ccc-certifier-framework / certifier-framework-for-confidential-computing

The Confidential Computing Certifier Framework consists of a client API called the Certifier-API and server-based policy evaluation called the Certifier Service. It simplifies and unifies programming and operations support for multi-vendor Confidential Computing platforms by providing support for scalable, policy-driven trust management including
Apache License 2.0

Sgx properties #229

Closed jlmucb closed 11 months ago

jlmucb commented 1 year ago

This adds platform property verification to Gramine enclaves.

This puts SGX on parity with SEV.

yelvmw commented 1 year ago

It looks like you decided to logically separate Gramine with and without platform evidence. This might be a simplification for now. But the result is that we either have to have platform properties in the policy or not. I don't think this is the right way to go. The choice should be handled based on whether platform properties are present in the policies, and this alone.

The current code will fail if I don't supply any platform properties. Additionally, I think we might have a bug in constructing the platform properties. If we remove a property from the policy (e.g., remove qeSVN, which should be valid), the verification should just treat it as if the specific property does not matter. However, the current code fails the verification. I'll dig deeper to see what went wrong.
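The matching rule the review asks for (a property named in the policy must be satisfied by the platform evidence; a property absent from the policy is a don't-care, so dropping qeSVN must not fail verification), as an added C++ illustration that is not the Certifier Framework's own code. The `Requirement` struct, the comparator set (`=` and `>=`) and the evidence values are assumptions made for the example.

```cpp
#include <map>
#include <string>

// Hypothetical policy property: a comparator ("=" or ">=") and the required value.
struct Requirement {
    std::string op;
    long value;
};

using Policy = std::map<std::string, Requirement>;
using Evidence = std::map<std::string, long>;

// Returns true when every property the policy names is present in the evidence
// and satisfies its comparator. Properties the policy does not mention are
// ignored, so removing qeSVN from the policy widens what is accepted rather
// than breaking verification. Unknown comparators fail closed.
bool platform_properties_satisfied(const Policy& policy, const Evidence& evidence) {
    for (const auto& kv : policy) {
        const std::string& name = kv.first;
        const Requirement& req = kv.second;
        auto it = evidence.find(name);
        if (it == evidence.end()) return false;  // policy demands something the platform did not report
        if (req.op == "=") {
            if (it->second != req.value) return false;
        } else if (req.op == ">=") {
            if (it->second < req.value) return false;
        } else {
            return false;  // unsupported comparator: refuse rather than accept
        }
    }
    return true;
}

// Constructed evidence in the shape an SGX/Gramine attestation might yield (values made up).
Evidence sample_evidence() {
    return {{"qeSVN", 8}, {"pceSVN", 13}, {"debug", 0}};
}

int main() {
    Policy full = {{"qeSVN", {">=", 5}}, {"pceSVN", {">=", 13}}, {"debug", {"=", 0}}};
    Policy without_qesvn = {{"pceSVN", {">=", 13}}, {"debug", {"=", 0}}};  // qeSVN omitted: still passes
    Policy stale = {{"qeSVN", {">=", 9}}};                                  // evidence too old: fails
    bool ok = platform_properties_satisfied(full, sample_evidence()) &&
              platform_properties_satisfied(without_qesvn, sample_evidence()) &&
              !platform_properties_satisfied(stale, sample_evidence());
    return ok ? 0 : 1;
}
```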