Documentation
Overview
Azure attestation
Constellation supports multiple attestation technologies on Azure:
SEV - Secure Nested Paging (SEV-SNP): TPM attestation verified using an SEV-SNP attestation statement.
TDX - Trust Domain Extensions: TPM attestation verified using a TDX attestation statement.
Trusted Launch: basic TPM attestation.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func GetAttestationKey (added in v2.15.0)
```go
func GetAttestationKey(tpm io.ReadWriter) (*tpmclient.Key, error)
```
GetAttestationKey reads the attestation key put into the TPM during early boot.
Types
type HCLAkValidator (added in v2.15.0)
```go
type HCLAkValidator struct{}
```
HCLAkValidator validates an attestation key issued by the Host Compatibility Layer (HCL). The HCL is written by Azure and sits between the hypervisor and the CVM OS. The HCL runs in the protected context of the CVM.
func (*HCLAkValidator) Validate (added in v2.15.0)
```go
func (a *HCLAkValidator) Validate(runtimeDataRaw []byte, reportData []byte, rsaParameters *tpm2.RSAParams) error
```
Validate validates that the attestation key from the TPM is trustworthy. The steps are:
1. The runtime data read from the TPM has the same sha256 digest as reported in `report_data` of the SNP report or `TdQuoteBody.ReportData` of the TDX report.
2. The modulus reported in the runtime data matches the modulus of the key at idx 0x81000003.
3. The exponent reported in the runtime data matches the exponent of the key at idx 0x81000003.
The function is currently tested manually on an Azure Ubuntu CVM.
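The three checks above, carried out on constructed input, as an added example that is not Constellation's own code: `validateHCLAk` stands in for `Validate`, taking the modulus and exponent of the key at idx 0x81000003 as plain values instead of `*tpm2.RSAParams`, and the JSON layout of the HCL runtime data (a JWK-style `keys` array with base64url `n` and `e`) is an assumption, not something the page states.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// validateHCLAk applies the three checks of Validate above; modulus and exponent stand in for *tpm2.RSAParams.
func validateHCLAk(runtimeDataRaw, reportData, modulus []byte, exponent uint32) error {
	sum := sha256.Sum256(runtimeDataRaw) // 1. report_data must start with this digest
	if len(reportData) < len(sum) || !bytes.Equal(sum[:], reportData[:len(sum)]) {
		return errors.New("runtime data digest does not match report data")
	}
	// Assumed HCL runtime data layout (not from the page): JWK-style "keys" with base64url n and e.
	var rd struct{ Keys []struct{ Kid, N, E string } }
	if err := json.Unmarshal(runtimeDataRaw, &rd); err != nil {
		return errors.New("runtime data is not valid JSON")
	}
	for _, k := range rd.Keys {
		if k.Kid != "HCLAkPub" {
			continue
		}
		n, errN := base64.RawURLEncoding.DecodeString(k.N)
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if errN != nil || errE != nil || !bytes.Equal(n, modulus) { // 2. modulus of key 0x81000003
			return errors.New("modulus in runtime data does not match TPM key")
		}
		if new(big.Int).SetBytes(e).Uint64() != uint64(exponent) { // 3. exponent of key 0x81000003
			return errors.New("exponent in runtime data does not match TPM key")
		}
		return nil
	}
	return errors.New("no HCLAkPub entry in runtime data")
}

// sampleInputs returns constructed (not real) runtime data, a 64-byte report_data
// carrying its digest in the first 32 bytes, and the matching TPM key values.
func sampleInputs() (raw, report, modulus []byte, exponent uint32) {
	modulus, exponent = bytes.Repeat([]byte{0xab}, 256), 65537 // "AQAB" is base64url(0x010001)
	raw, _ = json.Marshal(map[string]interface{}{"keys": []map[string]string{
		{"kid": "HCLAkPub", "n": base64.RawURLEncoding.EncodeToString(modulus), "e": "AQAB"}}})
	sum := sha256.Sum256(raw)
	return raw, append(sum[:], make([]byte, 32)...), modulus, exponent
}
func main() { fmt.Println("HCL AK valid:", validateHCLAk(sampleInputs()) == nil) }
```

Any of the three checks failing, or a report_data shorter than the digest, rejects the key; only a runtime data blob bound by the report and carrying the same modulus and exponent as the TPM key passes.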
Directories
Path | Synopsis
---|---
tdx | package tdx implements attestation for TDX on Azure.