-
Notifications
You must be signed in to change notification settings - Fork 54
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Leverage external utility(CC Trusted API) to ease the process of confidential environment evidence fetching/verifying #2879
Comments
Hi, Thanks for reaching out and describing your idea. We agree with the goal to handle as much as possible of the TEE-specific tasks with external libraries. CC Trusted API is an interesting project, but we have some concerns around it:
An alternative approach that we currently follow is using TEE-specific, but CSP-agnostic libraries, like https://github.com/google/go-tdx-guest While these are maintained by Google, they also work for AWS and Azure. |
Thanks for the feedback. We are already discussing with several potential users. In the meanwhile, we are working hard to provide Golang support and adding more partners to the community for contribution. Once we have more progress, i will get it updated here and ask for a second round evaluation. |
Updates for CC-API projects:
|
this looks like an interesting presentation on this topic: |
Use case
Constellation, working as the typical confidential cluster that could run on either cloud environment or local machine across platforms, need to fetch measurements/evidence against different type of TEEs/TPM to prove its trustworthiness. Once a new confidential computing environment get supported in CSP's environment or a new technology revealed to the market, Constellation must make addition to the current code space to enable the evidence fetching or replaying function for the platform.
In the meanwhile, different platform or confidential computing technologies varies in use, which requires the Constellation developers to have knowledge and understandings on different architectures. Maintaining these code seems another burden for the project, as efforts are required once there's change in API or Specifications of the underlying technologies.
Describe your solution
Instead of maintaining the code within Constellation, it seems more efficient to leverage an utility which provides the capability for application to do evidence fetching or replaying using a set of simple APIs across all kinds of platforms.
CC Trusted API is a nice approach to streamline the effort that Constellation requires on this side. As a project that aims to collect confidential primitives (i.e., measurement, event log, quote) for zero-trust design, it provides the capability to fulfill this need using some vendor agnostic and TCG compliant APIs in multiple deployment environments (e.g. firmware/VM/cloud native clusters).
By leveraging these APIs, Constellation can perform with evidence fetching on different platforms through a unified API and requires little effort on maintenance of code related to platform features.
Would you be willing to implement this feature?
The text was updated successfully, but these errors were encountered: