diff --git a/doc/Architecture.md b/doc/Architecture.md index 65355290..6f4a61cc 100644 --- a/doc/Architecture.md +++ b/doc/Architecture.md @@ -65,6 +65,12 @@ The *snpdriver* interfaces with the AMD SEV-SNP SP. It retrieves SNP measurement an SNP attestation report as well as the certificate chain for this attestation report from the respective AMD servers. Currently, it can only act as *Measurement* interface. +__sgxdriver:__ +The *sgxdriver* interfaces with the Intel SGX CPU. It retrieves SGX measurements in the form of an SGX attestation report signed by the SGX quoting enclave. It implements a small caching mechanism to fetch and store the certificate chain used for report verification from the Intel SGX API. Currently, the driver only acts as a *Measurement* interface. + +__tdxdriver:__ +*Will be implemented as soon as Intel TDX hardware is available.* + __swdriver:__ The *swdriver* simply creates keys in software for testing purposes and can be used as *Signer* interface. **Note**: This should mainly be used for testing purposes. diff --git a/doc/architecture.drawio b/doc/architecture.drawio index 3c265bf6..0601147c 100644 --- a/doc/architecture.drawio +++ b/doc/architecture.drawio @@ -1 +1,139 @@ -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 \ No newline at end of file + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/doc/architecture.drawio.svg b/doc/architecture.drawio.svg index 197e804b..73b8807b 100644 --- a/doc/architecture.drawio.svg +++ b/doc/architecture.drawio.svg @@ -1,4 +1,4 @@ - + -
Generate(), Sign(), Verify()
Generate(), Sign(), Verify()
cmcd
cmcd
/dev/sev-guest
/dev/sev-guest
SNP driver
SNP driver
Software driver
Software driv...
/dev/tpm0
/dev/tpm0
TPM driver
TPM driver
One or multiple drivers can be used at once
One or multiple drivers can be...
aTLS
aTLS
testtool (client)
testtool (client)
testtool (server)
testtool (server)
CMC Interface (gRPC)
CMC Interface (gRPC)
Daemon reachable to attesting / verifying components
Daemon reachable to attesting...
Example application making use of the cmcd
Example application making us...
Measurer and/or
Signer Interface (golang)
Measurer and/or...
attestationreport
attestationreport
Software Component
Software Component
golang Package
golang Package
TPM
TPM
AMD PSP
AMD PSP
Trusted Firm- and Hardware
Trusted Firm- and Hardware
Package for generating and verifying attestation reports
Package for generating and ve...
Example of provided Hardware
Example of provided Hardware
Text is not SVG - cannot display
\ No newline at end of file +
Generate(), Sign(), Verify()
cmcd
/dev/sev-guest
SNP driver
SGX driver
/dev/tpm0
TPM driver
One or multiple drivers can be used at once
aTLS
testtool (client)
testtool (server)
CMC Interface (gRPC)
Daemon reachable to attesting / verifying components
Example application making use of the cmcd
Measurer and/or
Signer Interface (golang)
attestationreport
Software Component
golang Package
TPM
AMD PSP
Trusted Firm- and Hardware
Package for generating and verifying attestation reports
Example of provided Hardware
Intel SGX CPU
Software driver
\ No newline at end of file diff --git a/doc/attestation_report.drawio b/doc/attestation_report.drawio index 01bfb5cc..a908566d 100644 --- a/doc/attestation_report.drawio +++ b/doc/attestation_report.drawio @@ -1 +1,629 @@ -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 \ No newline at end of file + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/doc/attestation_report.drawio.svg b/doc/attestation_report.drawio.svg index d3c53e69..0beeaccb 100644 --- a/doc/attestation_report.drawio.svg +++ b/doc/attestation_report.drawio.svg 
@@ -1,4 +1,4 @@ - + -App ManifestType: App ManifestName (unique)VersionOSs (list)Reference Values (list)...App DescriptionType: App DescriptionName (unique)App Manifest...Device DescriptionType: Device DescriptionFQDN (unique)App Descriptions (list)OS ManifestRTM Manifest...Attestation ReportType: Attestation ReportVersion (of AR Scheme)Measurements (list)RTM ManifestOS ManifestApp Manifests (list)Device Description...Software Reference ValueType: SW Reference ValueNameSHA-512TPM MeasurementType: TPM MeasurementTPM Quote [Nonce, ...]Hash Chain (list)Certificate ChainSoftware MeasurementType: SW MeasurementNameSHA-512RTM ManifestType: RTM ManifestName (unique)VersionReference Values (list)...OS ManifestType: OS ManifestName (unique)VersionRTMs (list)Reference Values (list)...
Following block
directly integrated
Following...
Hash ChainType: Hash ChainPCR (int)SHA256 (list)
Link to the following block
through unique name
Link to the following b...
SNP MeasurementType: SNP MeasurementSNP Report [Nonce, ...]Certificate ChainIAS MeasurementType: IAS MeasurementIAT [Nonce, ...]Certificate ChainSNP Reference ValueType: SNP Reference ValueNameSHA-384SNP MetadataTPM Reference ValueType: TPM Reference ValueNameSHA-256PCR (int)
signed by operator and
possibly certifiers
signed by operator and...
Signed by the HW Trust Anchor, generated at runtime
Signed by the HW Trust Anc...
Signed by the device, generated at runtime
Signed by the device...
Signed by software provider and possibly certifiers
Signed by software provide...
Explanation of Graphical Elements
Explanation of Graphical Elements
Text is not SVG - cannot display
\ No newline at end of file +App ManifestType: App ManifestName (unique)VersionOSs (list)Reference Values (list)...App DescriptionType: App DescriptionName (unique)App Manifest...Device DescriptionType: Device DescriptionFQDN (unique)App Descriptions (list)OS ManifestRTM Manifest...Attestation ReportType: Attestation ReportVersion (of AR Scheme)Measurements (list)RTM ManifestOS ManifestApp Manifests (list)Device Description...Software Reference ValueType: SW Reference ValueNameSHA-512TPM MeasurementType: TPM MeasurementTPM Quote [Nonce, ...]Hash Chain (list)Certificate ChainSoftware MeasurementType: SW MeasurementNameSHA-512RTM ManifestType: RTM ManifestName (unique)VersionReference Values (list)...OS ManifestType: OS ManifestName (unique)VersionRTMs (list)Reference Values (list)...
Following block
directly integrated
Hash ChainType: Hash ChainPCR (int)SHA256 (list)
Link to the following block
through unique name
SNP MeasurementType: SNP MeasurementSNP Report [Nonce, ...]Certificate ChainIAS MeasurementType: IAS MeasurementIAT [Nonce, ...]Certificate ChainSNP Reference ValueType: SNP Reference ValueNameSHA-384SNP MetadataTPM Reference ValueType: TPM Reference ValueNameSHA-256PCR (int)
signed by operator and
possibly certifiers
Signed by the HW Trust Anchor, generated at runtime
Signed by the device, generated at runtime
Signed by software provider and possibly certifiers
Explanation of Graphical Elements
SGX MeasurementType: SGX MeasurementSGX Report [Nonce, ...]Certificate ChainSGX Reference ValueType: SGX Reference ValueNameSHA-256SGX MetadataTDX Reference ValueType: TDX Reference ValueNameSHA-384TDX MetadataTDX MeasurementType: TDX MeasurementTDX Report [Nonce, ...]Certificate Chain
\ No newline at end of file diff --git a/doc/build.md b/doc/build.md index 6edaae13..a191aa75 100644 --- a/doc/build.md +++ b/doc/build.md @@ -77,4 +77,19 @@ go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.28 go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.2 cd grpcapi/ make -``` \ No newline at end of file +``` + +### SGX Build + +The SGX integration is build on top of the [EGo Framework](https://github.com/edgelesssys/ego) for the development of confidential apps in Go. +Since SGX enclaves are designed to execute only one process inside an isolated environment, the libapi implementation has to be used for the generation and verification of attestation reports. + +Once you have developed your application and integrated the cmc library following the instructions provided in the [integration documentation](integration.md), compile, sign and run it like this: +``` +CGO_CFLAGS=-D_FORTIFY_SOURCE=0 ego-go build && ego sign testtool +ego run testtool +``` + +Additional information for the enclave such as heapSize, mount points, security version (ISV SVN) and enclave product ID (ISV Prod ID) can be specified in the enclave.json file. + +See https://docs.edgeless.systems/ego/reference/config for more information. diff --git a/doc/manual-setup.md b/doc/manual-setup.md index fd8c72e4..a212582d 100644 --- a/doc/manual-setup.md +++ b/doc/manual-setup.md 
@@ -149,7 +149,10 @@ tbd ##### Intel SGX Reference Values -tbs +The reference values for Intel SGX consist of a fingerprint of the Intel Root CA certificate, the TCB Info and QE Identity structures, the enclave product ID (ISV Prod ID), the security version of the enclave (ISVSVN), expected enclave attributes (e.g. DEBUG, Mode64Bit, etc.), a hash of the enclave measurement (MRENCLAVE) and a hash of the enclave signing key (MRSIGNER). + +The Root CA certificate, TCB Info and QE Identity structures can be retrieved from the [Intel API](https://api.portal.trustedservices.intel.com/content/documentation.html). ISV SVN and ISV Prod ID are assigned by the enclave author. The EGo framework sets these values to 1 by default. +The MRENCLAVE and MRSIGNER values for an enclave can be retrieved via the EGo CLI tool with the commands ```ego uniqueid $ENCLAVE_PROGRAM``` and ```ego signerid $ENCLAVE_PROGRAM```. ### 4. Sign the metadata diff --git a/doc/overview.drawio b/doc/overview.drawio index bab21c86..959a408e 100644 --- a/doc/overview.drawio +++ b/doc/overview.drawio @@ -1 +1,177 @@ -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 \ No newline at end of file + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/doc/overview.drawio.svg b/doc/overview.drawio.svg index 1769c929..8d27fc6a 100644 --- a/doc/overview.drawio.svg +++ b/doc/overview.drawio.svg @@ -1,4 +1,4 @@ - + -
cmcd
cmcd
SNP driver
SNP driver
Software driver
Software driv...
TPM driver
TPM driver
One or multiple drivers can be used at once
One or multiple drivers can be...
aTLS
aTLS
testtool (client)
testtool (client)
testtool (server)
testtool (server)
Daemon reachable to attesting / verifying components
Daemon reachable to attesting...
Example application making use of the cmcd
Example application making us...
attestationreport
attestationreport
Software Component
Software Component
golang Package
golang Package
TPM
TPM
AMD PSP
AMD PSP
Trusted Firm- and Hardware
Trusted Firm- and Hardware
Package for generating and verifying attestation reports
Package for generating and ve...
Example of provided Hardware
Example of provided Hardware
Optional Communication
Optional Communication
Line of Communication
Line of Communication
Text is not SVG - cannot display
\ No newline at end of file +
cmcd
SNP driver
SGX driver
Software driver
One or multiple drivers can be used at once
aTLS
testtool (client)
testtool (server)
Daemon reachable to attesting / verifying components
Example application making use of the cmcd
attestationreport
Software Component
golang Package
TPM
AMD PSP
Trusted Firm- and Hardware
Package for generating and verifying attestation reports
Example of provided Hardware
Optional Communication
Line of Communication
Intel SGX CPU
TPM driver
\ No newline at end of file diff --git a/doc/sgx-reference-value.drawio b/doc/sgx-reference-value.drawio new file mode 100644 index 00000000..b9c9a099 --- /dev/null +++ b/doc/sgx-reference-value.drawio @@ -0,0 +1,111 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/doc/sgx-reference-value.drawio.svg b/doc/sgx-reference-value.drawio.svg new file mode 100644 index 00000000..4924a1bb --- /dev/null +++ b/doc/sgx-reference-value.drawio.svg @@ -0,0 +1,4 @@ + + + +SGX Reference ValueType: SGX Reference ValueNameSHA-256SGX MetadataSGX MetadataVersionCollateralCA FingerprintISV Prod IDMRSIGNERISV SVNAttributesIntel CollateralTEE TypeTCB InfoTCB Info SizeQE IdentityQE Identity SizeSGX AttributesInnitedDebugMode 64 BitProvision KeyEnclave Init TokenKSSLegacyAVX \ No newline at end of file
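
Review bot: In doc/Architecture.md, the new sgxdriver paragraph mentions "a small caching mechanism to fetch and store the certificate chain" but does not say where the cache is kept, when cached entries are refreshed, or whether a cached chain is validated again before it is used for report verification. Report verification rests on that chain, so please document these points or link to the code that defines them. The tdxdriver entry directly below is only a placeholder; consider marking it as planned rather than listing it alongside the implemented drivers.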
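
Review bot: In doc/attestation_report.drawio.svg, the added diagram text contains "TDX Measurement" and "TDX Reference Value" blocks, while doc/Architecture.md in the same patch says the tdxdriver "Will be implemented as soon as Intel TDX hardware is available." Please mark the TDX blocks as planned in the diagram, or leave them out until the driver exists, so readers do not assume TDX reports can already be generated and verified.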
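
Review bot: In doc/build.md, the build command in the new "SGX Build" section sets CGO_CFLAGS=-D_FORTIFY_SOURCE=0 without any explanation. That define switches off a compiler hardening feature for the C code built through cgo, so the text should say why the EGo build needs it. The section also does not say which key "ego sign testtool" signs with, although doc/manual-setup.md in this patch describes MRSIGNER as a hash of the enclave signing key; a sentence on key handling would connect the two. Smaller points: "is build on top" should read "is built on top", and the bare docs.edgeless.systems URL could be a Markdown link like the EGo link above it.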
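
Review bot: In doc/manual-setup.md, the new "Intel SGX Reference Values" text lists DEBUG among the expected enclave attributes but never states which value a production reference value should require; please say so explicitly. It would also help to state how the fingerprint of the Intel Root CA certificate is computed (hash algorithm and encoding), and whether operators are expected to override the EGo defaults of 1 for ISV SVN and ISV Prod ID before generating reference values. Style: the paragraph uses both "ISVSVN" and "ISV SVN", and the two ego commands are wrapped in triple backticks inline where single backticks are the usual form for inline code.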
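
Review bot: In doc/sgx-reference-value.drawio.svg, the SGX Attributes list contains "Innited", which looks like a typo (probably "Initted"); please fix it in doc/sgx-reference-value.drawio and re-export the SVG. The SGX Metadata block lists MRSIGNER but not MRENCLAVE, while doc/manual-setup.md names both as part of the reference values; if MRENCLAVE is what the SHA-256 field of the SGX Reference Value carries, label the field accordingly in the diagram.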