ibmse: update attestation-service documents for ibmse

- correct parsed_claims.md base on the latest ibmse codes - add attestation-service policy example for ibmse Signed-off-by: Da Li Liu <[email protected]>
confidential-containers · Jun 23, 2024 · aeb869e · aeb869e
1 parent 1e8a88a
commit aeb869e
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 4 deletions.
diff --git a/attestation-service/docs/grpc-as.md b/attestation-service/docs/grpc-as.md
@@ -12,6 +12,7 @@ Now the following types of evidence are supported:
 - `sample`: A fake platform. Only for test and sample
 - `csv`: Hygon CSV
 - `aztdxvtpm`: Azure TDX vTPM
+- `se`: IBM Secure Execution
 
 ## Quick Start
 

diff --git a/attestation-service/docs/parsed_claims.md b/attestation-service/docs/parsed_claims.md
@@ -96,9 +96,9 @@ Note: The TD Report and TD Quote are fetched during early boot in this TEE. Kern
 ## IBM Secure Execution (SE)
 - `se.version`: The version this quote structure.
 - `se.cuid`: The unique ID of the attested guest (configuration uniqe ID).
-- `se.hdr.tag`: SE header tag.
-- `se.image.phkh`: SE image public host key hash
-- `se.attestation.phkh`: SE attestation public host key hash
+- `se.tag`: SE header tag.
+- `se.image_phkh`: SE image public host key hash
+- `se.attestation_phkh`: SE attestation public host key hash
 - `se.user_data`: Optional custom attestation owner data, could be key:value pairs collected on guest.
 
 ## AMD SEV-SNP

diff --git a/attestation-service/docs/policy.md b/attestation-service/docs/policy.md
@@ -81,4 +81,5 @@ We will introduce the format of policy by providing some examples to show the us
 
 1. The [default policy](../attestation-service/src/policy_engine/opa/default_policy.rego). This policy will check whether each entry in the [parsed claims](./parsed_claims.md) generated by the input evidence matches the reference value obtained from RVPS.
 2. An [SGX policy](../tests/coco-as/policy/example-1.rego). The client want to ensure the `mr_signer` and `mrenclave` are both expected value.
-3. A [TDX policy](../tests/coco-as/policy/example-2.rego). The client want to ensure the TDX module (reflected by `tdx.quote.body.mr_seam`), guest firmware (reflected by `tdx.quote.body.mr_td`), kernel (reflected by `tdx.ccel.kernel`) are all as expected.
+3. A [TDX policy](../tests/coco-as/policy/example-2.rego). The client want to ensure the TDX module (reflected by `tdx.quote.body.mr_seam`), guest firmware (reflected by `tdx.quote.body.mr_td`), kernel (reflected by `tdx.ccel.kernel`) are all as expected.
+4. A [IBM SE policy](../tests/coco-as/policy/example-3.rego). The client want to ensure the `se.version`, `se.tag`, `se.user_data`, `se.image_phkh` and `se.attestation_phkh` are all expected value.
diff --git a/attestation-service/docs/restful-as.md b/attestation-service/docs/restful-as.md
@@ -12,6 +12,7 @@ Now the following types of evidence are supported:
 - `sample`: A fake platform. Only for test and sample
 - `csv`: Hygon CSV
 - `aztdxvtpm`: Azure TDX vTPM
+- `se`: IBM Secure Execution
 
 ## Quick Start
 

diff --git a/attestation-service/tests/coco-as/policy/example-3.rego b/attestation-service/tests/coco-as/policy/example-3.rego
@@ -0,0 +1,13 @@
+package policy
+import rego.v1
+default allow = false
+
+converted_version := sprintf("%v", [input["se.version"]])
+
+allow if {
+	converted_version == "256"
+	input["se.user_data"] == "00"
+	input["se.tag"] == "773780962a7350165054673b6c54235d"
+	input["se.image_phkh"] == "92d0aff6eb86719b6b1ea0cb98d2c99ff2ec693df3efff2158f54112f6961508"
+	input["se.attestation_phkh"] == "92d0aff6eb86719b6b1ea0cb98d2c99ff2ec693df3efff2158f54112f6961508"
+}