Add initdata toml plaintext support #828
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Xynnn007
force-pushed
the
feat-initdata
branch
4 times, most recently
from
73c83de to
9e73fd0
Compare
Xynnn007
changed the title
Xynnn007
force-pushed
the
feat-initdata
branch
6 times, most recently
from
b16575e to
967707d
Compare
mkulke
approved these changes
Jul 3, 2025
Signed-off-by: Xynnn007 <[email protected]>
The original design of initdata and runtime assume both are json. But now we are using initdata toml thus we need to add some more logic to handle the initdata toml. AS will bring the `data` field of initdata toml into parsed claims if the integration check passes. Signed-off-by: Xynnn007 <[email protected]>
Now we do not need the initdata hash algorithm, which should be provided inside the initdata toml itself. Signed-off-by: Xynnn007 <[email protected]>
The sample evidence does not have `initdata` field on the attester side. Also, it does not support check initdata. signed-off-by: Xynnn007 <[email protected]>
Due to the new change upon kbs protocol, we bring intidata and runtime field into Attestation message level. This patch handles the runtime data binding checking and initdata binding checking logic on the KBS side. Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Now we support initdata digest and initdata toml as input to Attestation Service. Signed-off-by: Xynnn007 <[email protected]>
Now the Attestation message is not compatible with previous versions, thus we need to bump a new version. Signed-off-by: Xynnn007 <[email protected]>
When checking runtime data binding against the evidence, we should have a determined serialization method from a JSON value into a material that is used to derive the digest. serde_json has different behavior between a struct and a serde_json::Value when serialization, thus causing inconsistant for runtime data binding check. In this patch we use canonical json serialization following RFC 8785 to have a consistent report data. Signed-off-by: Xynnn007 <[email protected]>
Member
Author
|
blocked by a dependency conflict error. will be fix via veraison/rust-apiclient#24 |
The old version of cca dependency suites are using an old version of serde_with, which will cause dependency conflict. This patch updates the two suites. Signed-off-by: Xynnn007 <[email protected]>
Xynnn007
merged commit 6d77d83
into
confidential-containers:main
35 of 36 checks passed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR mainly adds the KBS protocol and the AS verification function for initdata toml. The corresponding PR is confidential-containers/guest-components#1031