Skip to content

attestation-agent

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

attestation-agent

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
attestation-agent
attestation-agent
 
 
attester
attester
 
 
ci
ci
 
 
coco_keyprovider
coco_keyprovider
 
 
deps
deps
 
 
docker
docker
 
 
docs
docs
 
 
hack
hack
 
 
kbc
kbc
 
 
kbs_protocol
kbs_protocol
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 

README.md

Attestation Agent

Attestation Agent (AA for short) is a service function set for attestation procedure in Confidential Containers. It provides kinds of service APIs related to attestation.

Current consumers of AA include:

Components

The main body of AA is a rust library crate, which contains KBC modules used to communicate with various KBS. In addition, this project also provides a gRPC service application, which allows callers to call the services provided by AA through gRPC.

Library crate

Import AA in Cargo.toml of your project with all platform supported:

attestation-agent = { git = "https://github.com/confidential-containers/guest-components", features = ["all-attesters"] }

Note: When the version is stable, we will release AA on https://crate.io.

gRPC Application

Here are the steps of building and running gRPC application of AA:

Build

Build and install with default KBC modules:

git clone https://github.com/confidential-containers/guest-components
cd guest-components/attestation-agent
make && make install

or explicitly specify the platform it supports. Taking tdx as example:

make ATTESTER=tdx-attester

with no platform supported

make ATTESTER=none

with all platforms supported

make ATTESTER=all-attesters

Musl

To build and install with musl, just run:

make LIBC=musl && make install

Openssl support

To build and install with openssl support (which is helpful in specific machines like s390x)

make OPENSSL=1 && make install

Run

For help information, just run:

attestation-agent --help

Start AA and specify the endpoint of AA's gRPC service:

attestation-agent --attestation_sock 127.0.0.1:50002

Or start AA with default address (127.0.0.1:50002)

attestation-agent

If you want to see the runtime log:

RUST_LOG=attestation_agent attestation-agent --attestation_sock 127.0.0.1:50002

ttRPC

To build and install ttRPC Attestation Agent, just run:

make ttrpc=true && make install

ttRPC AA now only support Unix Socket, for example:

attestation-agent --attestation_sock unix:///tmp/attestation.sock

Supported Platforms

AA supports different kinds of hardware TEE attesters, now

Attester name Info
tdx-attester Intel TDX
tdx-attester-libtdx Intel TDX (using libtdx-attest for certain non-upstream Linux ioctl()s). Disabled by default.
sgx-attester Intel SGX DCAP
snp-attester AMD SEV-SNP
az-snp-vtpm-attester Azure SEV-SNP CVM
az-tdx-vtpm-attester Azure TDX CVM
cca-attester Arm Confidential Compute Architecture (CCA)
se-attester IBM Secure Execution (SE)

To build AA with all available attesters and install, use

make ATTESTER=all-attesters && make install