virtee / kbs-types Goto Github PK
View Code? Open in Web Editor NEWRust (de)serializable types for KBS
License: Apache License 2.0
Rust (de)serializable types for KBS
License: Apache License 2.0
Version 0.5.3 includes a commit bumping the version of sev
from 1.x
to 2.x
. Since those two versions of that crate are not compatible, users consuming both crates (which should be pretty common) will get a broken build after updating from 0.5.2
to 0.5.3
(which may happen automatically). I'd suggest reverting this release and making it a 0.6.0
instead.
Example how to request the attestation
With the changes introduced with 8d3a0, 46b82, and ac893, it would probably be a good idea to cut a release, as they introduce breaking changes to an enum.
I was wondering if I could raise a PR to add a new TEE type named Se
like #20, even if the TEE is not specified at https://virtee.io/.
@slp I figured we could take this discussion here while I work on the SEV-SNP KBS implementation.
If we look here at AMD's attestation notes, We see that in order for a SEV-SNP guest to attest correctly, all we really need is:
The document also mentions "The hash of the public keys included in the attestation report matches the expected value." I would assume by "the public keys" it is speaking of the ID key digest and Author key digest?
If so, I am proposing the following protocol for SEV-SNP attestation:
1. Register certificate chain, ID key, and Author key for a specific workload.
1. -> POST /kbs/v0/auth [Payload: Request]
SNP_LAUNCH_FINISH
, and is described by the AMD firmware spec as the following: Opaque host-supplied data to describe the guest. The firmware does not interpret this value
. Could the identifier be the workload_id provided on register_workload?2. <- Response [Set-Cookie: <session-id>] [Payload: Challenge]
The Challenge to the SEV-SNP would require the following:
With all of this information, the server will be able to fully attest the integrity of the system.
3. -> POST /kbs/v0/attest [Cookie: <session-id>] [Payload: Attestation]
The Payload here would contain the Signature, ID key digest, and Author key digest for the server to attest.
4. <- Response [Set-Cookie: <session-id>]
Depending on the results here, the server would then be able to obtain the key from the server via the resource access phase.
What do you think about this design?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.