From 7d8e36a85300ea43d4fd933da9d1f48d163b395c Mon Sep 17 00:00:00 2001 From: Malte Poll Date: Fri, 5 May 2023 11:24:32 +0200 Subject: [PATCH] rfc: define measurements v2 The old measurements.json (v1) contained one set of measurements and had a path scoped for every CSP. The new version is less structured, allowing for future extensions. --- rfc/image-api.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/rfc/image-api.md b/rfc/image-api.md index d6fc93e23..ff80c56bf 100644 --- a/rfc/image-api.md +++ b/rfc/image-api.md @@ -74,6 +74,11 @@ The following HTTP endpoints are available: - `GET /constellation/v2/ref//stream///image/` - [`info.json` returns the lookup table for the given image version.](#image-lookup-table-v2) + - `measurements.json` contains the measurements for the given image version. + - `measurements.json.sig` returns the signature of the measurements file. + + + - `GET /constellation/v1/ref//stream///image/` - [`info.json` returns the lookup table for the given image version.](#image-lookup-table-v1) - `sbom..json` contains SBOM files for the given image version. The exact formats and file names are TBD. 
@@ -163,6 +168,31 @@ This document is not signed and can be extended in the future to include more im The same document can be used to identify old images that are no longer used and can be deleted for cost optimization. +## Image measurements (v2) + +The image measurements are a JSON file that contains sets of measurements for the given image version: + +``` +/constellation/v2/ref//stream///image/measurements.json +``` + +```json +{ + "version": "", + "ref": "", + "stream": "", + "list": [ + "csp": "", + "attestationVariant": "", + "measurements": {"": {}} + ] +} +``` + +If required, the fields in the `.list` array can be extended in the future to include additional information while maintaining backwards compatibility. + +This document has a detached signature that can be retrieved from `measurements.json.sig`. + ## Image lookup table (v1) The image lookup table is a JSON file that maps the image name consisting of `ref`, `stream` and `version` to the CSP-specific image references:
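Review bot: In the first hunk (the v2 endpoint list, `@@ -74,6 +74,11 @@`), the new `measurements.json.sig` bullet says only that it "returns the signature of the measurements file", with no indication of which key signs it or what signature format is used, so a client implementer cannot tell from this entry how to verify the file. Suggest linking both new bullets to the new "Image measurements (v2)" section, the same way the `info.json` bullet links to `#image-lookup-table-v2`, and documenting the signing key and scheme there. The hunk also adds three consecutive blank lines before the v1 endpoint entry; drop the extras. Minor wording point: the two new bullets mix "contains" and "returns" for the same kind of resource.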
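Review bot: In the second hunk (the new "Image measurements (v2)" section, `@@ -163,6 +168,31 @@`), the JSON example is not valid JSON: the `"list": [` array holds bare `"csp"`, `"attestationVariant"` and `"measurements"` key/value pairs with no enclosing object, so each list entry needs its own `{ ... }` inside the array. The section should also state that a verifier must compare the signed `version`, `ref` and `stream` fields with the path it requested, because the detached signature in `measurements.json.sig` by itself does not prevent a validly signed file for a different image version from being served at this path. The sentence about extending the `.list` fields "while maintaining backwards compatibility" only holds if consumers are required to ignore unknown fields, so say that explicitly. The shape of `"measurements": {"": {}}` is left undefined; describe the key and the inner object, or reference where they are specified.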