scheme

Oct 16, 2024

7caa4d9 · Oct 16, 2024

Name	Name	Last commit message	Last commit date
parent directory ..
arm-cca	arm-cca	fix! Rebase to latest of CoRIM	Oct 16, 2024
common	common	fix! Rebase to latest of CoRIM	Oct 16, 2024
parsec-cca	parsec-cca	fix! Rebase to latest of CoRIM	Oct 16, 2024
parsec-tpm	parsec-tpm	fix! Rebase to latest of CoRIM	Oct 16, 2024
psa-iot	psa-iot	fix! Rebase to latest of CoRIM	Oct 16, 2024
riot	riot	handler: add GetRefValueIDs to IStoreHandler	Apr 30, 2024
tpm-enacttrust	tpm-enacttrust	fix! Rebase to latest of CoRIM	Oct 16, 2024
MIGRATING.md	MIGRATING.md	plugins: rename decoder -> handler	Feb 8, 2023
Makefile	Makefile	feat(scheme)!: implement CCA realm provisioning and verification	Jun 24, 2024
README.md	README.md	chore: add note to scheme README RE scheme.gen.go	Jun 28, 2024

README.md

This directory contains packages implementing support of specific attestation schemes. Currently the following schemes are implemented:

arm-cca Arm Confidential Compute Architecture attestation.
psa-iot: Arm Platform Security Architecture attestation.
riot: RIoT based DICE-compatible attestation (note: this does not implement any specific DICE architecture).
tmp-enacttrust: TPM-based attestation for EnactTrust security cloud.
parsec-tpm : Parsec TPM based hardware-backed attestation, details here
parsec-cca : Parsec CCA based hardware-backed attestation, details here

Note

When adding (or removing) a scheme, please update ../builtin/scheme.gen.go to include the appropriate entries. This can be done automatically using ../scripts/gen-schemes script (see ../buildin/Makefile) or by manually editing the file. The script takes a long time to execute, so unless multiple schemes are being added/moved/deleted, manual editing may be easier.

Implementing Attestation Scheme Support

Note: If you already have attestation scheme plugins implemented for an earlier version of Veraison, please see the migration guide for how to convert them to the new framework.

Supporting a new attestation scheme requires defining how to provision endorsements (if any) by implementing IEndorsementHandler, how to process evidence tokens by implementing IEvidenceHandler and how to create and obtain scheme-specific keys used to store and retrieve endorsements and trust anchors by implementing IStoreHandler.

Finally, an executable should be created that registers and serves them.

package main

import (
	"github.com/veraison/services/decoder"
	"github.com/veraison/services/plugin"
)

type MyEvidenceHandler struct {}

// ...
// Implementation of IEvidenceHandler for MyEvidenceHandler
// ...

type MyEndrosementHandler struct {}

// ...
// Implementation of IEndrosementHandler for MyEndrosementHandler
// ...

type MyStoreHandler struct {}

// ...
// Implementation of IStoreHandler for MyStoreHandler
// ...

func main() {
	handler.RegisterEndorsementHandler(&MyEndorsementHandler{})
	handler.RegisterEvidenceHandler(&MyEvidenceHandler{})
	handler.RegisterStoreHandler(&MyStoreHandler{})

	plugin.Serve()
}

Debugging

Handler code is a lot easier to debug when it runs as part of the service processes, rather than as a plugin. This can be achieved by using the "builtin" plugin loader.

Attestation scheme loading method is a build-time configuration. Since delve does its own building, it will ignore the normal build configuration. Instead, you will have to configure this when invoking delve:

dlv debug --build-flags "-ldflags '-X github.com/veraison/services/config.SchemeLoader=builtin'"

This will allow you to step into and set break points inside scheme code.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Files

scheme

scheme

README.md

Implementing Attestation Scheme Support

Debugging

Files

scheme

Directory actions

More options

Directory actions

More options

Latest commit

History

scheme

Folders and files

parent directory

README.md

Implementing Attestation Scheme Support

Debugging