AS: add parsed claims for TDX/SGX and documents #248
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
RTMRs are ignored in previous commits because current RTMRs are used to check the integrity of CCEL. In this way all the information that RTMRs include is covered by CCEL. However, in some scenarios, CCEL will not be provided, RTMRs will be useful when doing remote attestation. Signed-off-by: Xynnn007 <[email protected]>
fitzthum
reviewed
Nov 30, 2023
attestation-service/README.md
Outdated
| - `sgx`: Verifier Driver for Intel Software Guard Extensions (Intel SGX). | ||
| - `azsnpvtpm`: Verifier Driver for Azure vTPM based on SNP (Azure SNP vTPM) | ||
| - `cca`: Verifier Driver for Confidential Compute Architecture (Arm CCA). | ||
| - `csa`: Verifier Driver for China Security Virtualization (Hygon CSV). |
There was a problem hiding this comment.
Oh yes. Let me fix this. Thanks.
|
|
||
| All platforms will by default have two fixed claims: | ||
| - `report_data`: report data when generating the evidence. | ||
| - `init_data_hash`: Hostdata when creating the TEE instance. |
There was a problem hiding this comment.
I wonder if it would be better to call this init_data rather than init_data_hash. Usually the report_data will also contain a hash.
There was a problem hiding this comment.
sounds a good idea. And we can then call the plaintexts of init data "init_data_materials"?
Related to confidential-containers#228. This is the implementation for SGX/TDX/Sample Signed-off-by: Xynnn007 <[email protected]>
When generating parsed claims in CoCo-AS, the compound structure of measurements will be flattened into a single layer key value map. During the flattening, every key will be added name of the tee platform as the prefix. There are two special claims: `report_data` and `init_data_hash`. Almost all the platforms have related fields with these two kinds of semantics. We bring them out as separate claims without any prefix. This would help for the consumers of the attestation result to do some check upon the two semantics. Signed-off-by: Xynnn007 <[email protected]>
related to confidential-containers#246. This commit implements SGX/TDX/Sample. Signed-off-by: Xynnn007 <[email protected]>
|
LGTM |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Partially resolve #246 and #228
This PR will change the token format in #240