Comments (10)
Hi @surajssd , I think it would be great if KBS/AS could support vTPM attestation. CoCo KBS transparently forward the evidence to the Attestation-Service, which is the actual evidence verifier. If we want to support TPM attestation, maybe we can adding a vTPM Verifier Driver to the AS and adding a vTPM Attester Driver to CC-KBC.
from kbs.
That would be nice @surajssd. I guess the generated evidence is documented here: https://learn.microsoft.com/en-us/azure/attestation/claim-sets#outgoing-claims ?
There are two approaches that are possible (and not mutually exclusive; we might want to support both): relying on MAA or the manual route.
The MAA flow would have the TEE fetch a token from MAA, and forward that as evidence to KBS. KBS can then rely on the claims you linked and check that the token is signed.
The manual route fetches the SNP report from the (v)TPM, the TPM holds "an Attestation Key" and can be used to sign a quote with PCRs + user-provided data (nonce + TEE public key). The Attestation Key is linked to the SNP report (and this report is static). We then forward the SNP report and the extra data to KBS. MAA is not involved.
from kbs.
The MAA flow would have the TEE fetch a token from MAA, and forward that as evidence to KBS. KBS can then rely on the claims you linked and check that the token is signed.
And the MAA generated token is composed of the outgoing+property claims documented here: https://learn.microsoft.com/en-us/azure/attestation/claim-sets ?
Yes, here's the contents of an actual MAA token:
{
"exp": 1678728993,
"iat": 1678700193,
"iss": "https://sharedeus2.eus2.attest.azure.net",
"jti": "f0a70be802aecaf4cc66f2259a911ac51bacf645bb236e71fe832112f25d4394",
"nbf": 1678700193,
"secureboot": true,
"x-ms-attestation-type": "azurevm",
"x-ms-azurevm-attestation-protocol-ver": "2.0",
"x-ms-azurevm-attested-pcrs": [
0,
1,
2,
3,
4,
5,
6,
7
],
"x-ms-azurevm-bootdebug-enabled": false,
"x-ms-azurevm-dbvalidated": true,
"x-ms-azurevm-dbxvalidated": true,
"x-ms-azurevm-debuggersdisabled": true,
"x-ms-azurevm-default-securebootkeysvalidated": true,
"x-ms-azurevm-elam-enabled": false,
"x-ms-azurevm-flightsigning-enabled": false,
"x-ms-azurevm-hvci-policy": 0,
"x-ms-azurevm-hypervisordebug-enabled": false,
"x-ms-azurevm-is-windows": false,
"x-ms-azurevm-kerneldebug-enabled": false,
"x-ms-azurevm-osbuild": "NotApplication",
"x-ms-azurevm-osdistro": "Ubuntu",
"x-ms-azurevm-ostype": "Linux",
"x-ms-azurevm-osversion-major": 20,
"x-ms-azurevm-osversion-minor": 4,
"x-ms-azurevm-signingdisabled": true,
"x-ms-azurevm-testsigning-enabled": false,
"x-ms-azurevm-vmid": "BAEFD3E1-184B-4C4C-AB88-0BDAD260505F",
"x-ms-isolation-tee": {
"x-ms-attestation-type": "sevsnpvm",
"x-ms-compliance-status": "azure-compliant-cvm",
"x-ms-runtime": {
"keys": [
{
"e": "AQAB",
"key_ops": [
"encrypt"
],
"kid": "HCLAkPub",
"kty": "RSA",
"n": "tYVBpgABBOedWd2SNiT8o1I7FVCit2pDm2mr6B7b66_NNOlW3u42TrJwaB5nk4VRqXjdpobSVSpXItf-Aisx2DwXPEQ3Ms6cvXEOPllGJ1O6kFEYNFJB0ZfLJtf01C_GcxT0EN3C-7m56PJV9AKIA7F2xCtzjWkyx9QX679tpcmP5FQk5_PxWDd3tVXVwjgk2f9V2wGKuJni2FSyDdtKG1C54UgwnNP_HLIdreuVLXiYne95tHvA_ifkUg-fTeQqD3S6NmyMf9FAyuNMJExhNgCNSwiv3IwR-rLBfOHgzpOwlfnVP0TfatYZjeWlOkj7QKfJdxRfNuAshe94E6VW0Q"
}
],
"vm-configuration": {
"console-enabled": true,
"current-time": 1678652405,
"secure-boot": true,
"tpm-enabled": true,
"vmUniqueId": "BAEFD3E1-184B-4C4C-AB88-0BDAD260505F"
}
},
"x-ms-sevsnpvm-authorkeydigest": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"x-ms-sevsnpvm-bootloader-svn": 3,
"x-ms-sevsnpvm-familyId": "01000000000000000000000000000000",
"x-ms-sevsnpvm-guestsvn": 2,
"x-ms-sevsnpvm-hostdata": "0000000000000000000000000000000000000000000000000000000000000000",
"x-ms-sevsnpvm-idkeydigest": "934f68bd8ba01938eec21475c872e3a942b60c59fafc6df9e9a76ee66bc47f2d09c676f61c0315c578da26085fb13a71",
"x-ms-sevsnpvm-imageId": "02000000000000000000000000000000",
"x-ms-sevsnpvm-is-debuggable": false,
"x-ms-sevsnpvm-launchmeasurement": "5a71e4ba7e0b83e44c8e853130a65557db0a7782cdb2d906c54b0bf5878202805ab159bfe0cf7d5749aa6f62b7094508",
"x-ms-sevsnpvm-microcode-svn": 115,
"x-ms-sevsnpvm-migration-allowed": false,
"x-ms-sevsnpvm-reportdata": "1d0a466a9eed975e88f889f7aed4abc1c97e87c4f43e5e3478c9a4a5853cbd7d0000000000000000000000000000000000000000000000000000000000000000",
"x-ms-sevsnpvm-reportid": "c6c9131086d237b2b9cfef5e886d1594b10c6d886cbebe25294da0a3577e7a61",
"x-ms-sevsnpvm-smt-allowed": true,
"x-ms-sevsnpvm-snpfw-svn": 8,
"x-ms-sevsnpvm-tee-svn": 0,
"x-ms-sevsnpvm-vmpl": 0
},
"x-ms-policy-hash": "wm9mHlvTU82e8UqoOy1Yj1FBRSNkfe99-69IYDq9eWs",
"x-ms-runtime": {
"client-payload": {
"nonce": ""
},
"keys": [
{
"e": "AQAB",
"key_ops": [
"encrypt"
],
"kid": "TpmEphemeralEncryptionKey",
"kty": "RSA",
"n": "kjtKVgAA3drk_VzSs3_9fPEQqNDGqOGnnyhTKNPrWZVIwUIXvK7kDlcytswDrsOnxOf88dA2dAAGHJBaMggvNgX8bG6pTuahg_6k-65RGwdLvJ_6_3W176Pqk5hmrh1SEr142jUELY2cBLeGjDtmhkMwviQsHQonvhFdmZeD-M8OsXOZog9mvcK5dc7hwyK4Zxvoj5fkyVEgGQ_Q6yzrorYcr0bOojI5Sve8rpiHSifgm7uzfKlvvggHzPrvHPNpq9E53eWOsWDlAtE5i3xog86hMuUSQdKOq2-Ity5oDoYmbrJ0ZT2flwF9tVvIGqBJKtKkD6obGKgmUwsIQsJcFw"
}
]
},
"x-ms-ver": "1.0"
}
the SNP reports reportdata
field has the hash over the .x-ms-isolation-tee.x-ms-runtime
tee field in a different order than above:
$ echo -n '{"keys":[{"kid":"HCLAkPub","key_ops":["encrypt"],"kty":"RSA","e":"AQAB","n":"tYVBpgABBOedWd2SNiT8o1I7FVCit2pDm2mr6B7b66_NNOlW3u42TrJwaB5nk4VRqXjdpobSVSpXItf-Aisx2DwXPEQ3Ms6cvXEOPllGJ1O6kFEYNFJB0ZfLJtf01C_GcxT0EN3C-7m56PJV9AKIA7F2xCtzjWkyx9QX679tpcmP5FQk5_PxWDd3tVXVwjgk2f9V2wGKuJni2FSyDdtKG1C54UgwnNP_HLIdreuVLXiYne95tHvA_ifkUg-fTeQqD3S6NmyMf9FAyuNMJExhNgCNSwiv3IwR-rLBfOHgzpOwlfnVP0TfatYZjeWlOkj7QKfJdxRfNuAshe94E6VW0Q"}],"vm-configuration":{"console-enabled":true,"current-time":1678652405,"secure-boot":true,"tpm-enabled":true,"vmUniqueId":"BAEFD3E1-184B-4C4C-AB88-0BDAD260505F"}}' | sha256sum
1d0a466a9eed975e88f889f7aed4abc1c97e87c4f43e5e3478c9a4a5853cbd7d -
The included key is the TPM Attestation Key that I mentioned, that signs the PCR quote.
The manual route fetches the SNP report from the (v)TPM, the TPM holds "an Attestation Key" and can be used to sign a quote with PCRs + user-provided data (nonce + TEE public key). The Attestation Key is linked to the SNP report (and this report is static). We then forward the SNP report and the extra data to KBS. MAA is not involved.
Is the SNP report static, i.e. it only contains measurements for the HCL+vTPM+UEFI firmware? Then the vTPM PCRS have the actual guest measurements?
Yes and yes. Right now the most reasonable way to use this would be to verify PCR4 (kernel/initrd/cmdline hash) and PCR7 (secureboot state and keys).
from kbs.
cc: @mkulke
from kbs.
That would be nice @surajssd. I guess the generated evidence is documented here: https://learn.microsoft.com/en-us/azure/attestation/claim-sets#outgoing-claims ?
from kbs.
That would be nice @surajssd. I guess the generated evidence is documented here: https://learn.microsoft.com/en-us/azure/attestation/claim-sets#outgoing-claims ?
@sameo According to my understanding, the content in this document is the claims in the Token (RATS passport)?
from kbs.
If we want to support TPM attestation, maybe we can adding a vTPM Verifier Driver to the AS and adding a vTPM Attester Driver to CC-KBC.
yes this is the one approach we're currently looking at. we'll probably open PRs on attestation-agent/attestation-service/kbs-types to gather some feedback. The azure specific parts would be implemented in a dedicated crate, and while the code to agent/service is rather slim, it would extend the Tee enum and "drivers" with CSP-specific entries, so it'll be TDX | SEV-SNP | AZ-vTPM-SNP ...
, so it's not just hw vendors and platfroms but also CSP implementations.
from kbs.
The MAA flow would have the TEE fetch a token from MAA, and forward that as evidence to KBS. KBS can then rely on the claims you linked and check that the token is signed.
And the MAA generated token is composed of the outgoing+property claims documented here: https://learn.microsoft.com/en-us/azure/attestation/claim-sets ?
The manual route fetches the SNP report from the (v)TPM, the TPM holds "an Attestation Key" and can be used to sign a quote with PCRs + user-provided data (nonce + TEE public key). The Attestation Key is linked to the SNP report (and this report is static). We then forward the SNP report and the extra data to KBS. MAA is not involved.
Is the SNP report static, i.e. it only contains measurements for the HCL+vTPM+UEFI firmware? Then the vTPM PCRS have the actual guest measurements?
from kbs.
Is there anything left to be done here?
from kbs.
I think we can close this one.
from kbs.
Related Issues (20)
- Enable e2e tests for real TEEs HOT 9
- attestation: verifier: tdx: Allow kernel parameter values to contain equals signs
- [AS] Return generic report_data & init_data field in Attestation Claim HOT 6
- Attestation-Service: replacing anyhow with explicit error types HOT 1
- Attestation-Service: Add (e2e) test
- Attestation-Service: Add vTPM PCRs to claims in az-snp-vtpm HOT 3
- Attestation-Service: Should the SNP verifier claim set include more than REPORTED_TCB? HOT 4
- e2e tests: include negative test case for invalid evidence
- RVPS limitations HOT 6
- RFC: KBS (protocol) enhancements to reportdata generation HOT 2
- [CoCo AS]: Documentation for parsed-claim measurement
- New name for the CoCo Attestation project HOT 21
- KBS: Abondon the Mutex to promote the concurrency performance
- [RFC] Runtime data spec HOT 2
- Attestation-Service: build error caused by `csv`
- Intel TDX HOT 8
- Use of RPITIT vs async-trait macro in the project HOT 2
- OPA Engine Quirks HOT 10
- KBS does not support multiple attestation policies HOT 2
- Option to use Versioned Loaded Endorsement Key (VLEK) for verifying SNP attestation report in AWS HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kbs.