Explain unenforced measurements in config (#445)

2025-03-21 06:16:39 -04:00 · 2022-11-07 08:56:57 +01:00 · 2022-11-07 08:56:57 +01:00 · a70161730f
commit a70161730f
parent efa2fb2fd0
1 changed files with 11 additions and 0 deletions
--- a/docs/docs/workflows/verify-cluster.md
+++ b/docs/docs/workflows/verify-cluster.md
@ -15,6 +15,17 @@ This command performs the following steps:
 2. Verify the signature of the measurements. This will use Edgeless Systems' [public key](https://edgeless.systems/es.pub).
 3. Write measurements into configuration file.

+After the command succeeded the configuration file will contain a list of key value pairs (index, hash) under the `measurements` key and a list of indices under `enforcedMeasurements`.
+Not all keys under `measurements` will have a matching index under `enforcedMeasurements`.
+This is because only a subset of the available measurements can be locally reproduced and verified.
+These non-reproducible values typically measure parts of the boot process that are controlled by the CSP.
+You can find a list with descriptions in the [runtime measurements](../architecture/attestation.md#runtime-measurements) section.
+
+During attestation, the validating side (CLI or [join service](../architecture/components.md#joinservice)) will compare each [measurement](../architecture/attestation.md##runtime-measurement) reported by the issuing side (first node or joining node) individually.
+For mismatching measurements that are set under the `measurements` key a warning will be emitted.
+For mismatching measurements that are additionally set under `enforcedMeasurements` an error will be emitted and attestation fails.
+If attestation fails, the new node can't join the cluster.
+
 ## The *verify* command

 :::note