Attestation Schemes
An attestation scheme describes how an attestation should be verified. Specifically, it defines:
- The structure of attestation evidence submitted for verification
- The endorsements and trust anchors needed
- How all of the above is evaluated to produce an attestation result
Veraison supports different attestation schemes via plugins.
Current Schemes
Currently the following schemes are implemented:
- arm-cca: Arm Confidential Compute Architecture attestation.
- psa-iot: Arm Platform Security Architecture attestation.
- riot: RIoT based DICE-compatible attestation (note: this does not implement any specific DICE architecture).
- tpm-enacttrust: TPM-based attestation for EnactTrust security cloud.
- parsec-tpm: Parsec TPM based hardware-backed attestation, details here
- parsec-cca: Parsec CCA based hardware-backed attestation, details here
Implementing Attestation Scheme Support
Note: If you already have attestation scheme plugins implemented for an earlier version of Veraison, please see the migration guide for how to convert them to the new framework.
Supporting a new attestation scheme requires defining how to provision endorsements (if any) by implementing IEndorsementHandler, how to process evidence tokens by implementing IEvidenceHandler, and how to create and obtain scheme-specific keys used to store and retrieve endorsements and trust anchors by implementing IStoreHandler.
Finally, an executable should be created that registers and serves them.
package main

import (
	// handler provides the Register*Handler functions used in main below.
	"github.com/veraison/services/handler"
	"github.com/veraison/services/plugin"
)

type MyEvidenceHandler struct{}
// ...
// Implementation of IEvidenceHandler for MyEvidenceHandler
// ...

type MyEndorsementHandler struct{}
// ...
// Implementation of IEndorsementHandler for MyEndorsementHandler
// ...

type MyStoreHandler struct{}
// ...
// Implementation of IStoreHandler for MyStoreHandler
// ...

func main() {
	// Register each handler with the plugin framework, then serve them.
	handler.RegisterEndorsementHandler(&MyEndorsementHandler{})
	handler.RegisterEvidenceHandler(&MyEvidenceHandler{})
	handler.RegisterStoreHandler(&MyStoreHandler{})
	plugin.Serve()
}
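To make the three parts of a scheme concrete (evidence structure, endorsements and trust anchors, and the evaluation that yields a result), here is a self-contained toy scheme, added as an illustration and not taken from Veraison. The Evidence and Store types, the demo:// key format, the Ed25519 token layout and the result strings are all assumptions of this example; it does not use Veraison's handler interfaces.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Evidence is a constructed token format for this example (not a Veraison type).
type Evidence struct {
	Tenant, ImplID, Measurement string
	Sig                         []byte
}

// Store maps scheme-specific keys to trust anchors and endorsements (hypothetical).
type Store map[string][]byte

// The same key derivation must be used when provisioning and when verifying,
// otherwise lookups miss and verification fails closed.
func taKey(e Evidence) string  { return "demo://" + e.Tenant + "/ta/" + e.ImplID }
func refKey(e Evidence) string { return "demo://" + e.Tenant + "/ref/" + e.ImplID }

func signedBytes(e Evidence) []byte { return []byte(e.Tenant + "\x00" + e.ImplID + "\x00" + e.Measurement) }

// Appraise authenticates the evidence against the trust anchor first, and only
// then compares the claimed measurement with the endorsed reference value.
func Appraise(e Evidence, s Store) (string, error) {
	ta, ok := s[taKey(e)]
	if !ok || len(ta) != ed25519.PublicKeySize {
		return "", errors.New("no trust anchor for " + taKey(e))
	}
	if !ed25519.Verify(ed25519.PublicKey(ta), signedBytes(e), e.Sig) {
		return "", errors.New("evidence signature invalid")
	}
	if ref, ok := s[refKey(e)]; !ok || string(ref) != e.Measurement {
		return "contraindicated", nil
	}
	return "affirming", nil
}

// Sample builds constructed evidence and a store provisioned for it.
func Sample(claimed, endorsed string) (Evidence, Store) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	e := Evidence{Tenant: "0", ImplID: "acme-rr-01", Measurement: claimed}
	e.Sig = ed25519.Sign(priv, signedBytes(e))
	return e, Store{taKey(e): pub, refKey(e): []byte(endorsed)}
}

func main() { fmt.Println(Appraise(Sample("aabb", "aabb"))) }
```

An unverifiable token returns an error rather than a result, so a missing trust anchor or a bad signature is never confused with a measurement mismatch.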