[confcom] Ensure base64 encodings of functionally identical policies are the same #9249
Description
Attestation reports present a SHA256 of the raw security policy that is being enforced. This means changes which are not functional (e.g. arrays being reordered) will result in a different hash and therefore a policy that fails to match, despite actually being a correct policy.
This is a source of instability and should therefore be fixed. Here are the current known possible sources of different hashes from functionally identical policies:
- Ordering of arrays
- Environment variables in container definitions
- Exec processes in container definitions
- Volume Mounts in container definitions
- Includes statements in fragments
- Container definitions
- Fragment definitions
The priority is to fix ones which we change in future work, but ultimately all of these should be addressed