AA: Expand AA APIs to support CC trusted APIs #566
Comments
|
Hi, so the whole flow might look like below: cc-api --> grpc/ttrpc (attestation agent api layer one) --> http/https/restful api (attestation agent api layer two), then attestation agent api --> remote (in docker)/local(local binary) attestation service In terms of interfaces, three interfaces are exposed to remote (in docker)/local(local binary) attestation service, 1. get eventlog; 2. get quote; 3, get measurement ; and maybe 4. get report, which equals get quote + replay&verify |
|
I'm not sure I totally understand the proposal. Is the idea to have the AA expose this API to workload containers? That might be a non-starter. We need to be very careful about exposing evidence to containers, which aren't necessarily measured. It can be dangerous to expose valid hw evidence to unknown workloads, especially if the evidence is relatively generic. The pattern for exposing the guest components to the workloads is to use the ASR. I'm not sure how that squares with this. Note that we already have an endpoint to expose attestation reports with this pattern. It is disabled by default. For platforms that support runtime measurement, the report usually contains these fields. Can you be more clear about what we are missing that this proposal would enable? Btw it doesn't seem like this API has been very widely adopted. |
In our proposal, the AA will use the CC Trusted API and the AA can decide what should be exposed to containers. Could you please share what dangerous of hw evidence. Actually, workload can get all of these evidence without this API with proper permission. The evidences include launch time and runtime in a trusted chain according to TCG (Trusted Computing Group)'s requirement.
What is ASR? (Sorry I did not find it in AA code, could you please share a little more)? We will not change any existing pattern, CC trusted API just to expose evidence by following existing AA pattern.
This proposal is used to expose the launch + runtime evidences (aka event log) in unified API and follow TCG (Trust Computing Group) industrial standard. So it can simplify the AA to handle evidence collection and format like (PCClient/Canonical) on different TEEs and vTPM, like CCEL event log or TPM2 event log.
The APIs has been discussed in latest CCC attestation SIG meeting, (xiaosheng shared the video link), and the slide can be found https://github.com/CCC-Attestation/meetings/blob/main/materials/KenLu_CC_API.pdf |
Hello,
Confidential Computing (CC) API group defines unified and vendor agnostic and Trusted Computing Group (TCG) compliant CC trusted APIs, like Intel TDX, AMD SEV SNP, TPM, etc. It helps the diverse applications to access and process the trust states which were represented by integrity measurement, event record, and report/quote in the confidential computing environment.
The key CC trusted APIs include:
More information on these functions can be found here: https://github.com/cc-api/cc-trusted-api/blob/main/common/rust/cctrusted_base/src/api.rs
With these common APIs, the workload can easily get the measurements directly in a common interface in each kind of TEE, furthermore, within an Integrity Measurement Architecture (IMA) enabled system, the measurement can be used as evidence of a trusted chain for all applications. More information can be found in CCC Attestation SIG presentation or CCC TAG presentation.
AA has attestation interfaces for getting evidence, tokens, etc. CC APIs can be added as a trait in the same level as Attestation APIs, here is a proposal to expand AA APIs to support CC trusted APIs.
Comments are welcome!
The text was updated successfully, but these errors were encountered: