Attestation Libraries for Confidential Computing: Veraison and SPDM Tools

Author:  Sal Kimmich

In the realm of confidential computing, ensuring trust and security in computing environments is paramount. Attestation libraries and tools provide essential components to build systems that can produce and verify evidence of trustworthiness. This blog explores the concept of attestation in confidential computing and highlights two significant projects within the Confidential Computing Consortium (CCC): Veraison and SPDM Tools.

What is Attestation in Confidential Computing?

Attestation is the process by which the hardware provides evidence about itself and the software running under its protection. Any other party can use this evidence to evaluate the trustworthiness of the Trusted Execution Environment. This process is critical in confidential computing to establish and maintain trust in computing environments, ensuring that sensitive data and operations are protected from unauthorized access and tampering.

Key Components of Attestation

1. Evidence Generation:
   • The hardware (e.g., a device or CPU) generates evidence about its state, such as cryptographic measurements and signatures.
2. Evidence Verification:
   • The verifier evaluates the provided evidence against a set of policies or reference values to determine the entity’s trustworthiness.
3. Trust Anchors:
   • Cryptographic roots of trust (e.g., certificates) used to validate the identity.

Veraison: A Comprehensive Attestation Verification Service

Project Veraison builds software components to facilitate the creation of an Attestation Verification Service. Here’s how Veraison operates and its significance:

Overview

• Purpose: Veraison aims to simplify the development of attestation verification services by providing reusable software components. These components include verification and provisioning pipelines that can be extended with plugins to support specific attestation technologies.
• Flexibility: The project’s core components are designed to adapt to various deployment environments through abstractions, allowing for custom service creation without the need for extensive bespoke development.

Key Features

1. Verification Pipelines:
   • Core structures for verifying attestation evidence, ensuring that it meets established trust policies.
2. Provisioning Pipelines:
   • Components that manage the provisioning of data required for evidence appraisal, sourced from authoritative sources.
3. Extensibility:
   • Support for plugins allows the service to handle various attestation technologies, making it versatile and adaptable to different use cases.
4. Community and Collaboration:
   • Veraison is a collaborative project with active community involvement, including regular public meetings and contributions from multiple organizations.

Use Case: Veraison in Action

Veraison provides reference implementations to demonstrate integration principles, offering a convenient basis for developing substantive attestation verification services. These reference implementations showcase how the core components and plugins work together to create a robust verification system. 

Veraison also supports REST APIs to assist in end-to-end integration with attestation scemes, or can be used as verification components within a custom deployment. A great example of this is a key broker service, where successful attestation verification a key released to a Trusted Execution Environment. 

SPDM Tools: Enhancing Security with Attestation Protocols

SPDM (Security Protocol and Data Model) Tools offer libraries and utilities to implement the SPDM protocol, a standardized framework for secure communication and attestation between devices.

Overview

• Purpose: SPDM Tools provide essential functionality for implementing the SPDM protocol, ensuring secure communication and attestation across various platforms.
• Interoperability: The tools ensure interoperability between different devices and platforms, promoting a unified approach to security and attestation.

Key Features

1. Protocol Implementation:
   • Comprehensive support for the SPDM protocol, enabling secure communication and attestation across various platforms.
2. Utilities and Libraries:
   • A suite of tools and libraries that simplify the implementation and management of SPDM-based attestation solutions.
3. Standardization:
   • By adhering to the SPDM standard, the tools promote consistency and reliability in attestation processes across different devices and environments.

Use Case: SPDM Tools in Secure Device Communication

SPDM Tools can establish secure communication channels between devices, ensuring that each device can verify the trustworthiness of the other before exchanging sensitive information. This capability is crucial in scenarios such as building a trusted channel between an accelerator device like a GPU and a Confidential Virtual Machine (CVM)..

SPDM-RS: A Rust Implementation for SPDM Protocols

SPDM-RS is a project within the CCC that provides a Rust language implementation of the SPDM, IDE_KM, and TDISP protocols. These protocols facilitate direct device assignment for Trusted Execution Environment I/O (TEE-I/O) in Confidential Computing.

Key Features

1. SPDM Protocol Implementation:
   • Supports various SPDM requests and responses, including version negotiation, capability negotiation, algorithm negotiation, and more.
2. IDE_KM and TDISP Protocols:
   • Implements protocols for secure communication and device management, enhancing the trust boundary of Confidential Virtual Machines (CVMs).
3. Cryptographic Algorithm Support:
   • Includes support for cryptographic algorithms such as SHA-256/384/512, RSA, ECDSA, AES-GCM, and ChaCha20Poly1305.
4. Cross-Platform Support:
   • Designed to work across different platforms, ensuring broad applicability in various confidential computing scenarios.

Conclusion

Attestation libraries and tools are vital for ensuring the trustworthiness of confidential computing environments. Projects like Veraison and SPDM Tools within the Confidential Computing Consortium provide essential components for building robust attestation solutions. By leveraging these tools, developers can create systems that securely verify and manage trust, protecting sensitive data and operations from potential threats.