// Copyright 2023 Ant Group Co., Ltd. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // syntax = "proto3"; package secretflowapis.v2.sdc; /// UnifiedAttestationAttributes collect all attributes information /// of trusted application from UnifiedAttestationReport format report. /// All attributes are optional when used in UnifiedAttestationPolicy. /// The TEE implement decides which attribute is used in the report and policy. message UnifiedAttestationAttributes { // The TEE platform, in case some verifier needs to verify this. string str_tee_platform = 1 [ json_name = "str_tee_platform" ]; // The TEE platform hardware-related identity or version string hex_platform_hw_version = 2 [ json_name = "hex_platform_hw_version" ]; // The TEE platform TCB software-related version string hex_platform_sw_version = 3 [ json_name = "hex_platform_sw_version" ]; // The TEE platform security-related attributes or flags string hex_secure_flags = 4 [ json_name = "hex_secure_flags" ]; // The measurement of TEE implement internal stuff string hex_platform_measurement = 5 [ json_name = "hex_platform_measurement" ]; // The measurement of TEE instance boot time stuff string hex_boot_measurement = 6 [ json_name = "hex_boot_measurement" ]; // The name of this tee instance string str_tee_name = 8 [ json_name = "str_tee_name" ]; // The TEE instance or trust application identity when generating the report string str_tee_identity = 9 [ json_name = "str_tee_identity" ]; // The static measurement of trust application when loading the code string hex_ta_measurement = 10 [ json_name = "hex_ta_measurement" ]; // The dynamical measurement of trust application code, // for example, the real-time measurement of code in secure memory // after the trust application is already run. string hex_ta_dyn_measurement = 11 [ json_name = "hex_ta_dyn_measurement" ]; // The measurement or other identity of the trust application signer string hex_signer = 12 [ json_name = "hex_signer" ]; // The product ID of the TEE instance or trust application string hex_prod_id = 13 [ json_name = "hex_prod_id" ]; // The minimal ISV SVN of the TEE instance or trust application string str_min_isvsvn = 14 [ json_name = "str_min_isvsvn" ]; // The bool string "0" for debuggable, "1" for not debuggable string bool_debug_disabled = 15 [ json_name = "bool_debug_disabled" ]; // The user data for generating the attestation report string hex_user_data = 20 [ json_name = "hex_user_data" ]; // hex string hash or original pem public key string hex_hash_or_pem_pubkey = 21 [ json_name = "hex_hash_or_pem_pubkey" ]; // The independent freshness value besides what is in user data string hex_nonce = 22 [ json_name = "hex_nonce" ]; // The service provider id, e.g. use in sgx1, 64 bytes hex string string hex_spid = 30 [ json_name = "hex_spid" ]; // The report verified time set by verifier if there is trust time string str_verified_time = 40 [ json_name = "str_verified_time" ]; } /// UnifiedAttestationPolicy is used when verifying the attestation report. /// Both main or nested submodule attester support multi-version of instances. message UnifiedAttestationPolicy { // Assume one public key is bound to one report, specify it here. // We can also specify the public key or its hash in the main or submodule // UnifiedAttestationAttributes. Public key verification will happen // in both two places. // NOTE: if there is a submodule attester, we must specify the public key // here to verify the signature of the submodel attestation result. string pem_public_key = 1 [ json_name = "pem_public_key" ]; // For the main attester repeated UnifiedAttestationAttributes main_attributes = 2 [ json_name = "main_attributes" ]; // For submodule attesters UnifiedAttestationNestedPolicies nested_policies = 3 [ json_name = "nested_policies" ]; } /// Match rules for nested reports verification message UnifiedAttestationNestedPolicies { // The group name and id are used for group attestation string str_group_name = 1 [ json_name = "str_group_name" ]; string str_group_id = 2 [ json_name = "str_group_id" ]; repeated UnifiedAttestationNestedPolicy policies = 3 [ json_name = "policies" ]; } /// Match rules for nested report verification message UnifiedAttestationNestedPolicy { repeated UnifiedAttestationAttributes sub_attributes = 3 [ json_name = "sub_attributes" ]; } /// Special Parameters for different TEE platforms, keep consistent with kubetee /// attestation.proto message UnifiedAttestationReportParams { // The identity string for the report instance which is cached inside TEE. // It's optional and usually used in Asynchronous processes. string str_report_identity = 1 [ json_name = "str_report_identity" ]; // The user data in some TEE platforms, Max to 64 Bytes of HEX string. // Users need to convert binary value data to HEX string themselves. string hex_user_data = 2 [ json_name = "hex_user_data" ]; // The JSON serialized string of UnifiedAttestationNestedReports string json_nested_reports = 3 [ json_name = "json_nested_reports" ]; // User specified public key instead of UAK to be put into report_data string pem_public_key = 4 [ json_name = "pem_public_key" ]; // Service Provider ID for SGX1 only string hex_spid = 10 [ json_name = "hex_spid" ]; } message UnifiedAttestationGenerationParams { // For which TEE instance to generate the unified attestation report string tee_identity = 1 [ json_name = "tee_identity" ]; // which type of unified attestation report to be generated string report_type = 2 [ json_name = "report_type" ]; // Provide freshness if necessary. string report_hex_nonce = 3 [ json_name = "report_hex_nonce" ]; UnifiedAttestationReportParams report_params = 4 [ json_name = "report_params" ]; } /// Unified Attestation Report, keep consistent with kubetee attestation.proto message UnifiedAttestationReport { // For compatibility and update later, the current version is "1.0" string str_report_version = 1 [ json_name = "str_report_version" ]; // Valid type string: "BackgroundCheck"|"Passport"|"Uas" string str_report_type = 2 [ json_name = "str_report_type" ]; // The TEE platform name string str_tee_platform = 3 [ json_name = "str_tee_platform" ]; // Different JSON serialized string for each TEE platform // The TEE platforms are in charge of parsing it in their own way. string json_report = 4 [ json_name = "json_report" ]; // The JSON serialized string of UnifiedAttestationNestedReports string json_nested_reports = 9 [ json_name = "json_nested_reports" ]; } /// Unified attestation report with public key authentication message UnifiedAttestationAuthReport { UnifiedAttestationReport report = 1 [ json_name = "report" ]; string pem_public_key = 2 [ json_name = "pem_public_key" ]; } /// UnifiedAttestationReport::json_report for SGX2 DCAP /// Store the quote and PCCS verification collateral for SGX2 DCAP attestation message DcapReport { // For BackgroundCheck type report: Only quote in the report string b64_quote = 1 [ json_name = "b64_quote" ]; // For Passport type report: Quote and collateral in report // The serialized JSON string of the SgxQlQveCollateral string json_collateral = 2 [ json_name = "json_collateral" ]; } /// SGX DCAP quote verification collateral /// Get this after generating the quote and adding it to the report /// In this way, the challenger will don't need to connect PCCS anymore. message SgxQlQveCollateral { // uint32_t, version = 1. PCK Cert chain is in the Quote. int64 version = 1 [ json_name = "version" ]; string pck_crl_issuer_chain = 2 [ json_name = "pck_crl_issuer_chain" ]; string root_ca_crl = 3 [ json_name = "root_ca_crl" ]; string pck_crl = 4 [ json_name = "pck_crl" ]; string tcb_info_issuer_chain = 5 [ json_name = "tcb_info_issuer_chain" ]; string tcb_info = 6 [ json_name = "tcb_info" ]; string qe_identity_issuer_chain = 7 [ json_name = "qe_identity_issuer_chain" ]; string qe_identity = 8 [ json_name = "qe_identity" ]; // < 0x00000000: SGX or 0x00000081: TDX int64 tee_type = 20 [ json_name = "tee_type" ]; } /// UnifiedAttestationReport::json_report for HyperEnclave /// Only a quote is required for HyperEnclave attestation message HyperEnclaveReport { string b64_quote = 1 [ json_name = "b64_quote" ]; } /// UnifiedAttestationReport::json_report for Huawei Kunpeng message KunpengReport { string b64_quote = 1 [ json_name = "b64_quote" ]; int64 int64_version = 2 [ json_name = "int64_version" ]; } /// UnifiedAttestationReport::json_report for Hygon CSV message HygonCsvReport { // For BackgroundCheck type report: Only quote in the report string b64_quote = 1 [ json_name = "b64_quote" ]; // For Passport type report: Quote and collateral in report // The serialized JSON string of the HygonCsvCertChain string json_cert_chain = 2 [ json_name = "json_cert_chain" ]; // Save chip id to avoid to parse it from b64_quote when verify report string str_chip_id = 3 [ json_name = "str_chip_id" ]; } /// UnifiedAttestationReport::json_report for Intel TDX message IntelTdxReport { string b64_quote = 1 [ json_name = "b64_quote" ]; // For Passport type report: Quote and collateral in report // The serialized JSON string of the SgxQlQveCollateral string json_collateral = 2 [ json_name = "json_collateral" ]; } /// Hygon CSV report verification collateral about certificates /// Get this after generating the quote and adding it to the report /// In this way, the challenger will don't need to connect PCCS anymore. message HygonCsvCertChain { // The Base64 string of hygon_root_cert_t string b64_hsk_cert = 1 [ json_name = "b64_hsk_cert" ]; // The Base64 string of csv_cert_t string b64_cek_cert = 2 [ json_name = "b64_cek_cert" ]; }