Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[RFC] Runtime data spec #259

Open
jialez0 opened this issue Dec 12, 2023 · 2 comments
Open

[RFC] Runtime data spec #259

jialez0 opened this issue Dec 12, 2023 · 2 comments

Comments

@jialez0
Copy link
Member

jialez0 commented Dec 12, 2023

Background

Currently, in many scenarios the runtime data is used to bind some runtime data in Attestation report, for example

The reason for using runtime data is to transmit the data generated or used by the TEE instance during its operation to external consumers through Attestation technology while ensuring integrity.

We can see that more and more information would be together be the so-called runtime data to bind with the TEE evidence.
The simple approach we used before, s.t. naive concatenation and hash would be more difficult to process structured information and difficult to generalize. Thus we propose the specification of runtime data.

The design goal of the runtime data spec is to standardize the runtime data format, calculation digest algorithm and usage process for different types of confidential computing TEE, and provide the best practical.

Runtime Data Spec

Report data support

Currently almost all TEE platforms support report data mechanism. https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/attester/src/lib.rs#L61

Platform Field name
SGX/TDX REPORTDATA (64bytes)
SNP report_datat(64bytes)
CCA cca-realm-challenge(64bytes)
CSV user_data(64bytes)

Usage of the Runtime Data

  1. TEE instance builds runtime data at runtime and calculate runtime data digest.
  2. TEE instance calls API driver to get attestation report using the runtime data digest as report data.
  3. TEE instance initiates the RA process, and the Attestation Verifier calculates the digest of the runtime data and verifies whether it is consistent with the runtime data digest field in the evidence.

Runtime data spec

{
    "version": a string, specifies version of the runtime data,
    "alg": a string, hash algorithm to calculate the runtime data digest,
    "data": an JSON object, including compound data,
    "digest": a string, digest of "data" in hex derived using "alg"
}

Runtime data digest calculation

Rearrange each layer of the data JSON object in dictionary order by key, then serialize and output it into a compact string, and perform hash calculation on the whole.

The rearrange is important. It can ensure the hash inputs are the same.

How to deliver runtime data

This spec does not define this.

Examples

Usage in KBS protocol

Current RCAR protocol defines the following Attestation request.

{
    /*
     * A JWK-formatted public key, generated by the KBC running in the HW-TEE.
     * It is valid until the next time an attestation is required. Its hash must
     * be included in the HW-TEE evidence and signed by the HW-TEE hardware.
     */
    "tee-pubkey": $pubkey

    /* The attestation evidence. Its format is specified by Attestation-Service. */
    "tee-evidence": {}
}

A typical tdx Attestation request looks like

{
    "tee-pubkey": "AAAAA",
    "tee-evidence": {
        "cc_eventlog": "AAAAA",
        "quote": "BAAC"
    }
}

After applying runtime data spec, it would be

{
	"evidence": {
		"cc_eventlog": "AAAAA",
		"quote": "BAAC"
	},
	"runtime-data": {
		"version": "v0.1.0",
		"alg": "sha384",
		"data": {
			"tee-pubkey": "AAAAA",
			"nonce": "AAAAA",
		},
		"digest": "0a96dc5bbf0b6c0e0db6c83db8f59013e9817ecf47c1c5bf8c1c17e7e3831d00d7180d32f2294ce22a4ba0b39fbf3fbe"
	}
}

The digest is calculated by sha384 the string {"nonce":"AAAAA","tee-pubkey":"AAAAA"}.

@fitzthum
Copy link
Member

This looks good. The layout looks similar to the InitData proposal. Do you think it would make any sense to use the same format for both?

@mythi
Copy link
Contributor

mythi commented Dec 15, 2023

Thanks a lot for triggering this proposal! I have two opens:

  1. how the AS used by KBS gets to provide inputs to this? Related: KBS (protocol) enhancements to reportdata generation #242
  2. with this, we plan to move the report data generation away from the RCAR protocol into attesters?

The digest is calculated by sha384 the string {"nonce":"AAAAA","tee-pubkey":"AAAAA"}.

what would be the way to express: hash( "AAAAA" || "AAAAA") instead?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants