scheme/
Published: Aug 29, 2024 License: Apache-2.0

README

This directory contains packages implementing support for specific attestation schemes. Currently the following schemes are implemented:

  • arm-cca: Arm Confidential Compute Architecture attestation.
  • psa-iot: Arm Platform Security Architecture attestation.
  • riot: RIoT based DICE-compatible attestation (note: this does not implement any specific DICE architecture).
  • tpm-enacttrust: TPM-based attestation for the EnactTrust security cloud.
  • parsec-tpm: Parsec TPM based hardware-backed attestation, details here
  • parsec-cca: Parsec CCA based hardware-backed attestation, details here

[!NOTE] When adding (or removing) a scheme, please update ../builtin/scheme.gen.go to include the appropriate entries. This can be done automatically using the ../scripts/gen-schemes script (see ../builtin/Makefile) or by manually editing the file. The script takes a long time to execute, so unless multiple schemes are being added/moved/deleted, manual editing may be easier.

Implementing Attestation Scheme Support

Note: If you already have attestation scheme plugins implemented for an earlier version of Veraison, please see the migration guide for how to convert them to the new framework.

Supporting a new attestation scheme requires implementing three interfaces: IEndorsementHandler defines how endorsements (if any) are provisioned; IEvidenceHandler defines how evidence tokens are processed; and IStoreHandler defines how the scheme-specific keys used to store and retrieve endorsements and trust anchors are created and obtained.

Finally, an executable should be created that registers and serves them.

package main

import (
	"github.com/veraison/services/handler"
	"github.com/veraison/services/plugin"
)

// MyEvidenceHandler processes evidence tokens for the scheme.
type MyEvidenceHandler struct {}

// ...
// Implementation of IEvidenceHandler for MyEvidenceHandler
// ...

// MyEndorsementHandler provisions endorsements for the scheme.
type MyEndorsementHandler struct {}

// ...
// Implementation of IEndorsementHandler for MyEndorsementHandler
// ...

// MyStoreHandler derives the keys used to store and look up endorsements
// and trust anchors for the scheme.
type MyStoreHandler struct {}

// ...
// Implementation of IStoreHandler for MyStoreHandler
// ...

func main() {
	// Register each handler with the plugin framework, then serve them so
	// the Veraison services can load this executable as a scheme plugin.
	handler.RegisterEndorsementHandler(&MyEndorsementHandler{})
	handler.RegisterEvidenceHandler(&MyEvidenceHandler{})
	handler.RegisterStoreHandler(&MyStoreHandler{})

	plugin.Serve()
}

Debugging

Handler code is a lot easier to debug when it runs as part of the service processes, rather than as a plugin. This can be achieved by using the "builtin" plugin loader.

The attestation scheme loading method is a build-time configuration. Since delve does its own building, it will ignore the normal build configuration. Instead, you will have to configure this when invoking delve:

dlv debug --build-flags "-ldflags '-X github.com/veraison/services/config.SchemeLoader=builtin'"

This will allow you to step into and set break points inside scheme code.
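The registration step above and the build-time loader selection both rest on the same two mechanisms: a registry that handlers are added to, and a package-level string variable that the linker can overwrite with `-X`. The following is an added, self-contained example written for this page; it is not Veraison's code and does not use Veraison's IEvidenceHandler, handler or plugin packages. The `EvidenceHandler` interface, `Registry`, `LoadSchemes`, `sampleHandler` and the media types are all constructed for illustration. It shows why a registry should reject a second handler claiming the same scheme name or media type (otherwise evidence can be silently routed to the wrong verifier), and how a `builtin` versus `plugin` choice is read from a variable that `-ldflags "-X main.SchemeLoader=builtin"` can set at build time.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// SchemeLoader plays the role of a build-time switch. Because it is a
// package-level string var (not a const), the linker can overwrite it:
//   go build -ldflags "-X main.SchemeLoader=builtin"
// The default value "plugin" is an assumption made for this example.
var SchemeLoader = "plugin"

// EvidenceHandler is a hypothetical stand-in interface for this example,
// not Veraison's IEvidenceHandler.
type EvidenceHandler interface {
	SchemeName() string
	SupportedMediaTypes() []string
}

// Registry maps scheme names and media types to handlers. Each media type
// may be claimed by exactly one scheme so that evidence dispatch is unambiguous.
type Registry struct {
	evidence   map[string]EvidenceHandler
	mediaTypes map[string]string // media type -> owning scheme name
}

func NewRegistry() *Registry {
	return &Registry{
		evidence:   make(map[string]EvidenceHandler),
		mediaTypes: make(map[string]string),
	}
}

// RegisterEvidenceHandler adds h, refusing empty names, duplicate scheme
// names and media types already claimed by another scheme.
func (r *Registry) RegisterEvidenceHandler(h EvidenceHandler) error {
	name := h.SchemeName()
	if name == "" {
		return errors.New("handler has an empty scheme name")
	}
	if _, dup := r.evidence[name]; dup {
		return fmt.Errorf("scheme %q is already registered", name)
	}
	for _, mt := range h.SupportedMediaTypes() {
		if owner, taken := r.mediaTypes[mt]; taken {
			return fmt.Errorf("media type %q is already claimed by scheme %q", mt, owner)
		}
	}
	r.evidence[name] = h
	for _, mt := range h.SupportedMediaTypes() {
		r.mediaTypes[mt] = name
	}
	return nil
}

// HandlerForMediaType resolves the handler that should process evidence of
// the given media type.
func (r *Registry) HandlerForMediaType(mt string) (EvidenceHandler, bool) {
	name, ok := r.mediaTypes[mt]
	if !ok {
		return nil, false
	}
	return r.evidence[name], true
}

// SchemeNames returns the registered scheme names in sorted order.
func (r *Registry) SchemeNames() []string {
	names := make([]string, 0, len(r.evidence))
	for n := range r.evidence {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// LoadSchemes builds a registry according to the chosen loading method.
// "builtin" registers the handlers compiled into this binary in-process;
// "plugin" stands for out-of-process loading, which this example does not implement.
func LoadSchemes(loader string, builtin []EvidenceHandler) (*Registry, error) {
	switch loader {
	case "builtin":
		r := NewRegistry()
		for _, h := range builtin {
			if err := r.RegisterEvidenceHandler(h); err != nil {
				return nil, err
			}
		}
		return r, nil
	case "plugin":
		return nil, errors.New("plugin loader not implemented here; rebuild with -ldflags \"-X main.SchemeLoader=builtin\"")
	default:
		return nil, fmt.Errorf("unknown scheme loader %q", loader)
	}
}

// sampleHandler is a constructed handler used only to exercise the registry.
type sampleHandler struct {
	name string
	mts  []string
}

func (s sampleHandler) SchemeName() string            { return s.name }
func (s sampleHandler) SupportedMediaTypes() []string { return s.mts }

func main() {
	// Constructed sample schemes and media types, not real Veraison values.
	reg, err := LoadSchemes(SchemeLoader, []EvidenceHandler{
		sampleHandler{"example-a", []string{"application/vnd.example.a+cbor"}},
		sampleHandler{"example-b", []string{"application/vnd.example.b+json"}},
	})
	if err != nil {
		fmt.Println("load failed:", err)
		return
	}
	fmt.Println("loader:", SchemeLoader, "schemes:", reg.SchemeNames())
}
```

Run as-is, `main` reports that the plugin loader is not implemented; built with `-ldflags "-X main.SchemeLoader=builtin"` it registers the two sample schemes in-process, which is the same mechanism the `dlv debug --build-flags` invocation above relies on.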
