Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-12-11 17:04:22 -05:00
Code Issues Packages Projects Releases Wiki Activity
d67f1a035f
constellation/internal/attestation/aws/nitrotpm/nitrotpm.go

30 lines
962 B
Go
Raw Normal View History

attestation: add `awsSEVSNP` as new variant (#1900) * variant: move into internal/attestation * attesation: move aws attesation into subfolder nitrotpm * config: add aws-sev-snp variant * cli: add tf option to enable AWS SNP For now the implementations in aws/nitrotpm and aws/snp are identical. They both contain the aws/nitrotpm impl. A separate commit will add the actual attestation logic.
2023-06-09 09:41:02 -04:00
/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
/*
# NitroTPM Attestation.
Uses NitroTPM to enable a TPM based measured boot Constellation deployment.
The origin of the attesation statement can not be verified.
# Issuer
The TPM attestation is signed by the NitroTPM's RSA attestation key.
Additionally to the TPM attestation, we attach a node's [instance identity document] to the attestation document.
# Validator
Currently, the NitroTPM provides no endorsement certificate for its attestation key, nor does AWS offer an alternative way of verifying it.
For now we have to blindly trust the key.
Additionally to verifying the TPM attestation, we also check the instance identity document for consistency.
[instance identity document]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
[NitroTPM]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html
*/
package nitrotpm
Reference in New Issue Copy Permalink