doc: Updated documentation
Signed-off-by: Simon Ott <[email protected]>
smo4201 committed Jan 8, 2024
1 parent 2ee0311 commit 6bf71f6
Showing 2 changed files with 23 additions and 4 deletions.
2 changes: 1 addition & 1 deletion README.md
@@ -17,7 +17,7 @@ on a set of trusted CAs and signed metadata describing the software stack.
## Prerequisites

- A Linux platform
- For TPM attestation, access to ```/dev/tpm0```.
- For TPM attestation, access to `/dev/tpm0`.
- For AMD SEV-SNP an SNP-capable AMD server
- Building the *cmcd* requires *go* (https://golang.org/doc/install)

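Review bot: The change from ```/dev/tpm0``` to `/dev/tpm0` is purely cosmetic (GitHub renders both as inline code), so the hunk is fine as-is; what the prerequisite still does not say is what "access" means in practice, i.e. that the user the *cmcd* runs as needs read/write permission on the device node, which is what a reader setting up TPM attestation actually needs to know. Consider something like "- For TPM attestation, read/write access to `/dev/tpm0` for the user running the *cmcd*".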
25 changes: 22 additions & 3 deletions doc/configuration.md
@@ -33,7 +33,7 @@ RSA4096, EC256, EC384, EC521
`Unix Domain Sockets`
- **logLevel**: The logging level. Possible are trace, debug, info, warn, and error.
- **cache** : An optional folder the *cmcd* uses to cache retrieved metadata. If one or multiple
locations specified via **metadata** cannot be fetched, the *cmcd** additionally uses this cache.
locations specified via **metadata** cannot be fetched, the *cmcd* additionally uses this cache.
File are stored by their sha256 hash as a filename and in case of duplicates, always the newest
version of a metadata item is chosen
- **storage**: An optional local storage path. If provided, the *cmcd* uses this path to store
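Review bot: The stray-asterisk fix in the **cache** entry is correct, but the same paragraph keeps two other defects visible in the context lines: "File are stored by their sha256 hash" should read "Files are stored by their sha256 hash", and the final sentence ("version of a metadata item is chosen") has no terminating period. Since this paragraph is copied verbatim into the new testtool section further down in this commit, both should be fixed here so the copy does not inherit them.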
@@ -45,7 +45,7 @@ internal data such as downloaded certificates or created key handles
- **signingKey**: The private key of the CA used to sign the device certificates.
- **signingCerts**: The certificate chain of the CA used to sign the device certificates.
- **httpFolder**: The root folder containing metadata (manifests and descriptions) that is served
by the provisioning server to be fetched by the `cmcd`
by the provisioning server to be fetched by the *cmcd*
- **verifyEkCert**: Boolean, specifies if the EK certificate chain should be validated via the
**tpmEkCertDb**
- **tpmEkCertDb**: SQLite database containing intermediate CA and CA certificates from the TPM
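Review bot: Beyond the `cmcd` to *cmcd* formatting fix, the **verifyEkCert** entry should state its default and spell out the consequence of setting it to false: with validation disabled, the EK certificate chain is not checked against the CA certificates in **tpmEkCertDb**, so the provisioning server has no basis for tying the EK to a known TPM CA before it issues a device certificate. A one-sentence warning on that line would keep operators from switching it off in production without realising what they give up.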
@@ -73,13 +73,32 @@ from (mode verify)
- **ca**: The trust anchor CA(s)
- **policies**: Optional policies files
- **mtls**: Perform mutual TLS in mode dial and listen
- **api**: Selects whether to use the `grpc`, `coap`, or `socket` API
- **api**: Selects whether to use the `grpc`, `coap`, `socket` or `lib` API
- **network**: Only relevant for the `socket` API, selects whether to use `TCP` or
`Unix Domain Sockets`
- **logLevel**: The logging level. Possible are trace, debug, info, warn, and error.
- **interval**: Interval at which dial will be executed. If set to `0s` or less, then dial will only execute once.
The interval format has to be in accordance with the input format of Go's
[`time.Duration`](https://pkg.go.dev/time#ParseDuration).
- **publish**: Optional HTTP address to publish attestation results to

Further configuration options are only relevant if the testtool is operated with the `lib` API,
i.e., standalone without the *cmcd* running as a separate binary:

- **cache** : An optional folder the *cmcd* uses to cache retrieved metadata. If one or multiple
locations specified via **metadata** cannot be fetched, the *cmcd* additionally uses this cache.
File are stored by their sha256 hash as a filename and in case of duplicates, always the newest
version of a metadata item is chosen
- **storage**: An optional local storage path. If provided, the *cmcd* uses this path to store
internal data such as downloaded certificates or created key handles
- **drivers**: Tells the *cmcd* prover which drivers to use, currently
supported are `TPM`, `SNP`, and `SW`. If multiple drivers are used for measurements, always the
first provided driver is used for signing operations
- **metadata**: A list of locations to fetch metadata from. This can be local files, e.g.,
`file://manifest.json`, local folders, e.g., `file:///var/metadata/`, or remote HTTPS URLs,
e.g., `https://localhost:9000/metadata`
- **provServerAddr**: The URL of the provisioning server. The server issues certificates for the
TPM or software keys. In case of the TPM, the TPM *Credential Activation* process is performed.

**The testtool can run the following commands/modes:**
- **cacerts**: Retrieves the CA certificates from the EST server
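Review bot: The new section is introduced as "only relevant if the testtool is operated with the `lib` API, i.e., standalone without the *cmcd*", yet every entry that follows is still worded in terms of the *cmcd* ("An optional folder the *cmcd* uses", "the *cmcd* additionally uses this cache", "Tells the *cmcd* prover which drivers to use"), which contradicts the introducing sentence; in `lib` mode it is the testtool that consumes these options, so the entries should say so (e.g. "An optional folder the testtool uses to cache retrieved metadata"). The pasted text also carries over the "File are stored" typo and the missing period from the cmcd section. Finally, the **api** line now lists `lib`, but nothing states whether **mtls** and **network** are ignored in that mode; a short sentence next to **api** would avoid guesswork.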
