File: attest.go

golang-github-containers-buildah 1.39.3%2Bds1-1
package types

// RegistrationRequest is the body of the request which we use for registering
// this confidential workload with the attestation server.
// https://github.com/virtee/reference-kbs/blob/10b2a4c0f8caf78a077210b172863bbae54f66aa/src/main.rs#L83
//
// All four fields are plain strings and are serialized under the JSON keys
// "workload_id", "launch_measurement", "passphrase" and "tee_config".
//
// Passphrase is a secret that travels in the request body. Do not log this
// struct or print it with %v/%+v, and send the encoded request only over an
// authenticated, encrypted connection to the attestation server.
// NOTE(review): presumably the server hands the passphrase back only to a
// guest whose measurement matches LaunchMeasurement; confirm against the
// server implementation linked above.
//
// This type does not fix the string encoding of LaunchMeasurement, and it
// does not validate TeeConfig; callers are responsible for both.
type RegistrationRequest struct {
	WorkloadID        string `json:"workload_id"`
	LaunchMeasurement string `json:"launch_measurement"`
	Passphrase        string `json:"passphrase"`
	TeeConfig         string `json:"tee_config"` // JSON-encoded teeConfig? or specific to the type of TEE?
}

// TeeConfig contains information about a trusted execution environment.
//
// It is encoded as a JSON object with the keys "flags" and "minfw". The
// struct does not record which kind of TEE the flag bits belong to, and the
// SEV_CONFIG_* and SNP_CONFIG_* constants in this file reuse the same bit
// values, so whoever reads a TeeConfig has to learn the TEE type from
// somewhere else before interpreting Flags.
type TeeConfig struct {
	Flags TeeConfigFlags `json:"flags"` // runtime requirement bits
	MinFW TeeConfigMinFW `json:"minfw"` // minimum platform firmware version
}

// TeeConfigFlags is a bit field containing policy flags specific to the environment.
// https://github.com/virtee/sev/blob/d3e40917fd8531c69f47c2498e9667fe8a5303aa/src/launch/sev.rs#L172
// https://github.com/virtee/sev/blob/d3e40917fd8531c69f47c2498e9667fe8a5303aa/src/launch/snp.rs#L114
//
// The wrapper struct exists so that the flags are encoded as a JSON object
// with a single "bits" key rather than as a bare number.
type TeeConfigFlags struct {
	Bits TeeConfigFlagBits `json:"bits"`
}

// TeeConfigFlagBits are bits representing run-time expectations.
//
// The SEV_CONFIG_* and SNP_CONFIG_* constants below share this one type and
// reuse the same bit values with unrelated meanings, so the compiler will not
// catch a constant from one family being applied to the other kind of TEE.
// The overlaps are:
//
//	0b00000001  SEV_CONFIG_NO_DEBUG         SNP_CONFIG_SMT
//	0b00000010  SEV_CONFIG_NO_KEY_SHARING   SNP_CONFIG_MANDATORY
//	0b00000100  SEV_CONFIG_ENCRYPTED_STATE  SNP_CONFIG_MIGRATE_MA
//	0b00001000  SEV_CONFIG_NO_SEND          SNP_CONFIG_DEBUG
//
// Going by the per-constant comments, the debug bit also has opposite
// polarity in the two families: setting SEV_CONFIG_NO_DEBUG forbids guest
// debugging, while setting SNP_CONFIG_DEBUG allows it. A policy built or
// checked with the wrong family can therefore permit debugging or migration
// without any error. Select the family from the TEE type first, and when
// reviewing a policy confirm that the debug bit matches what is intended for
// that TEE type.
type TeeConfigFlagBits int

const (
	SEV_CONFIG_NO_DEBUG        TeeConfigFlagBits = 0b00000001 //revive:disable-line:var-naming no debugging of guests
	SEV_CONFIG_NO_KEY_SHARING  TeeConfigFlagBits = 0b00000010 //revive:disable-line:var-naming no sharing keys between guests
	SEV_CONFIG_ENCRYPTED_STATE TeeConfigFlagBits = 0b00000100 //revive:disable-line:var-naming requires SEV-ES
	SEV_CONFIG_NO_SEND         TeeConfigFlagBits = 0b00001000 //revive:disable-line:var-naming no transferring the guest to another platform
	SEV_CONFIG_DOMAIN          TeeConfigFlagBits = 0b00010000 //revive:disable-line:var-naming no transferring the guest out of the domain (?)
	SEV_CONFIG_SEV             TeeConfigFlagBits = 0b00100000 //revive:disable-line:var-naming no transferring the guest to non-SEV platforms
	SNP_CONFIG_SMT             TeeConfigFlagBits = 0b00000001 //revive:disable-line:var-naming SMT is enabled on the host machine
	SNP_CONFIG_MANDATORY       TeeConfigFlagBits = 0b00000010 //revive:disable-line:var-naming reserved bit which should always be set
	SNP_CONFIG_MIGRATE_MA      TeeConfigFlagBits = 0b00000100 //revive:disable-line:var-naming allowed to use a migration agent
	SNP_CONFIG_DEBUG           TeeConfigFlagBits = 0b00001000 //revive:disable-line:var-naming allow debugging
)

// TeeConfigMinFW corresponds to a minimum version of the kernel+initrd
// combination that should be booted.
//
// NOTE(review): the comment on the TeeConfig.MinFW field describes this value
// as the minimum platform firmware version, which does not agree with the
// "kernel+initrd" wording above. Confirm which meaning the attestation server
// applies, since this value is a version floor in the policy.
//
// Major and Minor are encoded under the JSON keys "major" and "minor". Both
// are plain ints and are not range-checked by this type.
type TeeConfigMinFW struct {
	Major int `json:"major"`
	Minor int `json:"minor"`
}