From 4d245d1cc67f7b73a13c3dcea6cc5f65222df4a4 Mon Sep 17 00:00:00 2001 From: Ivan Petrov Date: Wed, 30 Aug 2023 11:06:42 +0100 Subject: [PATCH] Add DICE evidence proto (#4203) This PR adds [DICE](https://trustedcomputinggroup.org/wp-content/uploads/DICE-Layering-Architecture-r19_pub.pdf) evidence protobuf definition. Ref https://github.com/project-oak/oak/issues/4074 --- oak_remote_attestation/proto/v1/BUILD | 15 +++ .../proto/v1/certificate_authority.proto | 37 ++++++ .../proto/v1/endorsement.proto | 67 +++++++++++ .../proto/v1/evidence.proto | 107 ++++++++++++++++++ 4 files changed, 226 insertions(+) create mode 100644 oak_remote_attestation/proto/v1/certificate_authority.proto create mode 100644 oak_remote_attestation/proto/v1/endorsement.proto create mode 100644 oak_remote_attestation/proto/v1/evidence.proto diff --git a/oak_remote_attestation/proto/v1/BUILD b/oak_remote_attestation/proto/v1/BUILD index 7c09ef6fc5c..2ca6bf8e7b9 100644 --- a/oak_remote_attestation/proto/v1/BUILD +++ b/oak_remote_attestation/proto/v1/BUILD @@ -25,6 +25,21 @@ package( licenses = ["notice"], ) +proto_library( + name = "certificate_authority_proto", + srcs = ["certificate_authority.proto"], +) + +proto_library( + name = "endorsement_proto", + srcs = ["endorsement.proto"], +) + +proto_library( + name = "evidence_proto", + srcs = ["evidence.proto"], +) + proto_library( name = "messages_proto", srcs = ["messages.proto"], diff --git a/oak_remote_attestation/proto/v1/certificate_authority.proto b/oak_remote_attestation/proto/v1/certificate_authority.proto new file mode 100644 index 00000000000..91e80cd3167 --- /dev/null +++ b/oak_remote_attestation/proto/v1/certificate_authority.proto 
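Review bot: The new `endorsement_proto` target in this hunk declares no `deps`, but `endorsement.proto` added later in this patch begins with `import "oak_remote_attestation/proto/v1/evidence.proto";`, so protoc cannot resolve that import when `endorsement_proto` is built on its own. Add `deps = [":evidence_proto"],` to the `endorsement_proto` rule after its `srcs` line. If the repository's proto code generation currently goes through a different rule and these `proto_library` targets are not yet consumed, the failure will only surface once something depends on them, but the target should still be self-consistent as committed.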
@@ -0,0 +1,37 @@
+//
+// Copyright 2023 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+syntax = "proto3";
+
+package oak.remote_attestation.v1;
+
+option java_multiple_files = true;
+option java_package = "com.google.oak.remote_attestation.v1";
+
+// Message for passing embedded certificate authoricy information between layers.
+// Will never appear in the evidence that is sent to the client.
+message CertificateAuthority {
+ // ECA private key that will be used by a layer to sign a certificate for the next layer.
+ //
+ // Represented as a SEC1 encoded point.
+ //
+ bytes eca_private_key = 1;
+ // Certificate signing next layer's measurements and the ECA key.
+ //
+ // CBOR/COSE/CWT ECA certificate.
+ //
+ bytes eca_certificate = 2;
+}
diff --git a/oak_remote_attestation/proto/v1/endorsement.proto b/oak_remote_attestation/proto/v1/endorsement.proto
new file mode 100644
index 00000000000..0ecf567cbdc
--- /dev/null
+++ b/oak_remote_attestation/proto/v1/endorsement.proto
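Review bot: The `eca_private_key` comment says the key is "Represented as a SEC1 encoded point", but an EC private key is a scalar, not a curve point; SEC1 encodes private keys as a raw octet-string scalar or an `ECPrivateKey` structure, so the comment as written describes the public key rather than this field. Replace it with the actual encoding, e.g. `// Represented as the raw big-endian private scalar (confirm against the generating layer); this is not a curve point.` Because this message carries a signing key, its documentation should also state the handling contract beyond "never appears in the evidence": it may only cross the layer-to-layer channel, must not be logged or persisted, and the receiving layer should wipe the buffer once it has issued the next certificate, e.g. `// Secret material: layer-to-layer transfer only; never log or persist, and zeroize after use.` Also "authoricy" in the message comment should read "authority".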
@@ -0,0 +1,67 @@
+//
+// Copyright 2023 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+syntax = "proto3";
+
+package oak.remote_attestation.v1;
+
+import "oak_remote_attestation/proto/v1/evidence.proto";
+
+option java_multiple_files = true;
+option java_package = "com.google.oak.remote_attestation.v1";
+
+// Endorsement provided by the Transparent Release process.
+//
+message TransparentReleaseEndorsement {
+ // The serialized binary endorsement statement from the transparent release process.
+ bytes endorsement_statement = 1;
+
+ // The serialized Rekor LogEntry as proof of the inclusion of the endorsement statement in Rekor.
+ bytes rekor_log_entry = 2;
+
+ // Public key of rekor at the time of uploading the endorsement statement. This is required for
+ // verifying the log entry.
+ string base64_pem_encoded_rekor_public_key = 3;
+}
+
+// Endorsement contains statements that some entity (e.g., a hardware provider) vouches for the
+ // integrity of claims about the TEE or the software running on it.
+//
+// The name is chosen to match the RATS terminology:
+//
+message Endorsement {
+ // The platform providing the attestation report.
+ TeePlatform platform = 1;
+
+ // The serialized TEE certificate(s). The details of the format and how the certificate(s) are
+ // encoded into this byte array are implementation-specific. In case of AMD-SEV-SNP, as described
+ // in https://www.amd.com/system/files/TechDocs/57230.pdf, there are three different certificates
+ // packaged in two different files.
+ bytes tee_certificates = 2;
+
+ // Transparent Release endorsement.
+ repeated TransparentReleaseEndorsement transparent_release_endorsement = 3;
+}
+
+// EndorsedEvidence contains the information that the untrusted launcher provides to the client
+// in response to its request for the enclave's public key(s).
+message EndorsedEvidence {
+ // Attestation evidence from the enclave.
+ Evidence evidence = 1;
+
+ // Supporting evidence required for verifying the integrity of attestation evidence.
+ Endorsement endorsement = 2;
+}
diff --git a/oak_remote_attestation/proto/v1/evidence.proto b/oak_remote_attestation/proto/v1/evidence.proto
new file mode 100644
index 00000000000..657658be0fc
--- /dev/null
+++ b/oak_remote_attestation/proto/v1/evidence.proto
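Review bot: `base64_pem_encoded_rekor_public_key` is carried inside the message that, per the `EndorsedEvidence` comment, the untrusted launcher sends to the client, so a verifier that takes the Rekor key from this field to check `rekor_log_entry` is validating the log entry against an attacker-supplied key; the field comment should make clear this value cannot establish trust on its own. Suggested comment: `// Public key of Rekor at the time the endorsement statement was uploaded. Supplied by the untrusted launcher: the client MUST compare it against a Rekor key it already trusts (pinned or from trusted configuration) before using it to verify rekor_log_entry.` The same caveat belongs on `tee_certificates`: the chain must be verified up to a pinned hardware vendor root (the AMD ARK for SEV-SNP) rather than trusted because it arrived in the message. Separately, `Endorsement.platform` duplicates `RootLayerEvidence.platform` from evidence.proto; either document that a verifier must reject a mismatch between the two or drop one of them before this schema is published.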
@@ -0,0 +1,107 @@
+//
+// Copyright 2023 The Project Oak Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+syntax = "proto3";
+
+package oak.remote_attestation.v1;
+
+option java_multiple_files = true;
+option java_package = "com.google.oak.remote_attestation.v1";
+
+// This proto defines the layered DICE Attestation Evidence.
+//
+// DICE provides a mechanism for combining software measurements and corresponding certificates into
+// a chain, where each element (called "layer") represents a piece of software loaded into the VMs
+// memory. These layers are loaded sequentially, i.e. the previous layer loads the next layer. The
+// previous layer is also responsible for measuring the next layer, generating a private key and a
+// certificate for it.
+//
+//
+//
+
+enum TeePlatform {
+ UNSPECIFIED = 0;
+ AMD_SEV_SNP = 1;
+ INTEL_TDX = 2;
+}
+
+// Evidence generated by the Layer0.
+// Since this layer is the initial layer for our architecture and it is measured during boot, its
+// identity is represented by an Attestation Report.
+message RootLayerEvidence {
+ // The platform providing the attestation report.
+ TeePlatform platform = 1;
+
+ // TEE-specific attestation report acting as a non-standard certificate for the
+ // Layer0 ECA public key.
+ bytes remote_attestation_report = 2;
+
+ // Serialised ECA public key for Layer0 that is signed by the Remote Attestation Report.
+ //
+ // Represented as a SEC1 encoded point.
+ //
+ bytes eca_public_key = 3;
+}
+
+// DICE layer evidence containing a certificate signed by the previous layer.
+message LayerEvidence {
+ // Layer name is unique per enclave application, but it’s not a globally unique identifier.
+ string layer_name = 1;
+
+ // Certificate signing current layer's measurements and the ECA key.
+ //
+ // Represented as a CBOR/COSE/CWT ECA certificate.
+ //
+ bytes eca_certificate = 2;
+}
+
+// Keys used by the application to derive encryption session keys and to sign arbitrary data.
+// Each of the certificates contains the final layer's measurement as additional claims.
+message ApplicationKeys {
+ // Certificate signing the encryption public key.
+ //
+ // Represented as a CBOR/COSE/CWT ECA certificate.
+ //
+ optional bytes encryption_public_key_certificate = 1;
+
+ // Certificate signing the signing public key.
+ //
+ // Represented as a CBOR/COSE/CWT ECA certificate.
+ //
+ optional bytes signing_public_key_certificate = 2;
+}
+
+// Attestation Evidence used by the client to the identity of firmware and software running inside a
+// Trusted Execution Environment.
+//
+// The name is chosen to match the RATS terminology:
+//
+message Evidence {
+ // Layer0 attestation evidence.
+ RootLayerEvidence root_layer_evidence = 1;
+
+ // Layer1..LayerN-1 attestation evidence.
+ repeated LayerEvidence layer_evidence = 2;
+
+ // Application keys signed by the penultimate layer’s ECA key.
+ //
+ // We are not signing these keys with the last layer's ECA key, because it's the application layer
+ // and the these keys are never shared with it.
+ // The last layer uses an API to the previous layer to:
+ // - Derive session keys from the encryption key
+ // - Sign arbitrary data with the signing key
+ optional ApplicationKeys application_keys = 3;
+}
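Review bot: The comment on `eca_public_key` ("signed by the Remote Attestation Report") does not say how the report binds the key, and an attestation report cannot sign arbitrary data; on SEV-SNP the usual binding is a hash of the key placed in the report's REPORT_DATA field, which the verifier must recompute from this field and compare, otherwise the key is unauthenticated (presumably that is what the generator does here, but which hash and which report field should be confirmed and written down). Suggested replacement: `// Serialised Layer0 ECA public key. The attestation report binds it by carrying its hash in the report's user-data field (REPORT_DATA on SEV-SNP); verifiers MUST recompute that hash and compare, the key is not otherwise authenticated.` Separately, `UNSPECIFIED`, `AMD_SEV_SNP` and `INTEL_TDX` are unprefixed enum values; C++ codegen scopes enum values at package level, so a second enum in `oak.remote_attestation.v1` with an `UNSPECIFIED` value would collide, and renaming to `TEE_PLATFORM_UNSPECIFIED` etc. is only cheap while the file is new. The `Evidence` doc comment also reads "used by the client to the identity" and is missing "verify".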