arm_cca

package
v0.0.2411 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 21, 2024 License: Apache-2.0 Imports: 19 Imported by: 0

README

This directory contains packages implementing arm-cca (Arm Confidential Compute Architecture) attestation scheme.

Arm CCA attestation scheme is a composite attestation scheme which comprises a CCA Platform Attestation & a Realm Attestation.

Endorsement Store Interface for the CCA Platform and Realm Attesation Scheme is given below.

Endorsement Store Interface

Arm CCA Platform

Reference Value
{
  "scheme": "ARM_CCA",
  "type": "reference value",
  "subType": "platform.sw-component",
  "attributes": {
    "hw-model": "RoadRunner",
    "hw-vendor": "ACME",
    "impl-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "measurement-desc": "sha-256",
    "measurement-type": "BL",
    "measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
    "signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
    "version": "3.4.2"
  }
}
{
  "scheme": "ARM_CCA",
  "type": "reference value",
  "subType": "platform.config",
  "attributes": {
    "hw-model": "RoadRunner",
    "hw-vendor": "ACME",
    "impl-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "platform-config-id": "AQID",
    "platform-config-label": "cfg v1.0.0"
  }
}
Trust Anchor
{
  "scheme": "ARM_CCA",
  "type": "trust anchor",
  "attributes": {
    "hw-model": "RoadRunner",
    "hw-vendor": "ACME",
    "iak-pub": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMKBCTNIcKUSDii11ySs3526iDZ8A\niTo7Tu6KPAqv7D7gS2XpJFbZiItSs3m9+9Ue6GnvHw/GW2ZZaVtszggXIw==\n-----END PUBLIC KEY-----",
    "impl-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "inst-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC"
  }
}

Arm CCA Realm

Reference Value

A Realm instance is uniquely identified by the values of Realm initial measurements and Realm Personalization Value (if provided) used to launch a Realm.

{
  "scheme": "ARM_CCA",
  "type": "REFERENCE_VALUE",
  "subType": "realm.reference-value",
  "attributes": {
    "vendor": "Workload Client Ltd",
    "class-id": "CD1F0E55-26F9-460D-B9D8-F7FDE171787C",
    "realm-initial-measurement": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1",
    "hash-alg-id": "sha-384",
    "realm-personalization-value": "5Fty9cDAtXLbTY06t+l/No/3TmI0eoJN7LZ6hOUiTXXkW3L1wMC1cttNjTq36X82j/dOYjR6gk3stnqE5SJNdQ==",
    "rem0": "IQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4",
    "rem1": "JQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4",
    "rem2": "MQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4",
    "rem3": "NQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4"
  }
}
Trust Anchor

Realms have no explicit Trust Anchor to provision, as they are supplied inline in the Realm attestation token.

Documentation

Overview

Copyright 2024 Contributors to the Veraison project. SPDX-License-Identifier: Apache-2.0

Copyright 2022-2024 Contributors to the Veraison project. SPDX-License-Identifier: Apache-2.0

Copyright 2024 Contributors to the Veraison project. SPDX-License-Identifier: Apache-2.0

Index

Constants

View Source
const SchemeName = "ARM_CCA"

Variables

View Source
var (
	ErrKeyNotFound    = errors.New("key not found")
	ErrValuesMismatch = errors.New("values mismatch")
)
View Source
var (
	EndorsementMediaTypes = []string{
		`application/corim-unsigned+cbor; profile="http://arm.com/cca/ssd/1"`,
		`application/corim-unsigned+cbor; profile="http://arm.com/cca/realm/1"`,
	}

	EvidenceMediaTypes = []string{
		`application/eat-collection; profile="http://arm.com/CCA-SSD/1.0.0"`,
	}
)

Functions

This section is empty.

Types

type CorimExtractor

type CorimExtractor struct {
	Profile string
}

func (CorimExtractor) RefValExtractor

func (o CorimExtractor) RefValExtractor(rvs comid.ValueTriples) ([]*handler.Endorsement, error)

func (*CorimExtractor) SetProfile

func (o *CorimExtractor) SetProfile(profile string)

func (CorimExtractor) TaExtractor

func (o CorimExtractor) TaExtractor(avk comid.KeyTriple) (*handler.Endorsement, error)

type EndorsementHandler

type EndorsementHandler struct{}

func (EndorsementHandler) Close

func (o EndorsementHandler) Close() error

func (EndorsementHandler) Decode

func (EndorsementHandler) GetAttestationScheme

func (o EndorsementHandler) GetAttestationScheme() string

func (EndorsementHandler) GetName

func (o EndorsementHandler) GetName() string

func (EndorsementHandler) GetSupportedMediaTypes

func (o EndorsementHandler) GetSupportedMediaTypes() []string

func (EndorsementHandler) Init

type EvidenceHandler

type EvidenceHandler struct{}

func (EvidenceHandler) AppraiseEvidence

func (s EvidenceHandler) AppraiseEvidence(
	ec *proto.EvidenceContext, endorsementsStrings []string,
) (*ear.AttestationResult, error)

func (EvidenceHandler) ExtractClaims

func (s EvidenceHandler) ExtractClaims(
	token *proto.AttestationToken,
	trustAnchors []string,
) (map[string]interface{}, error)

func (EvidenceHandler) GetAttestationScheme

func (s EvidenceHandler) GetAttestationScheme() string

func (EvidenceHandler) GetName

func (s EvidenceHandler) GetName() string

func (EvidenceHandler) GetSupportedMediaTypes

func (s EvidenceHandler) GetSupportedMediaTypes() []string

func (EvidenceHandler) ValidateEvidenceIntegrity

func (s EvidenceHandler) ValidateEvidenceIntegrity(
	token *proto.AttestationToken,
	trustAnchors []string,
	endorsementsStrings []string,
) error

ValidateEvidenceIntegrity, decodes CCA collection and then invokes Verify API of ccatoken library which verifies the signature on the platform part of CCA collection, using supplied trust anchor and internally verifies the realm part of CCA token using realm public key extracted from realm token.

type StoreHandler

type StoreHandler struct{}

func (StoreHandler) GetAttestationScheme

func (s StoreHandler) GetAttestationScheme() string

func (StoreHandler) GetName

func (s StoreHandler) GetName() string

func (StoreHandler) GetRefValueIDs

func (s StoreHandler) GetRefValueIDs(
	tenantID string,
	trustAnchors []string,
	claims map[string]interface{},
) ([]string, error)

func (StoreHandler) GetSupportedMediaTypes

func (s StoreHandler) GetSupportedMediaTypes() []string

func (StoreHandler) GetTrustAnchorIDs

func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error)

func (StoreHandler) SynthKeysFromRefValue

func (s StoreHandler) SynthKeysFromRefValue(
	tenantID string,
	refVal *handler.Endorsement,
) ([]string, error)

func (StoreHandler) SynthKeysFromTrustAnchor

func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error)

Directories

Path Synopsis
plugin

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL