Skip to content

Add initdata toml plaintext support#828

Merged
Xynnn007 merged 10 commits intoconfidential-containers:mainfrom
Xynnn007:feat-initdata
Jul 10, 2025
Merged

Add initdata toml plaintext support#828
Xynnn007 merged 10 commits intoconfidential-containers:mainfrom
Xynnn007:feat-initdata

Conversation

@Xynnn007
Copy link
Member

@Xynnn007 Xynnn007 commented Jun 20, 2025
edited
Loading

This PR mainly adds the KBS protocol and the AS verification function for initdata toml. The corresponding PR is confidential-containers/guest-components#1031

@Xynnn007 Xynnn007 force-pushed the feat-initdata branch 4 times, most recently from 73c83de to 9e73fd0 Compare June 23, 2025 03:01
@Xynnn007 Xynnn007 changed the title Add initdata plaintext support Add initdata toml plaintext support Jun 23, 2025
@Xynnn007 Xynnn007 marked this pull request as ready for review June 23, 2025 04:16
@Xynnn007 Xynnn007 requested a review from a team as a code owner June 23, 2025 04:16
fitzthum
fitzthum reviewed Jun 30, 2025
View reviewed changes
Copy link
Member

@fitzthum fitzthum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Two comments.

@Xynnn007 Xynnn007 force-pushed the feat-initdata branch 6 times, most recently from b16575e to 967707d Compare July 3, 2025 06:35
fitzthum
fitzthum approved these changes Jul 7, 2025
View reviewed changes
Copy link
Member

@fitzthum fitzthum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Xynnn007 added 9 commits July 10, 2025 14:18
@Xynnn007
chore(deps): update kbs-types version
f23b6bc 
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
@Xynnn007
AS: add parsing initdata toml
f4905d9 
The original design of initdata and runtime assume both are json. But
now we are using initdata toml thus we need to add some more logic to
handle the initdata toml. AS will bring the `data` field of initdata
toml into parsed claims if the integration check passes.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
@Xynnn007
AS: fix gRPC binary initdata reading logic
b2d0646 
Now we do not need the initdata hash algorithm, which should be provided
inside the initdata toml itself.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
@Xynnn007
verifier: fix sample verifier of initdata logic
26cc869 
The sample evidence does not have `initdata` field on the attester side.
Also, it does not support check initdata.

signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
@Xynnn007
KBS: Add support for runtime data and init data
761779c 
Due to the new change upon kbs protocol, we bring intidata and runtime
field into Attestation message level. This patch handles the runtime
data binding checking and initdata binding checking logic on the KBS
side.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
@Xynnn007
AS: add initdata support for RESTful AS
10a84e7 
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
@Xynnn007
docs: update restful AS initdata part
225e524 
Now we support initdata digest and initdata toml as input to Attestation
Service.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
@Xynnn007
KBS: update KBS protocol version
09d0107 
Now the Attestation message is not compatible with previous versions,
thus we need to bump a new version.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
@Xynnn007
AS: use json canonical order for runtime data
367553e 
When checking runtime data binding against the evidence, we should have
a determined serialization method from a JSON value into a material that
is used to derive the digest.

serde_json has different behavior between a struct and a
serde_json::Value when serialization, thus causing inconsistant for
runtime data binding check.

In this patch we use canonical json serialization following RFC 8785 to
have a consistent report data.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
@Xynnn007
Copy link
Member Author

Xynnn007 commented Jul 10, 2025

blocked by a dependency conflict error. will be fix via veraison/rust-apiclient#24

@Xynnn007
chore(deps): update cca suites
3fb6f57 
The old version of cca dependency suites are using an old version of
serde_with, which will cause dependency conflict. This patch updates the
two suites.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
@Xynnn007 Xynnn007 merged commit 6d77d83 into confidential-containers:main Jul 10, 2025
35 of 36 checks passed
@Xynnn007 Xynnn007 deleted the feat-initdata branch July 10, 2025 07:53
@Jakob-Naucke Jakob-Naucke mentioned this pull request Oct 6, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mkulke mkulke mkulke approved these changes

@fitzthum fitzthum fitzthum approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Xynnn007 @mkulke @fitzthum