
How is RATSd trusted?

icwang edited this page Feb 5, 2026 · 1 revision

Overview

Validating the authenticity of RATSd depends on how it is connected to the Root of Trust (ROT). However, most confidential computing solutions (e.g. AMD SEV-SNP, Intel TDX) do not measure a userspace program directly, RATSd included. While AMD SEV-SNP allows the user to specify REPORT_DATA, which becomes part of the generated attestation report signed by the hardware, it does not have enough bit length to carry the entire binary. Such an approach also falls short of showing the linkage between the requestor of the report and the report itself: anyone knowing a representation of RATSd, such as its checksum, can impersonate RATSd by using the same REPORT_DATA and obtain an identical attestation report. To get an unbiased measurement of the RATSd binary instead of blindly trusting the component, the following approaches are considered.

vTPM from SVSM with Proof of possession from CA

                                .--------------------------------------------.
                                |          Certificate Authority (CA)        |
                                |         (Microsoft AD CS / Verifier)       |
                                '--------------------------------------------'
                                    ^                |               |
               1. Request AK Cert   |                |               | 4. Issued AK
                  (w/ AKpub)        |                |               |    Certificate
            .-----------------------'                |               |
            |                                        |               |
            |          2. Credential Challenge       |               |
            |             (Encrypted to EKpub)       |               |
            | <--------------------------------------'               |
            |                                                        |
            |          3. Challenge Response                         |
            |             (Decrypted via TPM/SVSM)                   |
            '--------------------------------------------------------'
                                     ^
                                     |
.------------------------------------|---------------------------------------.
| VM / Guest                         |                                       |
|                                    |                                       |
|   .------------------.             |             .----------------------.  |
|   |      RATSd       |<------------'             |   CMN Collection     |  |
|   |  (Orchestrator)  |-------------------------->|      (JOSE)          |  |
|   '------------------'                           '----------+-----------'  |
|             |                                               |              |
|   .---------|--------------------------------------.        |              |
|   | SVSM / vTPM  (Security Boundary)               |        |              |
|   |         v                                      |        |              |
|   |  .------------.           .------------.       |        |              |
|   |  |     EK     | --------> |     AK     |       |        |              |
|   |  '------------'           '------------'       |        |              |
|   '------------------------------------------------'        |              |
'------------------------------------------------------------ | -------------'
                                                              |
                                                              v
      .-------------------------------------------------------+--------------.
      | Signed Evidence Bundle:                                              |
      | - TSM Report (SEV-SNP / OVMF / SVSM)                                 |
      | - GPU Attestation Report                                             |
      | - Event Log (GRUB -> Kernel -> TPM)                                  |
      '----------------------------------------------------------------------'
                                      |
                                      v
                             .------------------.             .--------------.
                             |     Veraison     | ----------> |   Relying    |
                             |     Service      |             |    Party     |
                             '------------------'             '--------------'

Trusted CA

This approach requires a CA to issue an attested CSR to RATSd.
