Add DICE evidence proto (project-oak#4203)

This PR adds [DICE](https://trustedcomputinggroup.org/wp-content/uploads/DICE-Layering-Architecture-r19_pub.pdf) evidence protobuf definition.

Ref project-oak#4074

oak_remote_attestation/proto/v1/BUILD

@@ -25,6 +25,21 @@ package(
  licenses = ["notice"],
 )
 
+proto_library(
+ name = "certificate_authority_proto",
+ srcs = ["certificate_authority.proto"],
+)
+
+proto_library(
+ name = "endorsement_proto",
+ srcs = ["endorsement.proto"],
+)
+
+proto_library(
+ name = "evidence_proto",
+ srcs = ["evidence.proto"],
+)
+
 proto_library(
  name = "messages_proto",
  srcs = ["messages.proto"],

oak_remote_attestation/proto/v1/certificate_authority.proto

@@ -0,0 +1,37 @@
+//
+// Copyright 2023 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+syntax = "proto3";
+
+package oak.remote_attestation.v1;
+
+option java_multiple_files = true;
+option java_package = "com.google.oak.remote_attestation.v1";
+
+// Message for passing embedded certificate authoricy information between layers.
+// Will never appear in the evidence that is sent to the client.
+message CertificateAuthority {
+ // ECA private key that will be used by a layer to sign a certificate for the next layer.
+ //
+ // Represented as a SEC1 encoded point.
+ // <https://www.secg.org/sec1-v2.pdf#page=16>
+ bytes eca_private_key = 1;
+ // Certificate signing next layer's measurements and the ECA key.
+ //
+ // CBOR/COSE/CWT ECA certificate.
+ // <https://www.rfc-editor.org/rfc/rfc8392.html>
+ bytes eca_certificate = 2;
+}

oak_remote_attestation/proto/v1/endorsement.proto

@@ -0,0 +1,67 @@
+//
+// Copyright 2023 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+syntax = "proto3";
+
+package oak.remote_attestation.v1;
+
+import "oak_remote_attestation/proto/v1/evidence.proto";
+
+option java_multiple_files = true;
+option java_package = "com.google.oak.remote_attestation.v1";
+
+// Endorsement provided by the Transparent Release process.
+// <https://github.com/project-oak/oak/blob/main/docs/release.md>
+message TransparentReleaseEndorsement {
+ // The serialized binary endorsement statement from the transparent release process.
+ bytes endorsement_statement = 1;
+
+ // The serialized Rekor LogEntry as proof of the inclusion of the endorsement statement in Rekor.
+ bytes rekor_log_entry = 2;
+
+ // Public key of rekor at the time of uploading the endorsement statement. This is required for
+ // verifying the log entry.
+ string base64_pem_encoded_rekor_public_key = 3;
+}
+
+// Endorsement contains statements that some entity (e.g., a hardware provider) vouches for the
+// integrity of claims about the TEE or the software running on it.
+//
+// The name is chosen to match the RATS terminology:
+// <https://www.rfc-editor.org/rfc/rfc9334.html#name-endorsements>
+message Endorsement {
+ // The platform providing the attestation report.
+ TeePlatform platform = 1;
+
+ // The serialized TEE certificate(s). The details of the format and how the certificate(s) are
+ // encoded into this byte array are implementation-specific. In case of AMD-SEV-SNP, as described
+ // in https://www.amd.com/system/files/TechDocs/57230.pdf, there are three different certificates
+ // packaged in two different files.
+ bytes tee_certificates = 2;
+
+ // Transparent Release endorsement.
+ repeated TransparentReleaseEndorsement transparent_release_endorsement = 3;
+}
+
+// EndorsedEvidence contains the information that the untrusted launcher provides to the client
+// in response to its request for the enclave's public key(s).
+message EndorsedEvidence {
+ // Attestation evidence from the enclave.
+ Evidence evidence = 1;
+
+ // Supporting evidence required for verifying the integrity of attestation evidence.
+ Endorsement endorsement = 2;
+}

oak_remote_attestation/proto/v1/evidence.proto

@@ -0,0 +1,107 @@
+//
+// Copyright 2023 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+syntax = "proto3";
+
+package oak.remote_attestation.v1;
+
+option java_multiple_files = true;
+option java_package = "com.google.oak.remote_attestation.v1";
+
+// This proto defines the layered DICE Attestation Evidence.
+//
+// DICE provides a mechanism for combining software measurements and corresponding certificates into
+// a chain, where each element (called "layer") represents a piece of software loaded into the VMs
+// memory. These layers are loaded sequentially, i.e. the previous layer loads the next layer. The
+// previous layer is also responsible for measuring the next layer, generating a private key and a
+// certificate for it.
+//
+// <https://trustedcomputinggroup.org/wp-content/uploads/TCG_DICE_Attestation_Architecture_r22_02dec2020.pdf>
+// <https://trustedcomputinggroup.org/wp-content/uploads/DICE-Layering-Architecture-r19_pub.pdf>
+
+enum TeePlatform {
+ UNSPECIFIED = 0;
+ AMD_SEV_SNP = 1;
+ INTEL_TDX = 2;
+}
+
+// Evidence generated by the Layer0.
+// Since this layer is the initial layer for our architecture and it is measured during boot, its
+// identity is represented by an Attestation Report.
+message RootLayerEvidence {
+ // The platform providing the attestation report.
+ TeePlatform platform = 1;
+
+ // TEE-specific attestation report acting as a non-standard certificate for the
+ // Layer0 ECA public key.
+ bytes remote_attestation_report = 2;
+
+ // Serialised ECA public key for Layer0 that is signed by the Remote Attestation Report.
+ //
+ // Represented as a SEC1 encoded point.
+ // <https://www.secg.org/sec1-v2.pdf#page=16>
+ bytes eca_public_key = 3;
+}
+
+// DICE layer evidence containing a certificate signed by the previous layer.
+message LayerEvidence {
+ // Layer name is unique per enclave application, but it’s not a globally unique identifier.
+ string layer_name = 1;
+
+ // Certificate signing current layer's measurements and the ECA key.
+ //
+ // Represented as a CBOR/COSE/CWT ECA certificate.
+ // <https://www.rfc-editor.org/rfc/rfc8392.html>
+ bytes eca_certificate = 2;
+}
+
+// Keys used by the application to derive encryption session keys and to sign arbitrary data.
+// Each of the certificates contains the final layer's measurement as additional claims.
+message ApplicationKeys {
+ // Certificate signing the encryption public key.
+ //
+ // Represented as a CBOR/COSE/CWT ECA certificate.
+ // <https://www.rfc-editor.org/rfc/rfc8392.html>
+ optional bytes encryption_public_key_certificate = 1;
+
+ // Certificate signing the signing public key.
+ //
+ // Represented as a CBOR/COSE/CWT ECA certificate.
+ // <https://www.rfc-editor.org/rfc/rfc8392.html>
+ optional bytes signing_public_key_certificate = 2;
+}
+
+// Attestation Evidence used by the client to the identity of firmware and software running inside a
+// Trusted Execution Environment.
+//
+// The name is chosen to match the RATS terminology:
+// <https://datatracker.ietf.org/doc/html/rfc9334#name-evidence>
+message Evidence {
+ // Layer0 attestation evidence.
+ RootLayerEvidence root_layer_evidence = 1;
+
+ // Layer1..LayerN-1 attestation evidence.
+ repeated LayerEvidence layer_evidence = 2;
+
+ // Application keys signed by the penultimate layer’s ECA key.
+ //
+ // We are not signing these keys with the last layer's ECA key, because it's the application layer
+ // and the these keys are never shared with it.
+ // The last layer uses an API to the previous layer to:
+ // - Derive session keys from the encryption key
+ // - Sign arbitrary data with the signing key
+ optional ApplicationKeys application_keys = 3;
+}