Open jialez0 opened 9 months ago
This looks good. The layout looks similar to the InitData proposal. Do you think it would make any sense to use the same format for both?
Thanks a lot for triggering this proposal! I have two opens:
The digest is calculated by sha384 the string {"nonce":"AAAAA","tee-pubkey":"AAAAA"}.
What would be the way to express hash("AAAAA" || "AAAAA") instead?
Background
Currently, in many scenarios, runtime data is bound into the attestation report, for example
The purpose of runtime data is to transmit data generated or used by the TEE instance during its operation to external consumers through attestation, with its integrity guaranteed by the report.
More and more pieces of information are being combined into the so-called runtime data that is bound to the TEE evidence. The simple approach used before, i.e. naive concatenation followed by a hash, is harder to apply to structured information and hard to generalize. Thus we propose a specification for runtime data.
The design goal of the runtime data spec is to standardize the runtime data format, the digest calculation algorithm and the usage process across different types of confidential computing TEEs, and to provide best practices.
Runtime Data Spec
Report data support
Currently almost all TEE platforms support a report data mechanism; see https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/attester/src/lib.rs#L61
Usage of the Runtime Data
Runtime data spec
Runtime data digest calculation
Rearrange each layer of the data JSON object in dictionary order by key, then serialize it into a compact string (no insignificant whitespace), and compute the hash over the whole string.
The rearrangement is important: it guarantees that the same data always produces the same hash input, regardless of the order in which the keys were emitted.
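As an added example (not code from this proposal or from guest-components), the digest procedure above in Python: keys are sorted recursively at every layer, the result is serialized compactly, and SHA-384 is taken over the string, so two emissions of the same runtime data with different key order yield one digest. The zero-padding helper and its 64-byte field size are assumptions, since the spec here defines neither.

```python
import hashlib
import json
from typing import Any


def canonicalize(obj: Any) -> Any:
    """Rearrange every layer of a JSON object in dictionary order by key.

    Arrays have no keys, so their element order is preserved; only the
    elements themselves are canonicalized recursively.
    """
    if isinstance(obj, dict):
        return {key: canonicalize(obj[key]) for key in sorted(obj)}
    if isinstance(obj, list):
        return [canonicalize(item) for item in obj]
    return obj


def compact_serialize(obj: Any) -> str:
    """Serialize the canonicalized object as a compact string.

    separators=(",", ":") drops the whitespace json.dumps would otherwise
    insert after ',' and ':'. ensure_ascii=False is an assumption: the spec
    does not say whether non-ASCII text is escaped, so it is emitted as-is.
    """
    return json.dumps(canonicalize(obj), separators=(",", ":"), ensure_ascii=False)


def runtime_data_digest(obj: Any) -> bytes:
    """SHA-384 over the compact canonical serialization (48 bytes)."""
    return hashlib.sha384(compact_serialize(obj).encode("utf-8")).digest()


def report_data_from_digest(digest: bytes, field_len: int = 64) -> bytes:
    """Right-pad the digest with zeros to the platform's report data field.

    Assumption: a 64-byte field (the size of TDX REPORTDATA and SGX report
    data); the spec on this page does not define the padding rule.
    """
    if len(digest) > field_len:
        raise ValueError("digest does not fit the report data field")
    return digest + b"\x00" * (field_len - len(digest))


# Constructed sample: the same runtime data emitted with keys in two orders.
RUNTIME_DATA_A = {"tee-pubkey": "AAAAA", "nonce": "AAAAA"}
RUNTIME_DATA_B = json.loads('{\n  "nonce": "AAAAA",\n  "tee-pubkey": "AAAAA"\n}')

if __name__ == "__main__":
    print(compact_serialize(RUNTIME_DATA_A))
    print(runtime_data_digest(RUNTIME_DATA_A) == runtime_data_digest(RUNTIME_DATA_B))
```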
How to deliver runtime data
This spec does not define this.
Examples
Usage in KBS protocol
The current RCAR protocol defines the following Attestation request.
A typical TDX Attestation request looks like
After applying the runtime data spec, it would be
The digest is calculated as the SHA-384 of the string {"nonce":"AAAAA","tee-pubkey":"AAAAA"}.