trustee icon indicating copy to clipboard operation
trustee copied to clipboard

Published 20 hours ago verified publisher icon confidential-containers

Verifier: Add IBM Secure Execution driver framework

Open huoqifeng opened this issue 11 months ago • 20 comments

Fixes: #342 This is kbs side code and related with PR: https://github.com/confidential-containers/guest-components/pull/492/ Depends on:

  • [x] https://github.com/virtee/kbs-types/issues/26

The IBM SE Remote Attestation flow:

image
  • The verifier generate the encrypted attestation-request based on hkd, CA, signing_key, a measurement key and a nonce, the encrypted data is protected by a symmetric attestation request protection key, which is encrypted using the Host-key document
  • Verifier sends the request to attester
  • Firmware on the Attester's system decrypts the request via private host-key and calculates the evidence based on the encrpted part of the request (Measurement key + nonce)
  • Attester send the evidence to verifier
  • Verifier recalculates the evidence based on the Configuration UID, Additional data, user-data, guest image hashes, and nonce. (its a HMAC-SHA512 with the measurement key as secret)
  • if both HMACs, the one from the Firmware and the calculated one from the verifier match -> attestation success

huoqifeng avatar Mar 06 '24 03:03 huoqifeng