Skip to content

feat(attestor): cloud-attestation — hardware-rooted TEE quotes (AWS Nitro, GCP Confidential VM, Azure MAA) #275

Description

@colek42

Summary

Add a cloud-attestation attestor family that captures hardware-rooted TEE / confidential-compute quotes from the major clouds and binds the cilock build/collection id into the attestation nonce:

  • AWS Nitro Enclaves — COSE_Sign1 attestation document via /dev/nsm (and NitroTPM on EC2)
  • GCP Confidential VM — vTPM quote via go-tpm-tools (+ optional Confidential Space token)
  • Azure Confidential VM — SEV-SNP / SGX report exchanged for a Microsoft Azure Attestation (MAA) JWT

Why — the upgrade from "cloud's word" to "hardware's word"

The existing aws-iid / gcp-iit attestors only verify the cloud-signed instance identity document — they do not prove a hardware-measured boot or TEE isolation. That leaves SLSA Build-Environment L2/L3 unmet for confidential-compute builds:

  • BuildEnv L2: a signed quote for the build environment's system state, bound to the build id, from a vTPM with Secure Boot.
  • BuildEnv L3: TPM / confidential computing with a signed quote of the host boot + system state.

This attestor is the cloud-native path to that evidence (where tpm-quote #274 is the bare-metal/vTPM path).

Design — three provider sub-attestors, one pattern

Predicate type https://aflock.ai/attestations/cloud-attestation/v0.1. Each sub-attestor detects its provider, binds nonce = sha256(build_id) and user_data = sha256(build_id‖collection_id), retrieves the signed evidence, and records a per-provider predicate with verification_status.

Sub-attestor Source Evidence Cert root
aws-nitro-quote /dev/nsm (NSM GetAttestation) / NitroTPM COSE_Sign1 (CBOR), PCRs 0–8, user_data, nonce AWS regional → AWS root
gcp-confidential-vm-quote /dev/tpm0 + GCE metadata vTPM TPM2_Quote, PCRs (sha256), event log, AK cert Google Cloud root / Confidential Space JWKS
azure-maa-quote /dev/sev-guest / SGX → MAA MAA JWT (x-ms-attestation-type, x-ms-compliance-status, SEV-SNP authorkeydigest / SGX mrenclave) MAA jku → Azure root

Subjects() exports cloud-account/project/subscription digests (e.g. cloud:aws:instance-id:<id>) so policies can bind to a specific tenant.

Verification (RegoV0 gate)

Per provider: verify the signature (ES384 COSE / vTPM HMAC / RS256 JWT) → validate the cert chain to the provider root → confirm nonce == sha256(build_id) and user_data binding → replay event log to PCRs (GCP) → check freshness (iat/exp, document timestamp) → compare PCRs/measurements to signed reference values. Policy chooses "any provider verified" vs "require N-of-3".

Libraries

  • AWS: github.com/hf/nsm (+ request), github.com/fxamacker/cbor/v2
  • GCP: github.com/google/go-tpm-tools/{client,proto/attest}, github.com/google/go-attestation/attest
  • Azure: github.com/golang-jwt/jwt/v4, crypto/x509
  • Shared: crypto/{sha256,ecdsa,rsa,x509}, net/http (IMDS/metadata), rookery attestation + cryptoutil

Devices/metadata: /dev/nsm, /dev/tpm0, /dev/sev-guest, IMDS 169.254.169.254, metadata.google.internal.

Phased delivery

  • MVP — AWS Nitro: NSM GetAttestation, CBOR/COSE decode, ES384 + AWS cert-chain verify, nonce/user_data binding, detector + unit tests, RegoV0 gate.
  • P2 — GCP Confidential VM: go-tpm-tools quote, HMAC verify, event-log replay, GCE metadata, integration test on a Confidential VM.
  • P3 — Azure: SEV-SNP/SGX report → MAA JWT, JWKS signature verify, Azure root chain, IMDS context.
  • P4: unified gate (all three) with PCR reference validation + freshness; SLSA L3 mapping doc; e2e per cloud.
  • P5 (opt): GCP Confidential Space tokens; Intel TDX; offline golden-PCR reference DB; N-of-3 multi-cloud policy.

Open questions

  • Freshness window (AWS doc timestamp vs GCP/Azure iat/exp up to 1h) — enforce in attestor or leave to policy?
  • Where do golden PCR/measurement reference values live (policy YAML vs versioned reference DB, per region/AMI/kernel)?
  • user_data semantics: sha256(build_id‖collection_id) vs sha256(build_id) vs configurable.
  • Nitro Enclave (/dev/nsm) vs EC2 NitroTPM — one attestor with detect-and-branch (current plan) or two?
  • Cert rotation / offline verification when run air-gapped.

Part of the hardware-root-of-trust track; cloud-native sibling of #274 (tpm-quote) and consumed by command-run-ima. Spec refs: SLSA Build-Environment track (draft).

Filed by an AI agent at Cole's request; design researched against the SLSA draft + AWS Nitro / GCP CVM / Azure MAA docs.

Metadata

Metadata

Assignees

No one assigned

    Labels

    ai-agentAuthored or edited by an AI agentenhancementNew feature or requestrelease-hardeningSupply-chain integrity hardening for cilock releasessecuritySecurity hardening / vulnerability mitigation

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions