You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The reason for using runtime data is to transmit the data generated or used by the TEE instance during its operation to external consumers through Attestation technology while ensuring integrity.
We can see that more and more information would be together be the so-called runtime data to bind with the TEE evidence.
The simple approach we used before, s.t. naive concatenation and hash would be more difficult to process structured information and difficult to generalize. Thus we propose the specification of runtime data.
The design goal of the runtime data spec is to standardize the runtime data format, calculation digest algorithm and usage process for different types of confidential computing TEE, and provide the best practical.
TEE instance builds runtime data at runtime and calculate runtime data digest.
TEE instance calls API driver to get attestation report using the runtime data digest as report data.
TEE instance initiates the RA process, and the Attestation Verifier calculates the digest of the runtime data and verifies whether it is consistent with the runtime data digest field in the evidence.
Runtime data spec
{
"version": a string, specifies version of the runtime data,"alg": a string, hash algorithm to calculate the runtime data digest,"data": an JSON object, including compound data,"digest": a string, digest of "data" in hex derived using "alg"
}
Runtime data digest calculation
Rearrange each layer of the data JSON object in dictionary order by key, then serialize and output it into a compact string, and perform hash calculation on the whole.
The rearrange is important. It can ensure the hash inputs are the same.
How to deliver runtime data
This spec does not define this.
Examples
Usage in KBS protocol
Current RCAR protocol defines the following Attestation request.
{
/** A JWK-formatted public key, generated by the KBC running in the HW-TEE.* It is valid until the next time an attestation is required. Its hash must* be included in the HW-TEE evidence and signed by the HW-TEE hardware.*/"tee-pubkey": $pubkey/* The attestation evidence. Its format is specified by Attestation-Service. */"tee-evidence": {}
}
Background
Currently, in many scenarios the runtime data is used to bind some runtime data in Attestation report, for example
The reason for using runtime data is to transmit the data generated or used by the TEE instance during its operation to external consumers through Attestation technology while ensuring integrity.
We can see that more and more information would be together be the so-called runtime data to bind with the TEE evidence.
The simple approach we used before, s.t. naive concatenation and hash would be more difficult to process structured information and difficult to generalize. Thus we propose the specification of runtime data.
The design goal of the runtime data spec is to standardize the runtime data format, calculation digest algorithm and usage process for different types of confidential computing TEE, and provide the best practical.
Runtime Data Spec
Report data support
Currently almost all TEE platforms support report data mechanism. https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/attester/src/lib.rs#L61
Usage of the Runtime Data
Runtime data spec
Runtime data digest calculation
Rearrange each layer of the data JSON object in dictionary order by key, then serialize and output it into a compact string, and perform hash calculation on the whole.
The rearrange is important. It can ensure the hash inputs are the same.
How to deliver runtime data
This spec does not define this.
Examples
Usage in KBS protocol
Current RCAR protocol defines the following
Attestation
request.A typical tdx
Attestation
request looks likeAfter applying runtime data spec, it would be
The digest is calculated by sha384 the string
{"nonce":"AAAAA","tee-pubkey":"AAAAA"}
.The text was updated successfully, but these errors were encountered: