README
This directory contains packages implementing the arm-cca
(Arm Confidential Compute Architecture) attestation scheme.
The Arm CCA attestation scheme is a composite attestation scheme comprising a CCA Platform Attestation and a Realm Attestation.
The Endorsement Store Interface for the CCA Platform and Realm Attestation Schemes is given below.
Endorsement Store Interface
Arm CCA Platform
Reference Value
{
"scheme": "ARM_CCA",
"type": "reference value",
"subType": "platform.sw-component",
"attributes": {
"hw-model": "RoadRunner",
"hw-vendor": "ACME",
"impl-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
"measurement-desc": "sha-256",
"measurement-type": "BL",
"measurement-value": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
"signer-id": "BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=",
"version": "3.4.2"
}
}
{
"scheme": "ARM_CCA",
"type": "reference value",
"subType": "platform.config",
"attributes": {
"hw-model": "RoadRunner",
"hw-vendor": "ACME",
"impl-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
"platform-config-id": "AQID",
"platform-config-label": "cfg v1.0.0"
}
}
Trust Anchor
{
"scheme": "ARM_CCA",
"type": "trust anchor",
"attributes": {
"hw-model": "RoadRunner",
"hw-vendor": "ACME",
"iak-pub": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMKBCTNIcKUSDii11ySs3526iDZ8A\niTo7Tu6KPAqv7D7gS2XpJFbZiItSs3m9+9Ue6GnvHw/GW2ZZaVtszggXIw==\n-----END PUBLIC KEY-----",
"impl-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
"inst-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC"
}
}
Arm CCA Realm
Reference Value
A Realm instance is uniquely identified by the values of Realm initial measurements and Realm Personalization Value (if provided) used to launch a Realm.
{
"scheme": "ARM_CCA",
"type": "REFERENCE_VALUE",
"subType": "realm.reference-value",
"attributes": {
"vendor": "Workload Client Ltd",
"class-id": "CD1F0E55-26F9-460D-B9D8-F7FDE171787C",
"realm-initial-measurement": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1",
"hash-alg-id": "sha-384",
"realm-personalization-value": "5Fty9cDAtXLbTY06t+l/No/3TmI0eoJN7LZ6hOUiTXXkW3L1wMC1cttNjTq36X82j/dOYjR6gk3stnqE5SJNdQ==",
"rem0": "IQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4",
"rem1": "JQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4",
"rem2": "MQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4",
"rem3": "NQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4"
}
}
Trust Anchor
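Realms have no explicit Trust Anchor to provision: the Realm public key used to verify the Realm token is supplied inline in the Realm attestation token itself. Because that key arrives inside the evidence being verified, it is not an independently provisioned root of trust; the only trust anchor provisioned for this scheme is the platform one shown above.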
Documentation
Overview ¶
Copyright 2024 Contributors to the Veraison project. SPDX-License-Identifier: Apache-2.0
Copyright 2022-2024 Contributors to the Veraison project. SPDX-License-Identifier: Apache-2.0
Copyright 2024 Contributors to the Veraison project. SPDX-License-Identifier: Apache-2.0
Index ¶
- Constants
- Variables
- type CorimExtractor
- type EndorsementHandler
- func (o EndorsementHandler) Close() error
- func (o EndorsementHandler) Decode(data []byte) (*handler.EndorsementHandlerResponse, error)
- func (o EndorsementHandler) GetAttestationScheme() string
- func (o EndorsementHandler) GetName() string
- func (o EndorsementHandler) GetSupportedMediaTypes() []string
- func (o EndorsementHandler) Init(params handler.EndorsementHandlerParams) error
- type EvidenceHandler
- func (s EvidenceHandler) AppraiseEvidence(ec *proto.EvidenceContext, endorsementsStrings []string) (*ear.AttestationResult, error)
- func (s EvidenceHandler) ExtractClaims(token *proto.AttestationToken, trustAnchors []string) (map[string]interface{}, error)
- func (s EvidenceHandler) GetAttestationScheme() string
- func (s EvidenceHandler) GetName() string
- func (s EvidenceHandler) GetSupportedMediaTypes() []string
- func (s EvidenceHandler) ValidateEvidenceIntegrity(token *proto.AttestationToken, trustAnchors []string, ...) error
- type StoreHandler
- func (s StoreHandler) GetAttestationScheme() string
- func (s StoreHandler) GetName() string
- func (s StoreHandler) GetRefValueIDs(tenantID string, trustAnchors []string, claims map[string]interface{}) ([]string, error)
- func (s StoreHandler) GetSupportedMediaTypes() []string
- func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error)
- func (s StoreHandler) SynthKeysFromRefValue(tenantID string, refVal *handler.Endorsement) ([]string, error)
- func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error)
Constants ¶
// SchemeName is the identifier of this attestation scheme. It is the same
// string that appears as the "scheme" value in the endorsement store examples
// in the README section of this page.
const SchemeName = "ARM_CCA"
Variables ¶
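// Sentinel errors exported by this package. Match them with errors.Is rather
// than by comparing message text, so that wrapped errors are still recognised.
var (
	// ErrKeyNotFound carries the message "key not found".
	// NOTE(review): the code that returns it is not shown on this page;
	// presumably it signals a missing attribute or claim key — confirm.
	ErrKeyNotFound = errors.New("key not found")

	// ErrValuesMismatch carries the message "values mismatch".
	// NOTE(review): presumably returned when two compared values differ;
	// confirm against the callers before relying on it for an appraisal verdict.
	ErrValuesMismatch = errors.New("values mismatch")
)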
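// Media types declared by the ARM_CCA scheme. The profile parameter is part
// of each string, so a media type with a different or missing profile is not
// equal to any entry here.
var (
	// EndorsementMediaTypes lists the unsigned CoRIM media types for the two
	// Arm CCA profiles on this page: "ssd/1" and "realm/1".
	// NOTE(review): both entries are the corim-unsigned variant; no signed
	// CoRIM media type is declared here, so confirm where the authenticity
	// of provisioned endorsements is established.
	EndorsementMediaTypes = []string{
		`application/corim-unsigned+cbor; profile="http://arm.com/cca/ssd/1"`,
		`application/corim-unsigned+cbor; profile="http://arm.com/cca/realm/1"`,
	}

	// EvidenceMediaTypes lists the single evidence media type declared here,
	// an EAT collection with the CCA-SSD 1.0.0 profile.
	EvidenceMediaTypes = []string{
		`application/eat-collection; profile="http://arm.com/CCA-SSD/1.0.0"`,
	}
)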
Functions ¶
This section is empty.
Types ¶
type CorimExtractor ¶
// CorimExtractor is the type whose methods, as listed on this page, turn CoRIM
// reference-value triples (RefValExtractor) and attestation-verification-key
// triples (TaExtractor) into handler.Endorsement values.
type CorimExtractor struct {
	// Profile is a CoRIM profile string.
	// NOTE(review): presumably assigned through SetProfile and used to tell
	// the platform and realm profiles apart — the method bodies are not shown
	// here; confirm.
	Profile string
}
func (CorimExtractor) RefValExtractor ¶
func (o CorimExtractor) RefValExtractor(rvs comid.ValueTriples) ([]*handler.Endorsement, error)
func (*CorimExtractor) SetProfile ¶
func (o *CorimExtractor) SetProfile(profile string)
func (CorimExtractor) TaExtractor ¶
func (o CorimExtractor) TaExtractor(avk comid.KeyTriple) (*handler.Endorsement, error)
type EndorsementHandler ¶
// EndorsementHandler is a field-less type carrying the endorsement-side
// methods listed on this page: Init, Close, Decode and the scheme, name and
// media-type getters.
// NOTE(review): Decode takes a raw []byte; presumably this is provisioning
// input that has to be handled as untrusted until decoded and validated —
// confirm against the method body.
type EndorsementHandler struct{}
func (EndorsementHandler) Close ¶
func (o EndorsementHandler) Close() error
func (EndorsementHandler) Decode ¶
func (o EndorsementHandler) Decode(data []byte) (*handler.EndorsementHandlerResponse, error)
func (EndorsementHandler) GetAttestationScheme ¶
func (o EndorsementHandler) GetAttestationScheme() string
func (EndorsementHandler) GetName ¶
func (o EndorsementHandler) GetName() string
func (EndorsementHandler) GetSupportedMediaTypes ¶
func (o EndorsementHandler) GetSupportedMediaTypes() []string
func (EndorsementHandler) Init ¶
func (o EndorsementHandler) Init(params handler.EndorsementHandlerParams) error
type EvidenceHandler ¶
// EvidenceHandler is a field-less type carrying the evidence-side methods
// listed on this page: ExtractClaims, ValidateEvidenceIntegrity,
// AppraiseEvidence and the scheme, name and media-type getters.
// NOTE(review): the methods are separate entry points; the order in which a
// caller must invoke them (for example integrity validation before appraisal)
// is not stated on this page — confirm with the calling code.
type EvidenceHandler struct{}
func (EvidenceHandler) AppraiseEvidence ¶
func (s EvidenceHandler) AppraiseEvidence( ec *proto.EvidenceContext, endorsementsStrings []string, ) (*ear.AttestationResult, error)
func (EvidenceHandler) ExtractClaims ¶
func (s EvidenceHandler) ExtractClaims( token *proto.AttestationToken, trustAnchors []string, ) (map[string]interface{}, error)
func (EvidenceHandler) GetAttestationScheme ¶
func (s EvidenceHandler) GetAttestationScheme() string
func (EvidenceHandler) GetName ¶
func (s EvidenceHandler) GetName() string
func (EvidenceHandler) GetSupportedMediaTypes ¶
func (s EvidenceHandler) GetSupportedMediaTypes() []string
func (EvidenceHandler) ValidateEvidenceIntegrity ¶
func (s EvidenceHandler) ValidateEvidenceIntegrity( token *proto.AttestationToken, trustAnchors []string, endorsementsStrings []string, ) error
ValidateEvidenceIntegrity decodes the CCA collection and then invokes the Verify API of the ccatoken library, which verifies the signature on the platform part of the CCA collection using the supplied trust anchor, and internally verifies the realm part of the CCA token using the realm public key extracted from the realm token.
type StoreHandler ¶
// StoreHandler is a field-less type carrying the store-side methods listed on
// this page: GetTrustAnchorIDs, GetRefValueIDs, SynthKeysFromTrustAnchor,
// SynthKeysFromRefValue and the scheme, name and media-type getters.
// NOTE(review): several of these methods take a tenantID; presumably the
// returned keys and IDs are scoped per tenant — confirm against the method
// bodies, which are not shown here.
type StoreHandler struct{}
func (StoreHandler) GetAttestationScheme ¶
func (s StoreHandler) GetAttestationScheme() string
func (StoreHandler) GetName ¶
func (s StoreHandler) GetName() string
func (StoreHandler) GetRefValueIDs ¶
func (StoreHandler) GetSupportedMediaTypes ¶
func (s StoreHandler) GetSupportedMediaTypes() []string
func (StoreHandler) GetTrustAnchorIDs ¶
func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error)
func (StoreHandler) SynthKeysFromRefValue ¶
func (s StoreHandler) SynthKeysFromRefValue( tenantID string, refVal *handler.Endorsement, ) ([]string, error)
func (StoreHandler) SynthKeysFromTrustAnchor ¶
func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error)