Add DICE evidence proto (project-oak#4203)
This PR adds the [DICE](https://trustedcomputinggroup.org/wp-content/uploads/DICE-Layering-Architecture-r19_pub.pdf) evidence protobuf definitions. Ref project-oak#4074
Showing
4 changed files
with
226 additions
and
0 deletions.
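--- a/oak_remote_attestation/proto/v1/certificate_authority.proto
+++ b/oak_remote_attestation/proto/v1/certificate_authority.proto
@@ -0,0 +1,37 @@
+//
+// Copyright 2023 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+syntax = "proto3";
+
+package oak.remote_attestation.v1;
+
+option java_multiple_files = true;
+option java_package = "com.google.oak.remote_attestation.v1";
+
+// Message for passing embedded certificate authoricy information between layers.
+// Will never appear in the evidence that is sent to the client.
+message CertificateAuthority {
+  // ECA private key that will be used by a layer to sign a certificate for the next layer.
+  //
+  // Represented as a SEC1 encoded point.
+  // <https://www.secg.org/sec1-v2.pdf#page=16>
+  bytes eca_private_key = 1;
+  // Certificate signing next layer's measurements and the ECA key.
+  //
+  // CBOR/COSE/CWT ECA certificate.
+  // <https://www.rfc-editor.org/rfc/rfc8392.html>
+  bytes eca_certificate = 2;
+}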
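Review bot: The comment on `eca_private_key` says the value is "a SEC1 encoded point", but a SEC1 point encoding describes an elliptic-curve public key; a private key is a scalar, so an implementer following this comment will mis-parse or mis-serialize the field. Replace it with the actual encoding, e.g. `// Raw ECA private key scalar (fixed-length big-endian integer), not a point; curve is implicit — confirm against the layer implementation.`, and name the expected curve/algorithm somewhere, since neither this message nor the certificate field carries an algorithm identifier. Because this message holds raw signing-key material, the "will never appear in the evidence" remark is the important invariant; it is worth extending it to say the message must not be logged or persisted outside the layer hand-off. Also `authoricy` in the message comment should read `authority`.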
@@ -0,0 +1,67 @@ | ||
// | ||
// Copyright 2023 The Project Oak Authors | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
// | ||
|
||
syntax = "proto3"; | ||
|
||
package oak.remote_attestation.v1; | ||
|
||
import "oak_remote_attestation/proto/v1/evidence.proto"; | ||
|
||
option java_multiple_files = true; | ||
option java_package = "com.google.oak.remote_attestation.v1"; | ||
|
||
// Endorsement provided by the Transparent Release process. | ||
// <https://github.com/project-oak/oak/blob/main/docs/release.md> | ||
message TransparentReleaseEndorsement { | ||
// The serialized binary endorsement statement from the transparent release process. | ||
bytes endorsement_statement = 1; | ||
|
||
// The serialized Rekor LogEntry as proof of the inclusion of the endorsement statement in Rekor. | ||
bytes rekor_log_entry = 2; | ||
|
||
// Public key of rekor at the time of uploading the endorsement statement. This is required for | ||
// verifying the log entry. | ||
string base64_pem_encoded_rekor_public_key = 3; | ||
} | ||
|
||
// Endorsement contains statements that some entity (e.g., a hardware provider) vouches for the | ||
// integrity of claims about the TEE or the software running on it. | ||
// | ||
// The name is chosen to match the RATS terminology: | ||
// <https://www.rfc-editor.org/rfc/rfc9334.html#name-endorsements> | ||
message Endorsement { | ||
// The platform providing the attestation report. | ||
TeePlatform platform = 1; | ||
|
||
// The serialized TEE certificate(s). The details of the format and how the certificate(s) are | ||
// encoded into this byte array are implementation-specific. In case of AMD-SEV-SNP, as described | ||
// in https://www.amd.com/system/files/TechDocs/57230.pdf, there are three different certificates | ||
// packaged in two different files. | ||
bytes tee_certificates = 2; | ||
|
||
// Transparent Release endorsement. | ||
repeated TransparentReleaseEndorsement transparent_release_endorsement = 3; | ||
} | ||
|
||
// EndorsedEvidence contains the information that the untrusted launcher provides to the client | ||
// in response to its request for the enclave's public key(s). | ||
message EndorsedEvidence { | ||
// Attestation evidence from the enclave. | ||
Evidence evidence = 1; | ||
|
||
// Supporting evidence required for verifying the integrity of attestation evidence. | ||
Endorsement endorsement = 2; | ||
} |
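Review bot: `base64_pem_encoded_rekor_public_key` is delivered in the same message as the `rekor_log_entry` it is meant to verify, and `EndorsedEvidence` is described as coming from the untrusted launcher, so a verifier that uses this field as-is would accept a log entry signed by whatever key the launcher chose. The field comment should make the trust model explicit, e.g. `// Informational only: the verifier MUST compare this with the Rekor public key pinned in its reference values before trusting rekor_log_entry.` `Endorsement.platform` duplicates `RootLayerEvidence.platform` from evidence.proto; a sentence saying the verifier rejects a mismatch would prevent the two from drifting. The name `base64_pem_encoded` suggests base64 applied on top of PEM (which is already base64) — confirm which encoding is intended and state it in the comment.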
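--- a/oak_remote_attestation/proto/v1/evidence.proto
+++ b/oak_remote_attestation/proto/v1/evidence.proto
@@ -0,0 +1,107 @@
+//
+// Copyright 2023 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+syntax = "proto3";
+
+package oak.remote_attestation.v1;
+
+option java_multiple_files = true;
+option java_package = "com.google.oak.remote_attestation.v1";
+
+// This proto defines the layered DICE Attestation Evidence.
+//
+// DICE provides a mechanism for combining software measurements and corresponding certificates into
+// a chain, where each element (called "layer") represents a piece of software loaded into the VMs
+// memory. These layers are loaded sequentially, i.e. the previous layer loads the next layer. The
+// previous layer is also responsible for measuring the next layer, generating a private key and a
+// certificate for it.
+//
+// <https://trustedcomputinggroup.org/wp-content/uploads/TCG_DICE_Attestation_Architecture_r22_02dec2020.pdf>
+// <https://trustedcomputinggroup.org/wp-content/uploads/DICE-Layering-Architecture-r19_pub.pdf>
+
+enum TeePlatform {
+  UNSPECIFIED = 0;
+  AMD_SEV_SNP = 1;
+  INTEL_TDX = 2;
+}
+
+// Evidence generated by the Layer0.
+// Since this layer is the initial layer for our architecture and it is measured during boot, its
+// identity is represented by an Attestation Report.
+message RootLayerEvidence {
+  // The platform providing the attestation report.
+  TeePlatform platform = 1;
+
+  // TEE-specific attestation report acting as a non-standard certificate for the
+  // Layer0 ECA public key.
+  bytes remote_attestation_report = 2;
+
+  // Serialised ECA public key for Layer0 that is signed by the Remote Attestation Report.
+  //
+  // Represented as a SEC1 encoded point.
+  // <https://www.secg.org/sec1-v2.pdf#page=16>
+  bytes eca_public_key = 3;
+}
+
+// DICE layer evidence containing a certificate signed by the previous layer.
+message LayerEvidence {
+  // Layer name is unique per enclave application, but it’s not a globally unique identifier.
+  string layer_name = 1;
+
+  // Certificate signing current layer's measurements and the ECA key.
+  //
+  // Represented as a CBOR/COSE/CWT ECA certificate.
+  // <https://www.rfc-editor.org/rfc/rfc8392.html>
+  bytes eca_certificate = 2;
+}
+
+// Keys used by the application to derive encryption session keys and to sign arbitrary data.
+// Each of the certificates contains the final layer's measurement as additional claims.
+message ApplicationKeys {
+  // Certificate signing the encryption public key.
+  //
+  // Represented as a CBOR/COSE/CWT ECA certificate.
+  // <https://www.rfc-editor.org/rfc/rfc8392.html>
+  optional bytes encryption_public_key_certificate = 1;
+
+  // Certificate signing the signing public key.
+  //
+  // Represented as a CBOR/COSE/CWT ECA certificate.
+  // <https://www.rfc-editor.org/rfc/rfc8392.html>
+  optional bytes signing_public_key_certificate = 2;
+}
+
+// Attestation Evidence used by the client to the identity of firmware and software running inside a
+// Trusted Execution Environment.
+//
+// The name is chosen to match the RATS terminology:
+// <https://datatracker.ietf.org/doc/html/rfc9334#name-evidence>
+message Evidence {
+  // Layer0 attestation evidence.
+  RootLayerEvidence root_layer_evidence = 1;
+
+  // Layer1..LayerN-1 attestation evidence.
+  repeated LayerEvidence layer_evidence = 2;
+
+  // Application keys signed by the penultimate layer’s ECA key.
+  //
+  // We are not signing these keys with the last layer's ECA key, because it's the application layer
+  // and the these keys are never shared with it.
+  // The last layer uses an API to the previous layer to:
+  // - Derive session keys from the encryption key
+  // - Sign arbitrary data with the signing key
+  optional ApplicationKeys application_keys = 3;
+}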
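Review bot: `RootLayerEvidence` never says how `remote_attestation_report` binds `eca_public_key`; the comment only says the key "is signed by" the report, and unless the verifier checks that the report's user/report-data field carries (a hash of) exactly this key, a genuine report can be paired with an attacker-chosen key and the whole DICE chain below it becomes attacker-controlled. Document the binding on the field, e.g. `// The verifier MUST check that the report's user data equals the hash of eca_public_key; a valid report alone does not authenticate this key.` (which report field and which hash are implementation details to confirm), and likewise state on `layer_evidence` that each certificate must chain to the previous layer's ECA key in order, since `layer_name` is untrusted and cannot be used to decide trust. The `TeePlatform` values are unprefixed — `UNSPECIFIED` in particular will clash with any other enum declared in `oak.remote_attestation.v1` because proto enum values share their parent scope — so `TEE_PLATFORM_UNSPECIFIED`, `TEE_PLATFORM_AMD_SEV_SNP`, `TEE_PLATFORM_INTEL_TDX` is the safer choice before this schema is published. Minor wording: `used by the client to the identity` should read `used by the client to verify the identity`, and `the these keys` should read `these keys`.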