trustee
trustee copied to clipboard
confidential-containers
[RFC] Runtime data spec
Background
Currently, in many scenarios the runtime data is used to bind some runtime data in Attestation report, for example
- KBS protocol concats tee-pubkey and nonce together and use its hash as report data
- @KB5201314 proposed to embed I/O information https://github.com/confidential-containers/confidential-containers/issues/176
- Data whose integrity needs to be protected in an evidence https://github.com/confidential-containers/kbs/pull/240#pullrequestreview-1759307066
The reason for using runtime data is to transmit the data generated or used by the TEE instance during its operation to external consumers through Attestation technology while ensuring integrity.
We can see that more and more information would be together be the so-called runtime data to bind with the TEE evidence. The simple approach we used before, s.t. naive concatenation and hash would be more difficult to process structured information and difficult to generalize. Thus we propose the specification of runtime data.
The design goal of the runtime data spec is to standardize the runtime data format, calculation digest algorithm and usage process for different types of confidential computing TEE, and provide the best practical.
Runtime Data Spec
Report data support
Currently almost all TEE platforms support report data mechanism. https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/attester/src/lib.rs#L61
| Platform | Field name |
|---|---|
| SGX/TDX | REPORTDATA (64bytes) |
| SNP | report_datat(64bytes) |
| CCA | cca-realm-challenge(64bytes) |
| CSV | user_data(64bytes) |
Usage of the Runtime Data
- TEE instance builds runtime data at runtime and calculate runtime data digest.
- TEE instance calls API driver to get attestation report using the runtime data digest as report data.
- TEE instance initiates the RA process, and the Attestation Verifier calculates the digest of the runtime data and verifies whether it is consistent with the runtime data digest field in the evidence.
Runtime data spec
{
"version": a string, specifies version of the runtime data,
"alg": a string, hash algorithm to calculate the runtime data digest,
"data": an JSON object, including compound data,
"digest": a string, digest of "data" in hex derived using "alg"
}
Runtime data digest calculation
Rearrange each layer of the data JSON object in dictionary order by key, then serialize and output it into a compact string, and perform hash calculation on the whole.
The rearrange is important. It can ensure the hash inputs are the same.
How to deliver runtime data
This spec does not define this.
Examples
Usage in KBS protocol
Current RCAR protocol defines the following Attestation request.
{
/*
* A JWK-formatted public key, generated by the KBC running in the HW-TEE.
* It is valid until the next time an attestation is required. Its hash must
* be included in the HW-TEE evidence and signed by the HW-TEE hardware.
*/
"tee-pubkey": $pubkey
/* The attestation evidence. Its format is specified by Attestation-Service. */
"tee-evidence": {}
}
A typical tdx Attestation request looks like
{
"tee-pubkey": "AAAAA",
"tee-evidence": {
"cc_eventlog": "AAAAA",
"quote": "BAAC"
}
}
After applying runtime data spec, it would be
{
"evidence": {
"cc_eventlog": "AAAAA",
"quote": "BAAC"
},
"runtime-data": {
"version": "v0.1.0",
"alg": "sha384",
"data": {
"tee-pubkey": "AAAAA",
"nonce": "AAAAA",
},
"digest": "0a96dc5bbf0b6c0e0db6c83db8f59013e9817ecf47c1c5bf8c1c17e7e3831d00d7180d32f2294ce22a4ba0b39fbf3fbe"
}
}
The digest is calculated by sha384 the string {"nonce":"AAAAA","tee-pubkey":"AAAAA"}.
