[Guardian] Verify Nitro enclave attestation + pin PCR0 #666
Open
mskd12 wants to merge 8 commits into
…ey anchor)

`verify_enclave_attestation` now actually verifies the AWS Nitro attestation via fastcrypto's `nitro_attestation` module instead of being a no-op:
- parse + verify the COSE_Sign1 signature and the X.509 cert chain to the AWS Nitro root, freshness checked against now (ms).
- anchor the document's `public_key` to the session signing pubkey — the enclave binds its signing key into the attestation.

Gated behind `non-enclave-dev` (+ cfg(test)) so off-enclave/dev/e2e builds, which run a mock enclave, accept the stub document; the feature propagates from hashi-guardian's existing `non-enclave-dev`.

Pins fastcrypto to the `nitro-attestation` branch.

TODO(check C): pin the document's PCRs against an expected set.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
`ExpectedPcrs` mandates PCR0 at construction (`ExpectedPcrs::new`), and is threaded from config to `verify_enclave_attestation`, which pins the attestation's PCR0 (the EIF image hash) after the COSE/cert/pubkey checks:
- source -> sink: an `expected_pcr0` config field -> `GuardianReader::new` -> `GuardianSessionKeyCache` -> `get_verified_enclave_pubkey`, plus `GetGuardianInfoResponse::verify(&ExpectedPcrs)` for the relay path.
- Both the provisioner (`ProvisionerConfig`) and the monitor auditor (`hashi-monitor` `Config`) supply `expected_pcr0`; sample YAMLs + README updated.

A single mandatory PCR0 for now; accepting multiple measurements during a software upgrade is a follow-up (TODO on `ExpectedPcrs`).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
0e8ac5e to 293abf5
- Drop needless `return` in verify_enclave_attestation dev stub (clippy).
- Add expected_pcr0 to the two hashi-monitor test Config literals.
- Commit the hex Cargo.lock entry for hashi-monitor (docs is-dirty).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…attestation-verify

# Conflicts:
#	crates/hashi-guardian-init/src/provisioner.rs
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
A build's measurement set is the durable concept; the future commit->PCRs allowlist will be a separate type keyed on untrusted_git_revision. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Turns `verify_enclave_attestation` from a no-op into real AWS Nitro verification, and pins PCR0 from config.

Verify
- `parse_nitro_attestation` → `verify_nitro_attestation` (fastcrypto `nitro_attestation`): COSE_Sign1 signature + X.509 cert chain to the AWS Nitro root, freshness against `now_timestamp_ms()` (the API takes millis).
- `doc.public_key == signing_pubkey` (the enclave binds its signing key into the attestation).
- `nitro-attestation` branch tip (prior rev + that module; safe superset).

PCR0 pinning
- `BuildPcrs` — one build's PCR set — mandates PCR0 at construction (`BuildPcrs::new(pcr0)`, no empty/`Default`), so a pinning policy can't omit it. `verify_enclave_attestation` pins `doc.pcr_map[0]` against it.
- `expected_pcr0` config field → `GuardianReader::new` → `GuardianSessionKeyCache` → `get_verified_enclave_pubkey`, plus `GetGuardianInfoResponse::verify(&BuildPcrs)` for the relay path. Mandatory for all readers — both the provisioner and the monitor auditor supply `expected_pcr0` (configs + sample YAMLs + README updated).

Dev/test
Gated `cfg(any(test, feature = "non-enclave-dev"))` → no-op for the mock enclave; the flag propagates from `hashi-guardian`'s `non-enclave-dev` to `hashi-types/non-enclave-dev`, so `e2e` needs no change. Prod enables neither → real verification + PCR0 pinning.

Follow-up
`BuildPcrs` holds a single PCR set, so it doesn't yet accept the two valid measurements that coexist during a software upgrade. The next PR adds a `commit → BuildPcrs` allowlist keyed on `untrusted_git_revision` (TODOs left on `BuildPcrs` and `s3_reader`).

🤖 Generated with Claude Code
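
The key anchor and PCR0 pin described in this PR, as an added sketch that is not code from the PR, hashi, or fastcrypto. `VerifiedDoc`, `AttestError` and `check_key_and_pcr0` are hypothetical names; the document is assumed to have already passed COSE signature, cert chain and freshness verification, and the length and all-zero checks in `BuildPcrs::new` are assumptions added here.

```rust
use std::collections::BTreeMap;

const PCR_LEN: usize = 48; // Nitro PCRs are SHA-384 digests

#[derive(Debug, PartialEq)]
pub enum AttestError { BadExpectedPcr0, KeyNotBound, Pcr0Missing, Pcr0Mismatch }

/// One build's measurement set: no `Default`, no empty constructor, so PCR0 is always pinned.
pub struct BuildPcrs { pcr0: [u8; PCR_LEN] }

impl BuildPcrs {
    pub fn new(pcr0: &[u8]) -> Result<Self, AttestError> {
        // Assumption: reject wrong lengths and the all-zero PCR0 of debug-mode enclaves.
        if pcr0.len() != PCR_LEN || pcr0.iter().all(|b| *b == 0) {
            return Err(AttestError::BadExpectedPcr0);
        }
        let mut buf = [0u8; PCR_LEN];
        buf.copy_from_slice(pcr0);
        Ok(BuildPcrs { pcr0: buf })
    }
}

/// Hypothetical stand-in for a document that already passed COSE/cert/freshness checks.
pub struct VerifiedDoc {
    pub public_key: Option<Vec<u8>>,
    pub pcr_map: BTreeMap<u8, Vec<u8>>,
}

pub fn check_key_and_pcr0(doc: &VerifiedDoc, key: &[u8], want: &BuildPcrs) -> Result<(), AttestError> {
    // 1. Key anchor: the document must carry the session signing key.
    if doc.public_key.as_deref() != Some(key) {
        return Err(AttestError::KeyNotBound);
    }
    // 2. PCR0 (the EIF image hash) must equal the pinned measurement.
    let got = doc.pcr_map.get(&0).ok_or(AttestError::Pcr0Missing)?;
    if got.as_slice() != &want.pcr0[..] {
        return Err(AttestError::Pcr0Mismatch);
    }
    Ok(())
}

fn main() {
    // Constructed sample values, not real attestation data.
    let pinned = BuildPcrs::new(&[0xabu8; PCR_LEN]).unwrap();
    let mut pcr_map = BTreeMap::new();
    pcr_map.insert(0u8, vec![0xcdu8; PCR_LEN]);
    let doc = VerifiedDoc { public_key: Some(b"session-key".to_vec()), pcr_map };
    println!("{:?}", check_key_and_pcr0(&doc, b"session-key", &pinned));
}
```
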