2024-05-08 CCA - Attestation Verifier

Date and Time: May 8, 2024 14:00 UTC

Calendar invite? Register here and we’ll send you an invite shortly after you’ve registered.

Meeting and connection details

Join Zoom Meeting

https://linaro-org.zoom.us/j/99184594168?pwd=eklPZlBmUDB3VEd6VngxOWpMTXdvZz09

Meeting ID: 991 8459 4168

Passcode: 13371337

Find your local number: https://linaro-org.zoom.us/u/acGNPcsIS9

Attendees

Agenda

Meeting overview

  • Recording: We’ll record the meeting; if you object, please let us know. The link and password will be added to this page (see sections further down).

  • Goal of today’s meeting: Better understand what needs to be done, and when, to leverage the Arm Confidential Compute Architecture (CCA) in an Attestation Verifier architecture.

Background

  • Confidential Computing aims to provide users with an additional layer of protection by raising the standards above our traditional platforms. It will accomplish this by utilizing a combination of novel hardware and software features. Within the Arm architecture, this is the Arm Confidential Compute Architecture (CCA).

  • Although we anticipate that using the hardware and writing software for it will pose challenges, there is more to it. To be able to use this, an ecosystem around it is needed as well. Imagine that a Cloud Service Provider (CSP) has invested in CCA-capable hardware and tells its partners and customers that they can start using it. At that point the partners and customers will obviously ask:

    • How can we know for sure that you have hardware that is capable of this?

    • How can we know for sure that no one has tampered with the hardware?

    • How can we know for sure that the claims you give in the form of evidence are trustworthy?

    • How are we actually going to use this?

      • Are there services ready that we can use? How?

      • Interoperability: Is this working with other CC solutions from other architecture vendors?

    • … and so on.

  • The takeaway is that to fully leverage CCA-enabled devices, we will need an ecosystem around them! Working on that as soon as possible would probably make sense, so that we have something ready to go whenever CCA-enabled devices become widely available.

Remote ATtestation ProcedureS (RATS)

  • The draft-ietf-rats-architecture is a set of specifications for remote attestation that is developed by the IETF Remote ATtestation ProcedureS (RATS) Working Group. Their goal is to establish standard formats for describing evidence and attestation results, as well as the processes and protocols required to send attestation results to a relying party and evidence for evaluation to a verifier. They also want to standardize reference values and endorsement formats.

  • RFC 9334 is the RFC, released in early 2023, that describes the Attestation Verification architecture.

    Figure: RATS attestation architecture

Veraison

  • The Veraison project builds software components for the construction of an Attestation Verification Service.

  • Would this be a good starting point for the work? If not, why? Is there anything else that we can (re-)use to avoid having to rewrite everything from scratch?

Files, presentations and recording

Notes

  • In general, please see recording.

Chat

  • Please see recording.