From b6427883df8d3ab4b384845ba6acaf0137d792e5 Mon Sep 17 00:00:00 2001 From: flxflx Date: Wed, 26 Feb 2025 14:18:12 +0100 Subject: [PATCH] Introduce Sig-TPM --- dev-docs/security-overview.md | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/dev-docs/security-overview.md b/dev-docs/security-overview.md index f91d6cb71..90393c182 100644 --- a/dev-docs/security-overview.md +++ b/dev-docs/security-overview.md @@ -101,16 +101,26 @@ In this case, the launch digest is the only measurement that's required to verif However, currently, all supported CVM platforms (AWS, Azure, and GCP) inject custom firmware into CVMs. Thus, in practice, Constellation relies on conventional [measured boot](https://docs.edgeless.systems/constellation/architecture/images#measured-boot) to reflect the identity and integrity of nodes. -In measured boot, in general, the software components involved in the boot process of a system are "measured" into the 16 registers of a Trusted Platform Module (TPM). +In measured boot, in general, the software components involved in the boot process of a system are "measured" into the 16 platform configuration registers (PCRs) of a Trusted Platform Module (TPM). The values of these registers are also called "runtime measurements". -All supported CVM platforms provide TPMs to CVMs. -Constellation nodes use these to measure their boot process. -They include the 16 runtime measurements as part of `payload` in `R`. Thus, abstractly, `payload` here has the following format: `payload = | `. -On each CVM platform, runtime measurements are taken differently. -Details on this are given in the [Constellation documentation](https://docs.edgeless.systems/constellation/architecture/attestation#runtime-measurements). +All supported CVM platforms provide TPMs to CVMs. + +With measured boot, Constellation relies on TPM-based remote attestation for nodes. +TPM-based remote attestation is similar to confidential computing-based remote attestation. Instead of the value `R`, the value `R'` is used. + +``` +R' = Sig-TPM(, ) +``` + +The field `auxiliary data` is populated automatically by the TPM and most notably contains the 16 PCRs. +Constellation uses the field `payload` as usual and sets it to the public key of the respective CVM's Bootstrapper. +When verifying `R'`, Constellation compares the 16 PCRs to those given in the attestation config. + +#### Differences between CVM platforms + +Each supported CVM platform populates the 16 PCRs in different ways. Details can be found in the [Constellation documentation](https://docs.edgeless.systems/constellation/architecture/attestation#runtime-measurements). +Sig-TPM itself is also verified differently for each cloud. -With measured boot, Constellation only checks the 16 runtime measurements during the verification of a node's remote-attestation statement. -The launch digest is not considered, because it only covers the firmware injected by the CVM platform and may change whenever the CVM platform is updated. Currently, on AWS and GCP the TPM implementation resides outside the CVM. On Azure, the TPM implementation is part of the injected firmware and resides inside the CVM. More information can be found in the [Constellation documentation](https://docs.edgeless.systems/constellation/overview/clouds).