kbs/src/jwe.rs
+@@ -19,6 +19,7 @@ use p256::{
+ use rand::{rngs::OsRng, Rng};
+ use rsa::{sha2::Sha256, BigUint, Oaep, Pkcs1v15Encrypt, RsaPublicKey};
+ use serde_json::{json, Map};
++use openssl::hash::{Hasher, MessageDigest};
+ 
+ /// RSA PKCS#1 v1.5
+ const RSA1_5_ALGORITHM: &str = "RSA1_5";
+@@ -41,6 +42,36 @@ const AES_GCM_256_ALGORITHM: &str = "A256GCM";
+ /// AES 256 GCM Key length in bits
+ const AES_GCM_256_KEY_BITS: u32 = 256;
+ 
++// Concat KDF as per NIST SP 800-56A
++// Based on the implementation from attestation-agent/deps/crypto/src/native/ec.rs
++fn concat_kdf(alg: &str, target_length: usize, z: &[u8]) -> Result<Vec<u8>> {
++    let target_length_bytes = ((target_length * 8) as u32).to_be_bytes();
++    let alg_len_bytes = (alg.len() as u32).to_be_bytes();
++
++    let mut output = Vec::new();
++    let md = MessageDigest::sha256();
++    let count = target_length.div_ceil(md.size());
++    for i in 0..count {
++        let mut hasher = Hasher::new(md)?;
++        hasher.update(&((i + 1) as u32).to_be_bytes())?;
++        hasher.update(z)?;
++        hasher.update(&alg_len_bytes)?;
++        hasher.update(alg.as_bytes())?;
++        hasher.update(&0_u32.to_be_bytes())?;
++        hasher.update(&0_u32.to_be_bytes())?;
++        hasher.update(&target_length_bytes)?;
++
++        let digest = hasher.finish()?;
++        output.extend(digest.to_vec());
++    }
++
++    if output.len() > target_length {
++        output.truncate(target_length);
++    }
++
++    Ok(output)
++}
++
+ /// Use RSAv1.5 to encrypt the payload data.
+ /// Warning: This algorithm is deprecated per
+ /// <https://www.ietf.org/archive/id/draft-madden-jose-deprecate-none-rsa15-00.html#section-1.2>
+@@ -167,19 +198,8 @@ fn ecdh_es_a256kw_p256(x: String, y: String, mut payload_data: Vec<u8>) -> Resul
+         .diffie_hellman(&public_key)
+         .raw_secret_bytes()
+         .to_vec();
+-    let mut key_derivation_materials = Vec::new();
+-    key_derivation_materials.extend_from_slice(&(ECDH_ES_A256KW.len() as u32).to_be_bytes());
+-    key_derivation_materials.extend_from_slice(ECDH_ES_A256KW.as_bytes());
+-    key_derivation_materials.extend_from_slice(&(0_u32).to_be_bytes());
+-    key_derivation_materials.extend_from_slice(&(0_u32).to_be_bytes());
+-    key_derivation_materials.extend_from_slice(&AES_GCM_256_KEY_BITS.to_be_bytes());
+-    let mut wrapping_key = vec![0; 32];
+-    concat_kdf::derive_key_into::<rsa::sha2::Sha256>(
+-        &z,
+-        &key_derivation_materials,
+-        &mut wrapping_key,
+-    )
+-    .map_err(|e| anyhow!("failed to do concat KDF: {e:?}"))?;
++    
++    let wrapping_key = concat_kdf(ECDH_ES_A256KW, 32, &z).context("failed to do concat KDF")?;
+     let wrapping_key: [u8; 32] = wrapping_key
+         .try_into()
+         .map_err(|_| anyhow!("invalid bytes length of AES wrapping key"))?;
+-- 
+2.52.0
+

0004-Refactor-kbs-replace-jwt-simple-with-jsonwebtoken-in.patch

@@ -0,0 +1,129 @@
+From 1e9b52cdb513ed5d9b72f1babf3de860f6a30168 Mon Sep 17 00:00:00 2001
+From: Cropi <alakatos@redhat.com>
+Date: Wed, 21 Jan 2026 12:19:54 +0100
+Subject: [PATCH] Refactor(kbs): replace jwt-simple with jsonwebtoken in Admin
+ API
+
+Migrate the KBS Admin API authentication from `jwt-simple` to the
+`jsonwebtoken` library to reduce dependency burden.
+
+Changes details:
+- kbs/admin: Refactor `Admin` struct to store `DecodingKey` instead of
+  `Ed25519PublicKey`.
+- kbs/admin: Update validation logic to use `jsonwebtoken::decode` with
+  EdDSA algorithm validation.
+- kbs/admin: Update error handling to wrap `jsonwebtoken` errors.
+- kbs/Cargo.toml: Remove `jwt-simple` dependency.
+- Cargo.toml: Remove `jwt-simple` from workspace dependencies.
+
+Note: The `kbs-client` tool, which still depends on `jwt-simple`, is
+currently excluded from the workspace `members` list. If we ever decide
+to ship that as well we need to do additional work.
+
+THIS PATCH COULD BE UPSTREAMED
+---
+ Cargo.toml             |  3 ---
+ kbs/Cargo.toml         |  2 +-
+ kbs/src/admin/error.rs |  4 ++--
+ kbs/src/admin/mod.rs   | 16 +++++++---------
+ 4 files changed, 10 insertions(+), 15 deletions(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index 31b3e75..d76a061 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -26,9 +26,6 @@ config = "0.14.1"
+ ear = "0.3.0"
+ env_logger = "0.10.0"
+ hex = "0.4.3"
+-jwt-simple = { version = "0.12", default-features = false, features = [
+-    "pure-rust",
+-] }
+ kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev = "c35306f", default-features = false }
+ # TODO: Change this to kbs-types release
+ kbs-types = { "git" = "https://github.com/virtee/kbs-types.git", rev = "e3cc706" }
+diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml
+index 1bd4adf..93a8061 100644
+--- a/kbs/Cargo.toml
++++ b/kbs/Cargo.toml
+@@ -56,7 +56,7 @@ cryptoki = { version = "0.10.0", optional = true }
+ env_logger.workspace = true
+ hex.workspace = true
+ jsonwebtoken = { workspace = true, default-features = false }
+-jwt-simple.workspace = true
++
+ kbs-types.workspace = true
+ kms = { workspace = true, default-features = false }
+ lazy_static.workspace = true
+diff --git a/kbs/src/admin/error.rs b/kbs/src/admin/error.rs
+index 2c21f63..440851e 100644
+--- a/kbs/src/admin/error.rs
++++ b/kbs/src/admin/error.rs
+@@ -13,14 +13,14 @@ pub enum Error {
+     #[error("Admin Token verification failed")]
+     JwtVerificationFailed {
+         #[source]
+-        source: jwt_simple::Error,
++        source: jsonwebtoken::errors::Error,
+     },
+ 
+     #[error("`auth_public_key` is not set in the config file")]
+     NoPublicKeyGiven,
+ 
+     #[error("Failed to parse admin public key")]
+-    ParsePublicKey(#[from] jwt_simple::Error),
++    ParsePublicKey(#[from] jsonwebtoken::errors::Error),
+ 
+     #[error("Failed to parse HTTP Auth Bearer header")]
+     ParseAuthHeaderFailed(#[from] actix_web::error::ParseError),
+diff --git a/kbs/src/admin/mod.rs b/kbs/src/admin/mod.rs
+index f5a376a..cda7675 100644
+--- a/kbs/src/admin/mod.rs
++++ b/kbs/src/admin/mod.rs
+@@ -5,11 +5,8 @@
+ use actix_web::{http::header::Header, HttpRequest};
+ use actix_web_httpauth::headers::authorization::{Authorization, Bearer};
+ use config::AdminConfig;
+-use jwt_simple::{
+-    claims::NoCustomClaims,
+-    common::VerificationOptions,
+-    prelude::{Ed25519PublicKey, EdDSAPublicKeyLike},
+-};
++use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
++use serde_json::Value;
+ 
+ pub mod config;
+ pub mod error;
+@@ -18,7 +15,7 @@ use log::warn;
+ 
+ #[derive(Default, Clone)]
+ pub struct Admin {
+-    public_key: Option<Ed25519PublicKey>,
++    public_key: Option<DecodingKey>,
+ }
+ 
+ impl TryFrom<AdminConfig> for Admin {
+@@ -32,7 +29,7 @@ impl TryFrom<AdminConfig> for Admin {
+ 
+         let key_path = value.auth_public_key.ok_or(Error::NoPublicKeyGiven)?;
+         let user_public_key_pem = std::fs::read_to_string(key_path)?;
+-        let key = Ed25519PublicKey::from_pem(&user_public_key_pem)?;
++        let key = DecodingKey::from_ed_pem(user_public_key_pem.as_bytes())?;
+         Ok(Self {
+             public_key: Some(key),
+         })
+@@ -49,8 +46,9 @@ impl Admin {
+ 
+         let token = bearer.token();
+ 
+-        let _claims = public_key
+-            .verify_token::<NoCustomClaims>(token, Some(VerificationOptions::default()))
++        let validation = Validation::new(Algorithm::EdDSA);
++
++        let _claims = decode::<Value>(token, public_key, &validation)
+             .map_err(|e| Error::JwtVerificationFailed { source: e })?;
+ 
+         Ok(())
+-- 
+2.52.0
+

0005-Refactor-deps-align-crate-versions-with-Fedora-upstr.patch

@@ -0,0 +1,67 @@
+From 16cdfdd0ee8131b22b3631c5dbcdcdfcfd384d47 Mon Sep 17 00:00:00 2001
+From: Cropi <alakatos@redhat.com>
+Date: Wed, 21 Jan 2026 13:56:36 +0100
+Subject: [PATCH] Refactor(deps): align crate versions with Fedora upstream
+
+Update and adjust project dependencies to match versions currently
+available in Fedora packages.
+
+Depedency changes:
+- Update `config` to 0.15.13
+- Update `rstest` to 0.26
+- Set `josekit` to 0.7
+- Remove `serde_qs` dependency
+---
+ Cargo.toml     | 5 ++---
+ kbs/Cargo.toml | 3 +--
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index d76a061..fdd0e78 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -22,7 +22,7 @@ byteorder = "1.5.0"
+ cfg-if = "1.0.0"
+ chrono = "0.4.41"
+ clap = { version = "4", features = ["derive"] }
+-config = "0.14.1"
++config = "0.15.13"
+ ear = "0.3.0"
+ env_logger = "0.10.0"
+ hex = "0.4.3"
+@@ -45,10 +45,9 @@ regorus = { version = "0.2.6", default-features = false, features = [
+ reqwest = { version = "0.12", default-features = false, features = [
+     "default-tls",
+ ] }
+-rstest = "0.18.1"
++rstest = "0.26"
+ serde = { version = "1.0", features = ["derive"] }
+ serde_json = "1.0.143"
+-serde_qs = "0.13.0"
+ serde_with = { version = "3.14.0", features = ["base64", "hex"] }
+ serial_test = { version = "3.2.0", features = ["async"] }
+ sha2 = "0.10"
+diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml
+index db3d892..3fd8963 100644
+--- a/kbs/Cargo.toml
++++ b/kbs/Cargo.toml
+@@ -71,7 +71,6 @@ regorus.workspace = true
+ reqwest = { workspace = true, features = ["json"] }
+ rsa = { version = "0.9.2", features = ["sha2"] }
+ scc = "2"
+-serde_qs.workspace = true
+ semver = "1.0.16"
+ serde = { workspace = true, features = ["derive"] }
+ serde_json.workspace = true
+@@ -92,7 +91,7 @@ vaultrs = { version = "0.7.4", optional = true }
+ 
+ 
+ [dev-dependencies]
+-josekit = "0.10.3"
++josekit = "0.7"
+ tempfile.workspace = true
+ rstest.workspace = true
+ serial_test = "3.0"
+-- 
+2.52.0
+

0006-replace-derivative-with-educe-for-debug-derivation.patch

@@ -0,0 +1,159 @@
+From 23536a5aa38d1197ac554f7cfedd31e4d5138223 Mon Sep 17 00:00:00 2001
+From: Cropi <alakatos@redhat.com>
+Date: Wed, 21 Jan 2026 14:05:45 +0100
+Subject: [PATCH] replace derivative with educe for debug derivation
+
+Although we are not using plugins in the current kbs, this patch can
+come handy in case we decide to do so in the future.
+
+Replace the `derivative` crate with `educe` to manage Debug
+implementations where sensitive fields need to be ignored (e.g. API
+keys, passwords, tokens).  `educe` is a lighter and more maintained
+alternative that is often available in system repositories (like
+Fedora).
+
+Refactored components:
+- Intel Trust Authority (Attestation)
+- PKCS#11 plugin
+- Aliyun KMS plugin
+- Vault KV plugin
+---
+ kbs/Cargo.toml                                         |  1 -
+ kbs/src/attestation/intel_trust_authority/mod.rs       |  8 ++++----
+ kbs/src/plugins/implementations/pkcs11.rs              |  8 ++++----
+ kbs/src/plugins/implementations/resource/aliyun_kms.rs | 10 +++++-----
+ kbs/src/plugins/implementations/resource/vault_kv.rs   |  8 ++++----
+ 5 files changed, 17 insertions(+), 18 deletions(-)
+
+diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml
+index 3fd8963..653c759 100644
+--- a/kbs/Cargo.toml
++++ b/kbs/Cargo.toml
+@@ -84,7 +84,6 @@ tonic = { workspace = true, optional = true }
+ uuid = { version = "1.18.0", features = ["serde", "v4"] }
+ openssl.workspace = true
+ az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true }
+-derivative = "2.2.0"
+ vaultrs = { version = "0.7.4", optional = true }
+ 
+ 
+diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs
+index 58c63b2..45565da 100644
+--- a/kbs/src/attestation/intel_trust_authority/mod.rs
++++ b/kbs/src/attestation/intel_trust_authority/mod.rs
+@@ -10,7 +10,7 @@ use anyhow::*;
+ use async_trait::async_trait;
+ use az_cvm_vtpm::hcl::HclReport;
+ use base64::{engine::general_purpose::STANDARD, Engine};
+-use derivative::Derivative;
++use educe::Educe;
+ use kbs_types::{Challenge, HashAlgorithm, Tee};
+ use reqwest::header::{ACCEPT, CONTENT_TYPE, USER_AGENT};
+ use serde::{Deserialize, Serialize};
+@@ -83,11 +83,11 @@ struct ErrorResponse {
+     error: String,
+ }
+ 
+-#[derive(Clone, Derivative, Deserialize, PartialEq, Default)]
+-#[derivative(Debug)]
++[derive(Clone, Educe, Deserialize, PartialEq, Default)]
++#[educe(Debug)]
+ pub struct IntelTrustAuthorityConfig {
+     pub base_url: String,
+-    #[derivative(Debug = "ignore")]
++    #[educe(Debug(ignore))]
+     pub api_key: String,
+     pub certs_file: String,
+     pub allow_unmatched_policy: Option<bool>,
+diff --git a/kbs/src/plugins/implementations/pkcs11.rs b/kbs/src/plugins/implementations/pkcs11.rs
+index d562cbd..0c31f8e 100644
+--- a/kbs/src/plugins/implementations/pkcs11.rs
++++ b/kbs/src/plugins/implementations/pkcs11.rs
+@@ -12,7 +12,7 @@ use cryptoki::{
+     session::{Session, UserType},
+     types::AuthPin,
+ };
+-use derivative::Derivative;
++use educe::Educe;
+ use serde::Deserialize;
+ use std::{path::PathBuf, sync::Arc};
+ use tokio::sync::Mutex;
+@@ -20,8 +20,8 @@ use uuid::Uuid;
+ 
+ use super::super::plugin_manager::ClientPlugin;
+ 
+-#[derive(Derivative, Deserialize, Clone, PartialEq)]
+-#[derivative(Debug)]
++#[derive(Educe, Deserialize, Clone, PartialEq, Default)]
++#[educe(Debug)]
+ pub struct Pkcs11Config {
+     /// Path to the PKCS11 module.
+     module: PathBuf,
+@@ -31,7 +31,7 @@ pub struct Pkcs11Config {
+     slot_index: u8,
+ 
+     /// The user pin for authenticating the session.
+-    #[derivative(Debug = "ignore")]
++    #[educe(Debug(ignore))]
+     pin: String,
+ }
+ 
+diff --git a/kbs/src/plugins/implementations/resource/aliyun_kms.rs b/kbs/src/plugins/implementations/resource/aliyun_kms.rs
+index 8521236..b029bf6 100644
+--- a/kbs/src/plugins/implementations/resource/aliyun_kms.rs
++++ b/kbs/src/plugins/implementations/resource/aliyun_kms.rs
+@@ -4,18 +4,18 @@
+ 
+ use super::backend::{ResourceDesc, StorageBackend};
+ use anyhow::{Context, Result};
+-use derivative::Derivative;
++use educe::Educe;
+ use kms::{plugins::aliyun::AliyunKmsClient, Annotations, Getter};
+ use log::info;
+ use serde::Deserialize;
+ 
+-#[derive(Derivative, Deserialize, Clone, PartialEq)]
+-#[derivative(Debug)]
++#[derive(Educe, Deserialize, Clone, PartialEq)]
++#[educe(Debug)]
+ pub struct AliyunKmsBackendConfig {
+-    #[derivative(Debug = "ignore")]
++    #[educe(Debug(ignore))]
+     client_key: String,
+     kms_instance_id: String,
+-    #[derivative(Debug = "ignore")]
++    #[educe(Debug(ignore))]
+     password: String,
+     cert_pem: String,
+ }
+diff --git a/kbs/src/plugins/implementations/resource/vault_kv.rs b/kbs/src/plugins/implementations/resource/vault_kv.rs
+index ed7733f..812ef98 100644
+--- a/kbs/src/plugins/implementations/resource/vault_kv.rs
++++ b/kbs/src/plugins/implementations/resource/vault_kv.rs
+@@ -4,7 +4,7 @@
+ 
+ use super::backend::{ResourceDesc, StorageBackend};
+ use anyhow::{Context, Result};
+-use derivative::Derivative;
++use educe::Educe;
+ use log::info;
+ use serde::Deserialize;
+ use std::collections::HashMap;
+@@ -28,11 +28,11 @@ pub enum VaultError {
+     VaultApiError { path: String, source: anyhow::Error },
+ }
+ 
+-#[derive(Derivative, Deserialize, Clone, PartialEq)]
+-#[derivative(Debug)]
++#[derive(Educe, Deserialize, Clone, PartialEq)]
++#[educe(Debug)]
+ pub struct VaultKvBackendConfig {
+     pub vault_url: String,
+-    #[derivative(Debug = "ignore")]
++    #[educe(Debug(ignore))]
+     pub token: String,
+     #[serde(default = "default_mount_path")]
+     pub mount_path: String,
+-- 
+2.52.0
+

0007-replace-git-dependencies-with-path-registry-deps-for.patch

@@ -0,0 +1,61 @@
+From f9e01d49a90cadffa9f07851ff25bdf949e9ee77 Mon Sep 17 00:00:00 2001
+From: Cropi <alakatos@redhat.com>
+Date: Wed, 21 Jan 2026 14:13:55 +0100
+Subject: [PATCH] replace git dependencies with path/registry deps for offline
+ builds
+
+Replace git dependencies with local path or registry dependencies to
+support --offline build environments (like Fedora's build system).
+
+Dependency changes:
+- kbs_protocol: Switch from git to local path
+  'guest-components-0.15.0/attestation-agent/kbs_protocol'
+- kms: Switch from git to local path
+  'guest-components-0.15.0/confidential-data-hub/kms'
+- kbs-types: Switch from git to registry version '0.14.0'
+---
+ Cargo.toml     | 6 ++----
+ kbs/Cargo.toml | 3 +--
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index fdd0e78..66e8172 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -26,10 +26,8 @@ config = "0.15.13"
+ ear = "0.3.0"
+ env_logger = "0.10.0"
+ hex = "0.4.3"
+-kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev = "c35306f", default-features = false }
+-# TODO: Change this to kbs-types release
+-kbs-types = { "git" = "https://github.com/virtee/kbs-types.git", rev = "e3cc706" }
+-kms = { git = "https://github.com/confidential-containers/guest-components.git", rev = "c35306f", default-features = false }
++kbs_protocol = { path = "guest-components-0.15.0/attestation-agent/kbs_protocol", default-features = false }
++kbs-types = { version = "0.14.0" }
+ jsonwebtoken = { version = "9", default-features = false }
+ lazy_static = "1.4.0"
+ log = "0.4.28"
+diff --git a/kbs/Cargo.toml b/kbs/Cargo.toml
+index 653c759..427aa87 100644
+--- a/kbs/Cargo.toml
++++ b/kbs/Cargo.toml
+@@ -28,7 +28,7 @@ coco-as-grpc = ["coco-as", "mobc", "tonic", "tonic-build", "prost"]
+ intel-trust-authority-as = ["as", "az-cvm-vtpm"]
+ 
+ # Use aliyun KMS as KBS backend
+-aliyun = ["kms/aliyun"]
++aliyun = []
+ 
+ # Use pkcs11 plugin
+ pkcs11 = ["cryptoki"]
+@@ -58,7 +58,6 @@ hex.workspace = true
+ jsonwebtoken = { workspace = true, default-features = false }
+ 
+ kbs-types.workspace = true
+-kms = { workspace = true, default-features = false }
+ lazy_static.workspace = true
+ log.workspace = true
+ mobc = { version = "0.9.0", optional = true }
+-- 
+2.52.0
+

0008-guard-RVPS-import-in-config-tests.patch

@@ -0,0 +1,28 @@
+From 3847d4061d1f590956a8276b95881a2c944fd973 Mon Sep 17 00:00:00 2001
+From: Cropi <alakatos@redhat.com>
+Date: Thu, 22 Jan 2026 09:12:02 +0100
+Subject: [PATCH] guard RVPS import in config tests
+
+The reference_value_provider_service import in test code is only needed
+when the coco-as-builtin feature is enabled. Since we've removed support
+for coco-as-builtin to minimize dependencies, gate this import behind
+the feature flag.
+---
+ kbs/src/config.rs | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kbs/src/config.rs b/kbs/src/config.rs
+index 2de2a53..4b7b8cd 100644
+--- a/kbs/src/config.rs
++++ b/kbs/src/config.rs
+@@ -136,6 +136,7 @@ mod tests {
+         token::{simple, AttestationTokenConfig, COCO_AS_ISSUER_NAME, DEFAULT_TOKEN_DURATION},
+     };
+ 
++    #[cfg(feature = "coco-as-builtin")]
+     use reference_value_provider_service::storage::{local_fs, ReferenceValueStorageConfig};
+ 
+     use rstest::rstest;
+-- 
+2.52.0
+

sources

@@ -0,0 +1,3 @@
+SHA512 (guest-components-0.15.0.tar.gz) = be182e5839f1c86dfa4093b1332a0fa4b2c878c5afc447d82688d48796f1c9c87cae0f289242df7e4c885108d1ac07134d777b0ad9073db8042f84034fc38471
+SHA512 (trustee-0.15.0-vendor.tar.zstd) = 9f4e8a31fa6011b6dfa628dcbf37d75a7867bac856bff53bb756ec5645947569a1b0c196aefe62d7fd87a79a6407fd980eedd4e46873300e17dfd70136794038
+SHA512 (v0.15.0.tar.gz) = 175ff47aa3f738a78926636fe9900ad833e8a3cf4cdd0dc69d2f40cb96d737813bfc15888fe4aaecd8a88d446f2bb1648404ebdc40528677020a5f4d9779347b

trustee.spec

@@ -0,0 +1,148 @@
+%bcond check 1
+
+# RHEL lacks individual packaged Rust crates, so we must bundle them (Source2).
+# Fedora has these crates packaged, so we can use system dependencies.
+%if 0%{?rhel}
+%bcond_without bundle_rust_deps
+%else
+%bcond_with bundle_rust_deps
+%endif
+
+Name:           trustee
+Version:        0.15.0
+Release:        %autorelease
+Summary:        Tools and components for attesting confidential guests and providing secrets
+
+### BEGIN LICENSE SUMMARY ###
+# (Apache-2.0 OR MIT) AND BSD-3-Clause
+# (MIT OR Apache-2.0) AND Unicode-DFS-2016
+# 0BSD OR MIT OR Apache-2.0
+# Apache-2.0
+# Apache-2.0 AND ISC AND (MIT OR Apache-2.0)
+# Apache-2.0 OR BSL-1.0
+# Apache-2.0 OR MIT
+# Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT
+# BSD-2-Clause OR Apache-2.0 OR MIT
+# BSD-3-Clause
+# ISC
+# MIT
+# MIT AND Apache-2.0 AND BSD-3-Clause
+# MIT OR Apache-2.0
+# MIT OR Zlib OR Apache-2.0
+# MPL-2.0
+# Unicode-3.0
+# Unlicense OR MIT
+# Zlib
+###  END LICENSE SUMMARY  ###
+
+License:        %{shrink: Apache-2.0 AND
+                         (Apache-2.0 OR BSL-1.0) AND
+                          BSD-2-Clause AND
+                          BSD-3-Clause AND
+                          ISC AND
+                          MIT AND
+                          MPL-2.0 AND
+                          Unicode-DFS-2016 AND
+                          Unicode-3.0 AND
+                          Zlib}
+URL:            https://github.com/confidential-containers/trustee
+Source0:        %{url}/archive/refs/tags/v%{version}.tar.gz
+Source1:        https://github.com/confidential-containers/guest-components/archive/refs/tags/v%{version}/guest-components-%{version}.tar.gz
+# Generated via create_vendor_source.sh script
+Source2:		trustee-%{version}-vendor.tar.zstd
+
+Patch: 0001-restrict-workspace-members-to-kbs-only.patch
+Patch: 0002-kbs-remove-built-in-attestation-service-for-lightwei.patch
+Patch: 0003-kbs-replace-concat-kdf-dependency-with-internal-impl.patch
+Patch: 0004-Refactor-kbs-replace-jwt-simple-with-jsonwebtoken-in.patch
+Patch: 0005-Refactor-deps-align-crate-versions-with-Fedora-upstr.patch
+Patch: 0006-replace-derivative-with-educe-for-debug-derivation.patch
+Patch: 0007-replace-git-dependencies-with-path-registry-deps-for.patch
+Patch: 0008-guard-RVPS-import-in-config-tests.patch
+
+%if %{with bundle_rust_deps}
+BuildRequires:  rust-toolset
+BuildRequires:  pkgconfig(openssl)
+%else
+BuildRequires:  cargo-rpm-macros
+%endif
+BuildRequires:  git-core
+
+%description
+Tools and components for attesting confidential guests and providing secrets to 
+them. Collectively, these components are known as Trustee. Trustee typically
+operates on behalf of the guest owner and interacts remotely with guest
+components, providing the necessary services for Attestation and Secret
+Delivery.
+
+#===============================================================================
+
+%package kbs
+Summary:        Key Broker Service for Confidential Computing
+Requires:       openssl
+
+%description kbs
+The Key Broker Service (KBS) is a key management component for Confidential
+Computing scenarios. It provides secure key distribution for confidential
+containers and virtual machines. KBS supports multiple backend storage
+systems and attestation services.
+
+#===============================================================================
+
+%prep
+%autosetup -n trustee-%{version} -a1 -S git
+
+%if %{with bundle_rust_deps}
+tar xf %{SOURCE2}
+# The vendor tarball may contain files with the executable bit set.
+# If these files start with an inner attribute like `#![no_std]`,
+# rpmbuild's dependency generator interprets the `#!` as a shebang
+# and fails because the path is invalid. Removing the executable bit
+# prevents this check.
+find vendor -type f -exec chmod -x {} +
+%cargo_prep -v vendor
+%else
+%cargo_prep
+%generate_buildrequires
+%cargo_generate_buildrequires
+%endif
+
+# Force openssl-sys to use system OpenSSL instead of building from source.
+# 1. Check if OPENSSL_NO_VENDOR is already defined (skips if true).
+# 2. Check if [env] section exists. If not, append it.
+# 3. Insert the variable definition after the [env] header.
+if ! grep -q "OPENSSL_NO_VENDOR" .cargo/config.toml; then
+  grep -q "^\[env\]" .cargo/config.toml || printf "\n[env]\n" >> .cargo/config.toml
+  sed -i '/^\[env\]/a OPENSSL_NO_VENDOR = "1"' .cargo/config.toml
+fi
+
+%build
+%cargo_build
+
+%if %{with bundle_rust_deps}
+%cargo_vendor_manifest
+%endif
+
+%cargo_license_summary
+%{cargo_license} > LICENSE.dependencies
+
+%install
+# Install KBS
+install -D -m 755 target/rpm/kbs %{buildroot}%{_bindir}/kbs
+
+%if %{with check}
+%check
+%cargo_test
+%endif
+
+%files kbs
+%license LICENSE
+%license LICENSE.dependencies
+%if %{with bundle_rust_deps}
+%license cargo-vendor.txt
+%endif
+%doc README.md
+%{_bindir}/kbs
+
+%changelog
+%autochangelog