Defaulting to EAR attestation policy

Signed-off-by: Leonardo Milleri <[email protected]>

README.md

@@ -139,9 +139,13 @@ data:
         "work_dir": "/opt/confidential-containers/attestation-service",
         "policy_engine": "opa",
         "rvps_config": {
-           "remote_addr":"http://127.0.0.1:50003"
+            "type": "BuiltIn",
+            "remote_addr":"http://127.0.0.1:50003"
+        },
+        "attestation_token_broker": {
+          "type": "Ear",
+          "policy_dir": "/opt/confidential-containers/attestation-service/policies"
         },
-        "attestation_token_broker": "Simple",
         "attestation_token_config": {
           "duration_min": 5
         }
@@ -271,7 +275,7 @@ data:
       reference-values.json: |
         [
           {
-            "name": "sample.svn",
+            "name": "svn",
             "expired": "2025-01-01T00:00:00Z",
             "hash-value": [
               {

config/samples/all-in-one/attestation-policy.yaml

@@ -7,67 +7,129 @@ data:
   default.rego: |
     package policy
 
-    import future.keywords.every
-
-    default allow = false
-
-    allow {
-      every k, v in input {
-        # `judge_field`: Traverse each key value pair in the input and make policy judgments on it.
-        #
-        # For each key value pair:
-        #	* If there isn't a corresponding key in the reference:
-        #		It is considered that the current key value pair has passed the verification.
-        #	* If there is a corresponding key in the reference:
-        #		Call `match_value` to further judge the value in input with the value in reference.
-        judge_field(k, v)
-      }
-    }
+    import rego.v1
 
-    judge_field(input_key, input_value) {
-      has_key(data.reference, input_key)
-      reference_value := data.reference[input_key]
-
-      # `match_value`: judge the value in input with the value in reference.
-      #
-      # * If the type of reference value is not array:
-      #		Judge whether input value and reference value are equal。
-      # * If the type of reference value is array:
-      #		Call `array_include` to further judge the input value with the values in the array.
-      match_value(reference_value, input_value)
-    }
+    # This policy validates multiple TEE platforms
+    # The policy is meant to capture the TCB requirements
+    # for confidential containers.
 
-    judge_field(input_key, input_value) {
-      not has_key(data.reference, input_key)
-    }
+    # This policy is used to generate an EAR Appraisal.
+    # Specifically it generates an AR4SI result.
+    # More informatino on AR4SI can be found at
+    # <https://datatracker.ietf.org/doc/draft-ietf-rats-ar4si/>
+
+    # For the `executables` trust claim, the value 33 stands for
+    # "Runtime memory includes executables, scripts, files, and/or
+    #  objects which are not recognized."
+    default sample_executables := 33
+
+    default snp_executables := 33
+
+    default tdx_executables := 33
+
+    default az_snp_executables := 33
+
+    default az_tdx_executables := 33
+
+    default se_executables := 33
+
+    # For the `hardware` trust claim, the value 97 stands for
+    # "A Verifier does not recognize an Attester's hardware or
+    #  firmware, but it should be recognized."
+    default sample_hardware := 97
+
+    default snp_hardware := 97
+
+    default tdx_hardware := 97
+
+    default az_snp_hardware := 97
+
+    default az_tdx_hardware := 97
 
-    match_value(reference_value, input_value) {
-      not is_array(reference_value)
-      input_value == reference_value
+    default se_hardware := 97
+
+    # For the `configuration` trust claim the value 36 stands for
+    # "Elements of the configuration relevant to security are
+    #  unavailable to the Verifier."
+    default sample_configuration := 36
+
+    default snp_configuration := 36
+
+    default tdx_configuration := 36
+
+    default az_snp_configuration := 36
+
+    default az_tdx_configuration := 36
+
+    default se_configuration := 36
+
+    executables := min({sample_executables, snp_executables, tdx_executables, az_snp_executables, az_tdx_executables, se_executables})
+
+    hardware := min({sample_hardware, snp_hardware, tdx_hardware, az_snp_hardware, az_tdx_hardware, se_hardware})
+
+    configuration := min({sample_configuration, snp_configuration, tdx_configuration, az_snp_configuration, az_tdx_configuration, se_configuration})
+
+    ##### Sample
+
+    # For the `executables` trust claim, the value 3 stands for
+    # "Only a recognized genuine set of approved executables have
+    #  been loaded during the boot process."
+    sample_executables := 3 if {
+      # The sample attester does not report any launch digest.
+      # This is an example of how a real platform might validate executables.
+      input.sample.launch_digest in data.reference.launch_digest
     }
 
-    match_value(reference_value, input_value) {
-      is_array(reference_value)
+    # For the `hardware` trust claim, the value 2 stands for
+    # "An Attester has passed its hardware and/or firmware
+    #  verifications needed to demonstrate that these are genuine/
+    #  supported.
+    sample_hardware := 2 if {
+      input.sample.svn in data.reference.svn
+    }
 
-      # `array_include`: judge the input value with the values in the array.
-      #
-      # * If the reference value array is empty:
-      #		It is considered that the current input value has passed the verification.
-      # * If the reference value array is not empty:
-      #		Judge whether there is a value equal to input value in the reference value array.
-      array_include(reference_value, input_value)
+    ##### SNP
+    snp_executables := 3 if {
+      # In the future, we might calculate this measurement here various components
+      input.sample.launch_measurement in data.reference.snp_launch_measurement
     }
 
-    array_include(reference_value_array, input_value) {
-      reference_value_array == []
+    snp_hardware := 2 if {
+      # Check the reported TCB to validate the ASP FW
+      input.snp.reported_tcb_bootloader in data.reference.snp_bootloader
+      input.snp.reported_tcb_microcode in data.reference.snp_microcode
+      input.snp.reported_tcb_snp in data.reference.snp_snp_svn
+      input.snp.reported_tcb_tee in data.reference.snp_tee_svn
     }
 
-    array_include(reference_value_array, input_value) {
-      reference_value_array != []
-      some i
-      reference_value_array[i] == input_value
+    # For the 'configuration' trust claim 2 stands for
+    # "The configuration is a known and approved config."
+    #
+    # For this, we compare all the configuration fields.
+    snp_configuration := 2 if {
+      input.snp.policy_debug_allowed == 0
+      input.snp.policy_migrate_ma == 0
+      input.snp.platform_smt_enabled in data.reference.snp_smt_enabled
+      input.snp.platform_tsme_enabled in data.reference.snp_tsme_enabled
+      input.snp.policy_abi_major in data.reference.snp_guest_abi_major
+      input.snp.policy_abi_minor in data.reference.snp_guest_abi_minor
+      input.snp.policy_single_socket in data.reference.snp_single_socket
+      input.snp.policy_smt_allowed in data.reference.snp_smt_allowed
     }
 
-    has_key(m, k) {
-      _ = m[k]
+    # For the `configuration` trust claim 3 stands for
+    # "The configuration includes or exposes no known
+    #  vulnerabilities."
+    #
+    # In this check, we do not specifically check every
+    # configuration value, but we make sure that some key
+    # configurations (like debug_allowed) are set correctly.
+    else := 3 if {
+      input.snp.policy_debug_allowed == 0
+      input.snp.policy_migrate_ma == 0
     }
+
+    ##### TDX TODO
+    ##### AZ SNP TODO
+    ##### AZ TDX TODO
+    ##### SE TODO

config/samples/all-in-one/kbs-config.yaml

@@ -22,6 +22,7 @@ data:
     policy_engine = "opa"
       [attestation_service.attestation_token_broker]
       type = "Ear"
+      policy_dir = "/opt/confidential-containers/attestation-service/policies"
       [attestation_service.attestation_token_config]
       duration_min = 5
       [attestation_service.rvps_config]

config/samples/all-in-one/resource-policy.yaml

@@ -7,4 +7,8 @@ data:
   policy.rego: |
     package policy
 
-    default allow = true
+    default allow = false
+
+    allow {
+      input["submods"]["cpu"]["ear.status"] != "contraindicated"
+    }

config/samples/all-in-one/rvps-reference-values.yaml

@@ -6,4 +6,14 @@ metadata:
 data:
   reference-values.json: |
     [
+      {
+        "name": "svn",
+        "expiration": "2025-01-01T00:00:00Z",
+        "hash-value": [
+          {
+            "alg": "sha256",
+            "value": "1"
+          }
+        ]
+      }
     ]

config/samples/microservices/as-config.yaml

@@ -13,7 +13,8 @@ data:
             "remote_addr":"http://127.0.0.1:50003"
         },
         "attestation_token_broker": {
-          "type": "Ear"
+          "type": "Ear",
+          "policy_dir": "/opt/confidential-containers/attestation-service/policies"
         },
         "attestation_token_config": {
           "duration_min": 5