Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

verifier: Rename user_data to report_data in SeAttestationClaims #658

Merged
merged 1 commit into from
Jan 10, 2025
Merged

verifier: Rename user_data to report_data in SeAttestationClaims #658

merged 1 commit into from
Jan 10, 2025

Conversation

BbolroC
Copy link
Member

@BbolroC BbolroC commented Jan 10, 2025
edited
Loading

The EAR token broker does not insert the report_data for SE attestation claim because there is no matching field in SeAttestationClaims. The absence leads to TokenVerifierError(NoTeePubKeyClaimFound) after successful attestation.

As an interim solution, this PR renames the existing user_data to report_data, enabling the token broker to perform its task correctly.

Signed-off-by: Hyounggyu Choi Hyounggyu.Choi@ibm.com

@BbolroC BbolroC requested a review from a team as a code owner January 10, 2025 15:55
@BbolroC
verifier: Rename user_data to report_data in SeAttestationClaims
4f0bfa4 
The EAR token broker does not insert the `report_data` for SE attestation claim
because there is no matching field in `SeAttestationClaims`.
The absence leads to `TokenVerifierError(NoTeePubKeyClaimFound)`
after successful attestation.

As an interim solution, this commit renames the existing `user_data` to
`report_data`, enabling the token broker to perform its task correctly.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
@BbolroC BbolroC force-pushed the fix-report_data-for-se-verifier branch from 7f40050 to 4f0bfa4 Compare January 10, 2025 15:57
fitzthum
fitzthum approved these changes Jan 10, 2025
View reviewed changes
Copy link
Member

@fitzthum fitzthum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For some context, the EAR tokens will only expose the TEE public key if the verifier returns the report_data claim. This is by design. It means that for verifiers that don't check the binding of the report data, the token isn't very useful.

To work around this, we can add that claim to the output of the SE verifier. This is only a temporary workaround. The SE verifier will need to be improved to actually check the binding.

@fitzthum
Copy link
Member

Also, btw I am preparing a PR to fix a similar issue for SNP, where we don't report report_data even though we do check the binding.

@fitzthum fitzthum merged commit 4cc5575 into confidential-containers:main Jan 10, 2025
20 checks passed
@BbolroC BbolroC deleted the fix-report_data-for-se-verifier branch January 10, 2025 17:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fitzthum fitzthum fitzthum approved these changes

@mkulke mkulke mkulke approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@BbolroC @fitzthum @mkulke