You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add a cloud-attestation attestor family that captures hardware-rooted TEE / confidential-compute quotes from the major clouds and binds the cilock build/collection id into the attestation nonce:
AWS Nitro Enclaves — COSE_Sign1 attestation document via /dev/nsm (and NitroTPM on EC2)
GCP Confidential VM — vTPM quote via go-tpm-tools (+ optional Confidential Space token)
Azure Confidential VM — SEV-SNP / SGX report exchanged for a Microsoft Azure Attestation (MAA) JWT
Why — the upgrade from "cloud's word" to "hardware's word"
The existing aws-iid / gcp-iit attestors only verify the cloud-signed instance identity document — they do not prove a hardware-measured boot or TEE isolation. That leaves SLSA Build-Environment L2/L3 unmet for confidential-compute builds:
BuildEnv L2: a signed quote for the build environment's system state, bound to the build id, from a vTPM with Secure Boot.
BuildEnv L3:TPM / confidential computing with a signed quote of the host boot + system state.
This attestor is the cloud-native path to that evidence (where tpm-quote#274 is the bare-metal/vTPM path).
Design — three provider sub-attestors, one pattern
Predicate type https://aflock.ai/attestations/cloud-attestation/v0.1. Each sub-attestor detects its provider, binds nonce = sha256(build_id) and user_data = sha256(build_id‖collection_id), retrieves the signed evidence, and records a per-provider predicate with verification_status.
Sub-attestor
Source
Evidence
Cert root
aws-nitro-quote
/dev/nsm (NSM GetAttestation) / NitroTPM
COSE_Sign1 (CBOR), PCRs 0–8, user_data, nonce
AWS regional → AWS root
gcp-confidential-vm-quote
/dev/tpm0 + GCE metadata
vTPM TPM2_Quote, PCRs (sha256), event log, AK cert
Google Cloud root / Confidential Space JWKS
azure-maa-quote
/dev/sev-guest / SGX → MAA
MAA JWT (x-ms-attestation-type, x-ms-compliance-status, SEV-SNP authorkeydigest / SGX mrenclave)
MAA jku → Azure root
Subjects() exports cloud-account/project/subscription digests (e.g. cloud:aws:instance-id:<id>) so policies can bind to a specific tenant.
Verification (RegoV0 gate)
Per provider: verify the signature (ES384 COSE / vTPM HMAC / RS256 JWT) → validate the cert chain to the provider root → confirm nonce == sha256(build_id) and user_data binding → replay event log to PCRs (GCP) → check freshness (iat/exp, document timestamp) → compare PCRs/measurements to signed reference values. Policy chooses "any provider verified" vs "require N-of-3".
Freshness window (AWS doc timestamp vs GCP/Azure iat/exp up to 1h) — enforce in attestor or leave to policy?
Where do golden PCR/measurement reference values live (policy YAML vs versioned reference DB, per region/AMI/kernel)?
user_data semantics: sha256(build_id‖collection_id) vs sha256(build_id) vs configurable.
Nitro Enclave (/dev/nsm) vs EC2 NitroTPM — one attestor with detect-and-branch (current plan) or two?
Cert rotation / offline verification when run air-gapped.
Part of the hardware-root-of-trust track; cloud-native sibling of #274 (tpm-quote) and consumed by command-run-ima. Spec refs: SLSA Build-Environment track (draft).
Filed by an AI agent at Cole's request; design researched against the SLSA draft + AWS Nitro / GCP CVM / Azure MAA docs.
Summary
Add a
cloud-attestationattestor family that captures hardware-rooted TEE / confidential-compute quotes from the major clouds and binds the cilock build/collection id into the attestation nonce:/dev/nsm(and NitroTPM on EC2)go-tpm-tools(+ optional Confidential Space token)Why — the upgrade from "cloud's word" to "hardware's word"
The existing
aws-iid/gcp-iitattestors only verify the cloud-signed instance identity document — they do not prove a hardware-measured boot or TEE isolation. That leaves SLSA Build-Environment L2/L3 unmet for confidential-compute builds:This attestor is the cloud-native path to that evidence (where
tpm-quote#274 is the bare-metal/vTPM path).Design — three provider sub-attestors, one pattern
Predicate type
https://aflock.ai/attestations/cloud-attestation/v0.1. Each sub-attestor detects its provider, bindsnonce = sha256(build_id)anduser_data = sha256(build_id‖collection_id), retrieves the signed evidence, and records a per-provider predicate withverification_status.aws-nitro-quote/dev/nsm(NSMGetAttestation) / NitroTPMuser_data,noncegcp-confidential-vm-quote/dev/tpm0+ GCE metadataTPM2_Quote, PCRs (sha256), event log, AK certazure-maa-quote/dev/sev-guest/ SGX → MAAx-ms-attestation-type,x-ms-compliance-status, SEV-SNPauthorkeydigest/ SGXmrenclave)jku→ Azure rootSubjects()exports cloud-account/project/subscription digests (e.g.cloud:aws:instance-id:<id>) so policies can bind to a specific tenant.Verification (RegoV0 gate)
Per provider: verify the signature (ES384 COSE / vTPM HMAC / RS256 JWT) → validate the cert chain to the provider root → confirm
nonce == sha256(build_id)anduser_databinding → replay event log to PCRs (GCP) → check freshness (iat/exp, document timestamp) → compare PCRs/measurements to signed reference values. Policy chooses "any provider verified" vs "require N-of-3".Libraries
github.com/hf/nsm(+request),github.com/fxamacker/cbor/v2github.com/google/go-tpm-tools/{client,proto/attest},github.com/google/go-attestation/attestgithub.com/golang-jwt/jwt/v4,crypto/x509crypto/{sha256,ecdsa,rsa,x509},net/http(IMDS/metadata), rookeryattestation+cryptoutilDevices/metadata:
/dev/nsm,/dev/tpm0,/dev/sev-guest, IMDS169.254.169.254,metadata.google.internal.Phased delivery
GetAttestation, CBOR/COSE decode, ES384 + AWS cert-chain verify, nonce/user_data binding, detector + unit tests, RegoV0 gate.go-tpm-toolsquote, HMAC verify, event-log replay, GCE metadata, integration test on a Confidential VM.Open questions
iat/expup to 1h) — enforce in attestor or leave to policy?user_datasemantics:sha256(build_id‖collection_id)vssha256(build_id)vs configurable./dev/nsm) vs EC2 NitroTPM — one attestor with detect-and-branch (current plan) or two?Part of the hardware-root-of-trust track; cloud-native sibling of #274 (
tpm-quote) and consumed bycommand-run-ima. Spec refs: SLSA Build-Environment track (draft).Filed by an AI agent at Cole's request; design researched against the SLSA draft + AWS Nitro / GCP CVM / Azure MAA docs.