Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-09-20 08:15:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
3a7b829107
constellation/internal/attestation/aws/aws.go

31 lines
1.0 KiB
Go
Raw Normal View History

dev-docs: Go package docs (#958) * Remove unused package * Add Go package docs to most packages Signed-off-by: Daniel Weiße <dw@edgeless.systems> Signed-off-by: Fabian Kammel <fk@edgeless.systems> Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com> Co-authored-by: Fabian Kammel <fk@edgeless.systems>
2023-01-19 14:57:50 +00:00
/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
/*
# Amazon Web Services attestation
Attestation for AWS using [NitroTPM].
AWS currently does not support confidential VMs, but offers a TPM 2.0 compliant vTPM integration.
We use this to enable a TPM based measured boot Constellation deployment.
# Issuer
The TPM attestation is signed by the NitroTPM's RSA attestation key.
Additionally to the TPM attestation, we attach a node's [instance identity document] to the attestation document.
# Validator
Currently, the NitroTPM provides no endorsement certificate for its attestation key, nor does AWS offer a secondary of of verifying it.
For now we have to blindly trust the key.
Additionally to verifying the TPM attestation, we also check the instance identity document for consistency.
[NitroTPM]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html
[instance identity document]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
*/
package aws
Reference in New Issue Copy Permalink