By adding runtime data to the appraisal request and having the reportdata
correctly hashed in the quote, ITA returns it back in the token claims
under attester_runtime_data.
For this to work, the Kata rootfs must be built with a modified
guest-components with sha512 hashing:
--- a/attestation-agent/kbs_protocol/src/client/rcar_client.rs
+++ b/attestation-agent/kbs_protocol/src/client/rcar_client.rs
@@ -13,7 +13,7 @@ use log::{debug, warn};
use resource_uri::ResourceUri;
use serde::Deserialize;
use serde_json::json;
-use sha2::{Digest, Sha384};
+use sha2::{Digest, Sha512};
use crate::{
api::KbsClientCapabilities,
@@ -189,7 +189,7 @@ impl KbsClient<Box<dyn EvidenceProvider>> {
nonce: String,
) -> Result<String> {
debug!("Challenge nonce: {nonce}");
- let mut hasher = Sha384::new();
+ let mut hasher = Sha512::new();
hasher.update(runtime_data);
let ehd = match tee {
Otherwise, ITA responds 400 / bad request.
This change is still safe because ITA AS with KBS get-resource isn't working without this either.
Closes: #151
By adding runtime data to the appraisal request and having the reportdata correctly hashed in the quote, ITA returns it back in the token claims under attester_runtime_data.
For this to work, the Kata rootfs must be built with a modified guest-components with sha512 hashing:
Otherwise, ITA responds 400 / bad request.
This change is still safe because ITA AS with KBS get-resource isn't working without this either.