confidential-containers · fitzthum · Jun 24, 2024 · Jun 22, 2024
@@ -12,6 +12,7 @@ Now the following types of evidence are supported:
 - `sample`: A fake platform. Only for test and sample
 - `csv`: Hygon CSV
 - `aztdxvtpm`: Azure TDX vTPM
+- `se`: IBM Secure Execution
 
 ## Quick Start
 

@@ -96,9 +96,9 @@ Note: The TD Report and TD Quote are fetched during early boot in this TEE. Kern
 ## IBM Secure Execution (SE)
 - `se.version`: The version this quote structure.
 - `se.cuid`: The unique ID of the attested guest (configuration uniqe ID).
-- `se.hdr.tag`: SE header tag.
-- `se.image.phkh`: SE image public host key hash
-- `se.attestation.phkh`: SE attestation public host key hash
+- `se.tag`: SE header tag.
+- `se.image_phkh`: SE image public host key hash
+- `se.attestation_phkh`: SE attestation public host key hash
 - `se.user_data`: Optional custom attestation owner data, could be key:value pairs collected on guest.
 
 ## AMD SEV-SNP

@@ -81,4 +81,5 @@ We will introduce the format of policy by providing some examples to show the us
 
 1. The [default policy](../attestation-service/src/policy_engine/opa/default_policy.rego). This policy will check whether each entry in the [parsed claims](./parsed_claims.md) generated by the input evidence matches the reference value obtained from RVPS.
 2. An [SGX policy](../tests/coco-as/policy/example-1.rego). The client want to ensure the `mr_signer` and `mrenclave` are both expected value.
-3. A [TDX policy](../tests/coco-as/policy/example-2.rego). The client want to ensure the TDX module (reflected by `tdx.quote.body.mr_seam`), guest firmware (reflected by `tdx.quote.body.mr_td`), kernel (reflected by `tdx.ccel.kernel`) are all as expected.
+3. A [TDX policy](../tests/coco-as/policy/example-2.rego). The client want to ensure the TDX module (reflected by `tdx.quote.body.mr_seam`), guest firmware (reflected by `tdx.quote.body.mr_td`), kernel (reflected by `tdx.ccel.kernel`) are all as expected.
+4. A [IBM SE policy](../tests/coco-as/policy/example-3.rego). The client want to ensure the `se.version`, `se.tag`, `se.user_data`, `se.image_phkh` and `se.attestation_phkh` are all expected value.
@@ -12,6 +12,7 @@ Now the following types of evidence are supported:
 - `sample`: A fake platform. Only for test and sample
 - `csv`: Hygon CSV
 - `aztdxvtpm`: Azure TDX vTPM
+- `se`: IBM Secure Execution
 
 ## Quick Start
 

@@ -0,0 +1,13 @@
+package policy
+import rego.v1
+default allow = false
+
+converted_version := sprintf("%v", [input["se.version"]])
+
+allow if {
+	converted_version == "256"
+	input["se.user_data"] == "00"
+	input["se.tag"] == "773780962a7350165054673b6c54235d"
+	input["se.image_phkh"] == "92d0aff6eb86719b6b1ea0cb98d2c99ff2ec693df3efff2158f54112f6961508"
+	input["se.attestation_phkh"] == "92d0aff6eb86719b6b1ea0cb98d2c99ff2ec693df3efff2158f54112f6961508"
+}
@@ -130,7 +130,6 @@ services:
       - ./kbs-config.toml:/etc/kbs-config.toml
       - ./data/hkds:/run/confidential-containers/ibmse/hkds
       - ./data/certs:/run/confidential-containers/ibmse/certs
-      - ./data/DigiCertCA.crt:/run/confidential-containers/ibmse/DigiCertCA.crt
       - ./data/crls:/run/confidential-containers/ibmse/crls
       - ./data/hdr.bin:/run/confidential-containers/ibmse/hdr/hdr.bin
       - ./data/rsa/encrypt_key.pem:/run/confidential-containers/ibmse/rsa/encrypt_key.pem
@@ -142,12 +141,12 @@ services:
 ```
 .
 ├── data
-│   ├── DigiCertCA.crt
 │   ├── attestation-service
 │   │   ├── opa
 │   │   │   └── default.rego
 │   ├── certs
-│   │   └── ibm-z-host-key-signing-gen2.crt
+│   │   ├── ibm-z-host-key-signing-gen2.crt
+│   │   └── DigiCertCA.crt
 │   ├── crls
 │   │   └── ibm-z-host-key-gen2.crl
 │   ├── hdr.bin