Attestation Schemes

An attestation scheme describes how an attestation should be verified. Specifically, it defines

• The structure of attestation evidence submitted for verification
• The endorsements and trust anchors needed
• How all of the above is evaluated to produce an attestation result

Veraison supports different attestation schemes via plugins.

Current Schemes

Currently the following schemes are implemented:

• arm-cca Arm Confidential Compute Architecture attestation.
• psa-iot: Arm Platform Security Architecture attestation.
• riot: RIoT based DICE-compatible attestation (note: this does not implement any specific DICE architecture).
• tmp-enacttrust: TPM-based attestation for EnactTrust security cloud.
• parsec-tpm : Parsec TPM based hardware-backed attestation, details here
• parsec-cca : Parsec CCA based hardware-backed attestation, details here

Implementing Attestation Scheme Support

Supporting a new attestation scheme requires defining how to provision endorsements (if any) by implementing IEndorsementHandler, how to process evidence tokens by implementing IEvidenceHandler and how to create and obtain scheme-specific keys used to store and retrieve endorsements and trust anchors by implementing IStoreHandler.

Finally, an executable should be created that registers and serves them.

package main

import (
	"github.com/veraison/services/decoder"
	"github.com/veraison/services/plugin"
)

type MyEvidenceHandler struct {}

// ...
// Implementation of IEvidenceHandler for MyEvidenceHandler
// ...

type MyEndrosementHandler struct {}

// ...
// Implementation of IEndrosementHandler for MyEndrosementHandler
// ...

type MyStoreHandler struct {}

// ...
// Implementation of IStoreHandler for MyStoreHandler
// ...

func main() {
	handler.RegisterEndorsementHandler(&MyEndorsementHandler{})
	handler.RegisterEvidenceHandler(&MyEvidenceHandler{})
	handler.RegisterStoreHandler(&MyStoreHandler{})

	plugin.Serve()
}