@reclaimprotocol/attestor-core 5.0.6 → 5.0.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -1
- package/lib/config/index.d.ts +2 -2
- package/lib/external-rpc/index.js +78 -29
- package/lib/index.js +78 -29
- package/lib/proto/api.d.ts +2 -0
- package/lib/proto/attest.d.ts +435 -0
- package/lib/proto/attestation.d.ts +261 -0
- package/lib/proto/google/protobuf/wrappers.d.ts +132 -0
- package/lib/proto/sevsnp.d.ts +144 -0
- package/lib/proto/state.d.ts +288 -0
- package/lib/proto/tdx.d.ts +165 -0
- package/lib/proto/tpm.d.ts +104 -0
- package/lib/providers/http/utils.d.ts +1 -2
- package/lib/server/utils/sev-snp/allowlist.d.ts +13 -0
- package/lib/server/utils/sev-snp/gcp.d.ts +15 -0
- package/lib/server/utils/sev-snp/nitrotpm.d.ts +19 -0
- package/lib/server/utils/sev-snp/sev-report.d.ts +11 -0
- package/lib/server/utils/sev-snp/verify.d.ts +59 -0
- package/lib/server/utils/sev-snp/verify.test.d.ts +1 -0
- package/package.json +6 -3
|
@@ -0,0 +1,435 @@
|
|
|
1
|
+
import { BinaryReader, BinaryWriter } from "@bufbuild/protobuf/wire";
|
|
2
|
+
import { NvidiaAttestationReport } from "./attestation.ts";
|
|
3
|
+
import { Attestation as Attestation1 } from "./sevsnp.ts";
|
|
4
|
+
import { QuoteV4 } from "./tdx.ts";
|
|
5
|
+
import { HashAlgo, Quote } from "./tpm.ts";
|
|
6
|
+
export declare const protobufPackage = "attest";
|
|
7
|
+
/** Type of hardware technology used to protect this instance */
|
|
8
|
+
export declare const GCEConfidentialTechnology: {
|
|
9
|
+
readonly NONE: 0;
|
|
10
|
+
readonly AMD_SEV: 1;
|
|
11
|
+
readonly AMD_SEV_ES: 2;
|
|
12
|
+
readonly INTEL_TDX: 3;
|
|
13
|
+
readonly AMD_SEV_SNP: 4;
|
|
14
|
+
readonly UNRECOGNIZED: -1;
|
|
15
|
+
};
|
|
16
|
+
export type GCEConfidentialTechnology = typeof GCEConfidentialTechnology[keyof typeof GCEConfidentialTechnology];
|
|
17
|
+
export declare namespace GCEConfidentialTechnology {
|
|
18
|
+
type NONE = typeof GCEConfidentialTechnology.NONE;
|
|
19
|
+
type AMD_SEV = typeof GCEConfidentialTechnology.AMD_SEV;
|
|
20
|
+
type AMD_SEV_ES = typeof GCEConfidentialTechnology.AMD_SEV_ES;
|
|
21
|
+
type INTEL_TDX = typeof GCEConfidentialTechnology.INTEL_TDX;
|
|
22
|
+
type AMD_SEV_SNP = typeof GCEConfidentialTechnology.AMD_SEV_SNP;
|
|
23
|
+
type UNRECOGNIZED = typeof GCEConfidentialTechnology.UNRECOGNIZED;
|
|
24
|
+
}
|
|
25
|
+
export declare function gCEConfidentialTechnologyFromJSON(object: any): GCEConfidentialTechnology;
|
|
26
|
+
export declare function gCEConfidentialTechnologyToJSON(object: GCEConfidentialTechnology): string;
|
|
27
|
+
/** Common, publicly-listed certificates by different vendors. */
|
|
28
|
+
export declare const WellKnownCertificate: {
|
|
29
|
+
readonly UNKNOWN: 0;
|
|
30
|
+
/**
|
|
31
|
+
* MS_WINDOWS_PROD_PCA_2011 - Microsoft certs:
|
|
32
|
+
* https://go.microsoft.com/fwlink/p/?linkid=321192
|
|
33
|
+
*/
|
|
34
|
+
readonly MS_WINDOWS_PROD_PCA_2011: 1;
|
|
35
|
+
/** MS_THIRD_PARTY_UEFI_CA_2011 - https://go.microsoft.com/fwlink/p/?linkid=321194 */
|
|
36
|
+
readonly MS_THIRD_PARTY_UEFI_CA_2011: 2;
|
|
37
|
+
/** MS_THIRD_PARTY_KEK_CA_2011 - https://go.microsoft.com/fwlink/p/?linkid=321185 */
|
|
38
|
+
readonly MS_THIRD_PARTY_KEK_CA_2011: 3;
|
|
39
|
+
/** GCE_DEFAULT_PK - GCE certs: */
|
|
40
|
+
readonly GCE_DEFAULT_PK: 4;
|
|
41
|
+
readonly UNRECOGNIZED: -1;
|
|
42
|
+
};
|
|
43
|
+
export type WellKnownCertificate = typeof WellKnownCertificate[keyof typeof WellKnownCertificate];
|
|
44
|
+
export declare namespace WellKnownCertificate {
|
|
45
|
+
type UNKNOWN = typeof WellKnownCertificate.UNKNOWN;
|
|
46
|
+
type MS_WINDOWS_PROD_PCA_2011 = typeof WellKnownCertificate.MS_WINDOWS_PROD_PCA_2011;
|
|
47
|
+
type MS_THIRD_PARTY_UEFI_CA_2011 = typeof WellKnownCertificate.MS_THIRD_PARTY_UEFI_CA_2011;
|
|
48
|
+
type MS_THIRD_PARTY_KEK_CA_2011 = typeof WellKnownCertificate.MS_THIRD_PARTY_KEK_CA_2011;
|
|
49
|
+
type GCE_DEFAULT_PK = typeof WellKnownCertificate.GCE_DEFAULT_PK;
|
|
50
|
+
type UNRECOGNIZED = typeof WellKnownCertificate.UNRECOGNIZED;
|
|
51
|
+
}
|
|
52
|
+
export declare function wellKnownCertificateFromJSON(object: any): WellKnownCertificate;
|
|
53
|
+
export declare function wellKnownCertificateToJSON(object: WellKnownCertificate): string;
|
|
54
|
+
/**
|
|
55
|
+
* The container's restart policy.
|
|
56
|
+
* See the following Kubernetes documentation for more details:
|
|
57
|
+
* https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy
|
|
58
|
+
* Note that these enum variants do not conform to the standard Protocol Buffers
|
|
59
|
+
* Style Guide so that RestartPolicy_name, RestartPolicy_value, and
|
|
60
|
+
* RestartPolicy.String() match the values used by Kubernetes and others.
|
|
61
|
+
*/
|
|
62
|
+
export declare const RestartPolicy: {
|
|
63
|
+
readonly Always: 0;
|
|
64
|
+
readonly OnFailure: 1;
|
|
65
|
+
readonly Never: 2;
|
|
66
|
+
readonly UNRECOGNIZED: -1;
|
|
67
|
+
};
|
|
68
|
+
export type RestartPolicy = typeof RestartPolicy[keyof typeof RestartPolicy];
|
|
69
|
+
export declare namespace RestartPolicy {
|
|
70
|
+
type Always = typeof RestartPolicy.Always;
|
|
71
|
+
type OnFailure = typeof RestartPolicy.OnFailure;
|
|
72
|
+
type Never = typeof RestartPolicy.Never;
|
|
73
|
+
type UNRECOGNIZED = typeof RestartPolicy.UNRECOGNIZED;
|
|
74
|
+
}
|
|
75
|
+
export declare function restartPolicyFromJSON(object: any): RestartPolicy;
|
|
76
|
+
export declare function restartPolicyToJSON(object: RestartPolicy): string;
|
|
77
|
+
/** Confidential Computing mode for GPU device. Reference for these CC mode values: https://developer.nvidia.com/blog/confidential-computing-on-h100-gpus-for-secure-and-trustworthy-ai/#hardware_security_for_nvidia_h100_gpus */
|
|
78
|
+
export declare const GPUDeviceCCMode: {
|
|
79
|
+
readonly UNSET: 0;
|
|
80
|
+
/** ON - The NVIDIA H100 hardware, firmware, and software have fully activated all the confidential computing features. */
|
|
81
|
+
readonly ON: 1;
|
|
82
|
+
/** OFF - None of the confidential computing-specific features are active. */
|
|
83
|
+
readonly OFF: 2;
|
|
84
|
+
/** DEVTOOLS - The GPU is in a partial CC mode that will match the workflows of CC mode ON, but with security protections disabled. */
|
|
85
|
+
readonly DEVTOOLS: 3;
|
|
86
|
+
readonly UNRECOGNIZED: -1;
|
|
87
|
+
};
|
|
88
|
+
export type GPUDeviceCCMode = typeof GPUDeviceCCMode[keyof typeof GPUDeviceCCMode];
|
|
89
|
+
export declare namespace GPUDeviceCCMode {
|
|
90
|
+
type UNSET = typeof GPUDeviceCCMode.UNSET;
|
|
91
|
+
type ON = typeof GPUDeviceCCMode.ON;
|
|
92
|
+
type OFF = typeof GPUDeviceCCMode.OFF;
|
|
93
|
+
type DEVTOOLS = typeof GPUDeviceCCMode.DEVTOOLS;
|
|
94
|
+
type UNRECOGNIZED = typeof GPUDeviceCCMode.UNRECOGNIZED;
|
|
95
|
+
}
|
|
96
|
+
export declare function gPUDeviceCCModeFromJSON(object: any): GPUDeviceCCMode;
|
|
97
|
+
export declare function gPUDeviceCCModeToJSON(object: GPUDeviceCCMode): string;
|
|
98
|
+
/**
|
|
99
|
+
* Information uniquely identifying a GCE instance. Can be used to create an
|
|
100
|
+
* instance URL, which can then be used with GCE APIs. Formatted like:
|
|
101
|
+
* https://www.googleapis.com/compute/v1/projects/{project_id}/zones/{zone}/instances/{instance_name}
|
|
102
|
+
*/
|
|
103
|
+
export interface GCEInstanceInfo {
|
|
104
|
+
zone: string;
|
|
105
|
+
projectId: string;
|
|
106
|
+
projectNumber: bigint;
|
|
107
|
+
instanceName: string;
|
|
108
|
+
instanceId: bigint;
|
|
109
|
+
}
|
|
110
|
+
export interface Attestation {
|
|
111
|
+
/** Attestation Key (AK) Public Area, encoded as a TPMT_PUBLIC */
|
|
112
|
+
akPub: Uint8Array;
|
|
113
|
+
/** Quotes over all supported PCR banks */
|
|
114
|
+
quotes: Quote[];
|
|
115
|
+
/**
|
|
116
|
+
* TCG Event Log, encoded in the raw binary format.
|
|
117
|
+
* Can be SHA-1 or crypto-agile.
|
|
118
|
+
*/
|
|
119
|
+
eventLog: Uint8Array;
|
|
120
|
+
/** Optional information about a GCE instance, unused outside of GCE */
|
|
121
|
+
instanceInfo: GCEInstanceInfo | undefined;
|
|
122
|
+
/** A COS event log using the TCG Canonical Event Log format */
|
|
123
|
+
canonicalEventLog: Uint8Array;
|
|
124
|
+
/**
|
|
125
|
+
* Attestation Key (AK) Certificate, encoded as ASN.1 DER.
|
|
126
|
+
* Optional.
|
|
127
|
+
*/
|
|
128
|
+
akCert: Uint8Array;
|
|
129
|
+
/**
|
|
130
|
+
* Intermediate Certificates for verifying the AK Certificate, encoded as
|
|
131
|
+
* ASN.1 DER. Optional.
|
|
132
|
+
*/
|
|
133
|
+
intermediateCerts: Uint8Array[];
|
|
134
|
+
sevSnpAttestation?: Attestation1 | undefined;
|
|
135
|
+
tdxAttestation?: QuoteV4 | undefined;
|
|
136
|
+
}
|
|
137
|
+
/**
|
|
138
|
+
* For VMs running SEV-SNP with an SVSM-based e-vTPM, this contains a TPM quote
|
|
139
|
+
* and all the information needed to verify it.
|
|
140
|
+
*/
|
|
141
|
+
export interface SevSnpSvsmAttestation {
|
|
142
|
+
attestation: Attestation | undefined;
|
|
143
|
+
sevSnpAttestation: Attestation1 | undefined;
|
|
144
|
+
/**
|
|
145
|
+
* vTPM service manifest is retrieved from configfs-tsm-report via manifest blob
|
|
146
|
+
* See https://github.com/torvalds/linux/blob/v6.16/Documentation/ABI/testing/configfs-tsm-report
|
|
147
|
+
* The manifest format is defined by the SVSM spec at https://www.amd.com/en/developer/sev.html
|
|
148
|
+
*/
|
|
149
|
+
vtpmServiceManifest: Uint8Array;
|
|
150
|
+
vtpmServiceManifestVersion: string;
|
|
151
|
+
/** This contains a launch endorsement for guest firmware that includes SVSM. */
|
|
152
|
+
launchEndorsement: Uint8Array;
|
|
153
|
+
}
|
|
154
|
+
/** The platform/firmware state for this instance */
|
|
155
|
+
export interface PlatformState {
|
|
156
|
+
/** Raw S-CRTM version identifier (EV_S_CRTM_VERSION) */
|
|
157
|
+
scrtmVersionId?: Uint8Array | undefined;
|
|
158
|
+
/** Virtual GCE firmware version (parsed from S-CRTM version id) */
|
|
159
|
+
gceVersion?: number | undefined;
|
|
160
|
+
/** Set to NONE on non-GCE instances or non-Confidential Shielded GCE instances */
|
|
161
|
+
technology: GCEConfidentialTechnology;
|
|
162
|
+
/** Only set for GCE instances */
|
|
163
|
+
instanceInfo: GCEInstanceInfo | undefined;
|
|
164
|
+
}
|
|
165
|
+
export interface GrubFile {
|
|
166
|
+
/** The digest of the file (pulled from the raw event digest). */
|
|
167
|
+
digest: Uint8Array;
|
|
168
|
+
/** The event data. This is not measured, so it is untrusted. */
|
|
169
|
+
untrustedFilename: Uint8Array;
|
|
170
|
+
}
|
|
171
|
+
export interface GrubState {
|
|
172
|
+
/** All GRUB-read and measured files, including grub.cfg. */
|
|
173
|
+
files: GrubFile[];
|
|
174
|
+
/**
|
|
175
|
+
* A list of executed GRUB commands and command lines passed to the kernel
|
|
176
|
+
* and kernel modules.
|
|
177
|
+
*/
|
|
178
|
+
commands: string[];
|
|
179
|
+
}
|
|
180
|
+
/**
|
|
181
|
+
* The state of the Linux kernel.
|
|
182
|
+
* At the moment, parsing LinuxKernelState relies on parsing the GrubState.
|
|
183
|
+
* To do so, use ParseOpts{Loader: GRUB} when calling ParseMachineState.
|
|
184
|
+
*/
|
|
185
|
+
export interface LinuxKernelState {
|
|
186
|
+
/** The kernel command line. */
|
|
187
|
+
commandLine: string;
|
|
188
|
+
}
|
|
189
|
+
/** A parsed event from the TCG event log */
|
|
190
|
+
export interface Event {
|
|
191
|
+
/** The Platform Control Register (PCR) this event was extended into. */
|
|
192
|
+
pcrIndex: number;
|
|
193
|
+
/**
|
|
194
|
+
* The type of this event. Note that this value is not verified, so it should
|
|
195
|
+
* only be used as a hint during event parsing.
|
|
196
|
+
*/
|
|
197
|
+
untrustedType: number;
|
|
198
|
+
/**
|
|
199
|
+
* The raw data associated to this event. The meaning of this data is
|
|
200
|
+
* specific to the type of the event.
|
|
201
|
+
*/
|
|
202
|
+
data: Uint8Array;
|
|
203
|
+
/**
|
|
204
|
+
* The event digest actually extended into the TPM. This is often the hash of
|
|
205
|
+
* the data field, but in some cases it may have a type-specific calculation.
|
|
206
|
+
*/
|
|
207
|
+
digest: Uint8Array;
|
|
208
|
+
/** This is true if hash(data) == digest. */
|
|
209
|
+
digestVerified: boolean;
|
|
210
|
+
}
|
|
211
|
+
export interface Certificate {
|
|
212
|
+
/** DER representation of the certificate. */
|
|
213
|
+
der?: Uint8Array | undefined;
|
|
214
|
+
wellKnown?: WellKnownCertificate | undefined;
|
|
215
|
+
}
|
|
216
|
+
/**
|
|
217
|
+
* A Secure Boot database containing lists of hashes and certificates,
|
|
218
|
+
* as defined by section 32.4.1 Signature Database in the UEFI spec.
|
|
219
|
+
*/
|
|
220
|
+
export interface Database {
|
|
221
|
+
certs: Certificate[];
|
|
222
|
+
hashes: Uint8Array[];
|
|
223
|
+
}
|
|
224
|
+
/** The Secure Boot state for this instance. */
|
|
225
|
+
export interface SecureBootState {
|
|
226
|
+
/** Whether Secure Boot is enabled. */
|
|
227
|
+
enabled: boolean;
|
|
228
|
+
/** The Secure Boot signature (allowed) database. */
|
|
229
|
+
db: Database | undefined;
|
|
230
|
+
/** The Secure Boot revoked signature (forbidden) database. */
|
|
231
|
+
dbx: Database | undefined;
|
|
232
|
+
/**
|
|
233
|
+
* Authority events post-separator. Pre-separator authorities
|
|
234
|
+
* are currently not supported.
|
|
235
|
+
*/
|
|
236
|
+
authority: Database | undefined;
|
|
237
|
+
/** The Secure Boot Platform key, used to sign key exchange keys. */
|
|
238
|
+
pk: Database | undefined;
|
|
239
|
+
/** The Secure Boot Key Exchange Keys, used to sign db and dbx updates. */
|
|
240
|
+
kek: Database | undefined;
|
|
241
|
+
}
|
|
242
|
+
export interface ContainerState {
|
|
243
|
+
imageReference: string;
|
|
244
|
+
/**
|
|
245
|
+
* Digest of the registry's image manifest, which contains a list of the
|
|
246
|
+
* layers comprising the image.
|
|
247
|
+
*/
|
|
248
|
+
imageDigest: string;
|
|
249
|
+
restartPolicy: RestartPolicy;
|
|
250
|
+
/**
|
|
251
|
+
* Digest of the local image configuration object, containing config items
|
|
252
|
+
* such as local layer digests.
|
|
253
|
+
*/
|
|
254
|
+
imageId: string;
|
|
255
|
+
args: string[];
|
|
256
|
+
envVars: {
|
|
257
|
+
[key: string]: string;
|
|
258
|
+
};
|
|
259
|
+
/**
|
|
260
|
+
* Record operator input Env Vars and Args, should be subsets of the above
|
|
261
|
+
* Env Vars and Args.
|
|
262
|
+
*/
|
|
263
|
+
overriddenArgs: string[];
|
|
264
|
+
overriddenEnvVars: {
|
|
265
|
+
[key: string]: string;
|
|
266
|
+
};
|
|
267
|
+
}
|
|
268
|
+
export interface ContainerState_EnvVarsEntry {
|
|
269
|
+
key: string;
|
|
270
|
+
value: string;
|
|
271
|
+
}
|
|
272
|
+
export interface ContainerState_OverriddenEnvVarsEntry {
|
|
273
|
+
key: string;
|
|
274
|
+
value: string;
|
|
275
|
+
}
|
|
276
|
+
export interface SemanticVersion {
|
|
277
|
+
major: number;
|
|
278
|
+
minor: number;
|
|
279
|
+
patch: number;
|
|
280
|
+
}
|
|
281
|
+
export interface HealthMonitoringState {
|
|
282
|
+
/** Whether memory monitoring is enabled. */
|
|
283
|
+
memoryEnabled?: boolean | undefined;
|
|
284
|
+
}
|
|
285
|
+
export interface GpuDeviceState {
|
|
286
|
+
/** Whether Confidential Computing mode is enabled for GPU. */
|
|
287
|
+
ccMode: GPUDeviceCCMode;
|
|
288
|
+
nvidiaAttestationReport: NvidiaAttestationReport | undefined;
|
|
289
|
+
}
|
|
290
|
+
export interface AttestedCosState {
|
|
291
|
+
container: ContainerState | undefined;
|
|
292
|
+
cosVersion: SemanticVersion | undefined;
|
|
293
|
+
launcherVersion: SemanticVersion | undefined;
|
|
294
|
+
healthMonitoring: HealthMonitoringState | undefined;
|
|
295
|
+
gpuDeviceState: GpuDeviceState | undefined;
|
|
296
|
+
}
|
|
297
|
+
export interface EfiApp {
|
|
298
|
+
/** The PE/COFF digest of the EFI application (pulled from the raw event digest). */
|
|
299
|
+
digest: Uint8Array;
|
|
300
|
+
}
|
|
301
|
+
/**
|
|
302
|
+
* The verified state of EFI Applications. Policy usage on this machine state
|
|
303
|
+
* should check the entire set of EFI App digests matches, not a subset.
|
|
304
|
+
*/
|
|
305
|
+
export interface EfiState {
|
|
306
|
+
/**
|
|
307
|
+
* UEFI's OS Loader code is required to measure attempts to load and execute
|
|
308
|
+
* UEFI applications.
|
|
309
|
+
* UEFI applications are typically bootloaders such as shim and GRUB.
|
|
310
|
+
* These run and are measured using the UEFI LoadImage() service.
|
|
311
|
+
*/
|
|
312
|
+
apps: EfiApp[];
|
|
313
|
+
/**
|
|
314
|
+
* The EFI drivers,
|
|
315
|
+
* obtained from https://trustedcomputinggroup.org/wp-content/uploads/TCG_EFI_Platform_1_22_Final_-v15.pdf#page=22.
|
|
316
|
+
* The EFI Boot Services Drivers from adapter or loaded bydriver in adapter.
|
|
317
|
+
*/
|
|
318
|
+
bootServicesDrivers: EfiApp[];
|
|
319
|
+
/** The EFI Runtime Drivers from adapter or loaded bydriver in adapter. */
|
|
320
|
+
runtimeServicesDrivers: EfiApp[];
|
|
321
|
+
}
|
|
322
|
+
/** The verified state of a booted machine, obtained from an Attestation */
|
|
323
|
+
export interface MachineState {
|
|
324
|
+
platform: PlatformState | undefined;
|
|
325
|
+
secureBoot: SecureBootState | undefined;
|
|
326
|
+
/**
|
|
327
|
+
* The complete parsed TCG Event Log, including those events used to
|
|
328
|
+
* create the PlatformState.
|
|
329
|
+
*/
|
|
330
|
+
rawEvents: Event[];
|
|
331
|
+
/**
|
|
332
|
+
* The hash algorithm used when verifying the Attestation. This indicates:
|
|
333
|
+
* - which PCR bank was used for for quote validation and event log replay
|
|
334
|
+
* - the hash algorithm used to calculate event digests
|
|
335
|
+
*/
|
|
336
|
+
hash: HashAlgo;
|
|
337
|
+
grub: GrubState | undefined;
|
|
338
|
+
linuxKernel: LinuxKernelState | undefined;
|
|
339
|
+
cos: AttestedCosState | undefined;
|
|
340
|
+
efi: EfiState | undefined;
|
|
341
|
+
sevSnpAttestation?: Attestation1 | undefined;
|
|
342
|
+
tdxAttestation?: QuoteV4 | undefined;
|
|
343
|
+
}
|
|
344
|
+
/** A policy dictating which values of PlatformState to allow */
|
|
345
|
+
export interface PlatformPolicy {
|
|
346
|
+
/**
|
|
347
|
+
* If PlatformState.firmware contains a scrtm_version_id, it must appear
|
|
348
|
+
* in this list. For use with a GCE VM, minimum_gce_firmware_version is
|
|
349
|
+
* often a better alternative.
|
|
350
|
+
*/
|
|
351
|
+
allowedScrtmVersionIds: Uint8Array[];
|
|
352
|
+
/**
|
|
353
|
+
* If PlatformState.firmware contains a minimum_gce_firmware_version, it must
|
|
354
|
+
* be greater than or equal to this value. Currently, the max version is 1.
|
|
355
|
+
*/
|
|
356
|
+
minimumGceFirmwareVersion: number;
|
|
357
|
+
/**
|
|
358
|
+
* The PlatformState's technology must be at least as secure as
|
|
359
|
+
* the specified minimum_technology (i.e. AMD_SEV_ES > AMD_SEV > NONE).
|
|
360
|
+
*/
|
|
361
|
+
minimumTechnology: GCEConfidentialTechnology;
|
|
362
|
+
}
|
|
363
|
+
/**
|
|
364
|
+
* A policy about what parts of a RIM to compare against machine state as
|
|
365
|
+
* reflected in a quote or (verified) event log. Reference measurements for
|
|
366
|
+
* a component are expected to be addressable by the machine state's reported
|
|
367
|
+
* digest, or otherwise presented as cached collateral with the attestation
|
|
368
|
+
* itself. The method of delivery is vendor-specific.
|
|
369
|
+
*/
|
|
370
|
+
export interface RIMPolicy {
|
|
371
|
+
/**
|
|
372
|
+
* If true, the signed measurement must be available (by means that can be
|
|
373
|
+
* vendor-specific), and the target measurement must be among the listed
|
|
374
|
+
* signed measurements. If false, then only error if there is a problem
|
|
375
|
+
* verifying the signed measurements when they are available.
|
|
376
|
+
*/
|
|
377
|
+
requireSigned: boolean;
|
|
378
|
+
/** x.509 certificates in ASN.1 DER format. */
|
|
379
|
+
rootCerts: Uint8Array[];
|
|
380
|
+
}
|
|
381
|
+
/**
|
|
382
|
+
* Represent minimal decisions about attestation fields until necessary to
|
|
383
|
+
* add for policy reasons.
|
|
384
|
+
*/
|
|
385
|
+
export interface SevSnpPolicy {
|
|
386
|
+
/** The policy for checking the signed reference values for the UEFI at launch. */
|
|
387
|
+
uefi: RIMPolicy | undefined;
|
|
388
|
+
}
|
|
389
|
+
/** A policy dictating which type of MachineStates to allow */
|
|
390
|
+
export interface Policy {
|
|
391
|
+
platform: PlatformPolicy | undefined;
|
|
392
|
+
/**
|
|
393
|
+
* When the attestation is on SEV-SNP, this is the policy. Unset means no
|
|
394
|
+
* constraints.
|
|
395
|
+
*/
|
|
396
|
+
sevSnp: SevSnpPolicy | undefined;
|
|
397
|
+
}
|
|
398
|
+
export declare const GCEInstanceInfo: MessageFns<GCEInstanceInfo>;
|
|
399
|
+
export declare const Attestation: MessageFns<Attestation>;
|
|
400
|
+
export declare const SevSnpSvsmAttestation: MessageFns<SevSnpSvsmAttestation>;
|
|
401
|
+
export declare const PlatformState: MessageFns<PlatformState>;
|
|
402
|
+
export declare const GrubFile: MessageFns<GrubFile>;
|
|
403
|
+
export declare const GrubState: MessageFns<GrubState>;
|
|
404
|
+
export declare const LinuxKernelState: MessageFns<LinuxKernelState>;
|
|
405
|
+
export declare const Event: MessageFns<Event>;
|
|
406
|
+
export declare const Certificate: MessageFns<Certificate>;
|
|
407
|
+
export declare const Database: MessageFns<Database>;
|
|
408
|
+
export declare const SecureBootState: MessageFns<SecureBootState>;
|
|
409
|
+
export declare const ContainerState: MessageFns<ContainerState>;
|
|
410
|
+
export declare const ContainerState_EnvVarsEntry: MessageFns<ContainerState_EnvVarsEntry>;
|
|
411
|
+
export declare const ContainerState_OverriddenEnvVarsEntry: MessageFns<ContainerState_OverriddenEnvVarsEntry>;
|
|
412
|
+
export declare const SemanticVersion: MessageFns<SemanticVersion>;
|
|
413
|
+
export declare const HealthMonitoringState: MessageFns<HealthMonitoringState>;
|
|
414
|
+
export declare const GpuDeviceState: MessageFns<GpuDeviceState>;
|
|
415
|
+
export declare const AttestedCosState: MessageFns<AttestedCosState>;
|
|
416
|
+
export declare const EfiApp: MessageFns<EfiApp>;
|
|
417
|
+
export declare const EfiState: MessageFns<EfiState>;
|
|
418
|
+
export declare const MachineState: MessageFns<MachineState>;
|
|
419
|
+
export declare const PlatformPolicy: MessageFns<PlatformPolicy>;
|
|
420
|
+
export declare const RIMPolicy: MessageFns<RIMPolicy>;
|
|
421
|
+
export declare const SevSnpPolicy: MessageFns<SevSnpPolicy>;
|
|
422
|
+
export declare const Policy: MessageFns<Policy>;
|
|
423
|
+
type Builtin = Date | Function | Uint8Array | string | number | boolean | bigint | undefined;
|
|
424
|
+
export type DeepPartial<T> = T extends Builtin ? T : T extends globalThis.Array<infer U> ? globalThis.Array<DeepPartial<U>> : T extends ReadonlyArray<infer U> ? ReadonlyArray<DeepPartial<U>> : T extends {} ? {
|
|
425
|
+
[K in keyof T]?: DeepPartial<T[K]>;
|
|
426
|
+
} : Partial<T>;
|
|
427
|
+
export interface MessageFns<T> {
|
|
428
|
+
encode(message: T, writer?: BinaryWriter): BinaryWriter;
|
|
429
|
+
decode(input: BinaryReader | Uint8Array, length?: number): T;
|
|
430
|
+
fromJSON(object: any): T;
|
|
431
|
+
toJSON(message: T): unknown;
|
|
432
|
+
create(base?: DeepPartial<T>): T;
|
|
433
|
+
fromPartial(object: DeepPartial<T>): T;
|
|
434
|
+
}
|
|
435
|
+
export {};
|
|
@@ -0,0 +1,261 @@
|
|
|
1
|
+
import { BinaryReader, BinaryWriter } from "@bufbuild/protobuf/wire";
|
|
2
|
+
import { GMESState } from "./state.ts";
|
|
3
|
+
export declare const protobufPackage = "confidential_space";
|
|
4
|
+
/** Enumerates the supported GPU architecture types. */
|
|
5
|
+
export declare const GpuArchitectureType: {
|
|
6
|
+
/** GPU_ARCHITECTURE_TYPE_UNSPECIFIED - Unspecified GPU architecture type. */
|
|
7
|
+
readonly GPU_ARCHITECTURE_TYPE_UNSPECIFIED: 0;
|
|
8
|
+
/** GPU_ARCHITECTURE_TYPE_HOPPER - Hopper GPU architecture type. */
|
|
9
|
+
readonly GPU_ARCHITECTURE_TYPE_HOPPER: 8;
|
|
10
|
+
/** GPU_ARCHITECTURE_TYPE_BLACKWELL - Blackwell GPU architecture type. */
|
|
11
|
+
readonly GPU_ARCHITECTURE_TYPE_BLACKWELL: 10;
|
|
12
|
+
readonly UNRECOGNIZED: -1;
|
|
13
|
+
};
|
|
14
|
+
export type GpuArchitectureType = typeof GpuArchitectureType[keyof typeof GpuArchitectureType];
|
|
15
|
+
export declare namespace GpuArchitectureType {
|
|
16
|
+
type GPU_ARCHITECTURE_TYPE_UNSPECIFIED = typeof GpuArchitectureType.GPU_ARCHITECTURE_TYPE_UNSPECIFIED;
|
|
17
|
+
type GPU_ARCHITECTURE_TYPE_HOPPER = typeof GpuArchitectureType.GPU_ARCHITECTURE_TYPE_HOPPER;
|
|
18
|
+
type GPU_ARCHITECTURE_TYPE_BLACKWELL = typeof GpuArchitectureType.GPU_ARCHITECTURE_TYPE_BLACKWELL;
|
|
19
|
+
type UNRECOGNIZED = typeof GpuArchitectureType.UNRECOGNIZED;
|
|
20
|
+
}
|
|
21
|
+
export declare function gpuArchitectureTypeFromJSON(object: any): GpuArchitectureType;
|
|
22
|
+
export declare function gpuArchitectureTypeToJSON(object: GpuArchitectureType): string;
|
|
23
|
+
export interface GpuInfo {
|
|
24
|
+
/** The unique identifier of the GPU. */
|
|
25
|
+
uuid: string;
|
|
26
|
+
/** Driver version obtained from the GPU's attestation report. */
|
|
27
|
+
driverVersion: string;
|
|
28
|
+
/** VBIOS version obtained from the GPU's attestation report. */
|
|
29
|
+
vbiosVersion: string;
|
|
30
|
+
/** The architecture type of the GPU. */
|
|
31
|
+
gpuArchitectureType: GpuArchitectureType;
|
|
32
|
+
/** The verified attestation certificate chain for the GPU device. */
|
|
33
|
+
attestationCertificateChain: Uint8Array;
|
|
34
|
+
/**
|
|
35
|
+
* This field contains SPDM request/response defined in
|
|
36
|
+
* https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_1.1.0.pdf
|
|
37
|
+
*/
|
|
38
|
+
attestationReport: Uint8Array;
|
|
39
|
+
}
|
|
40
|
+
/**
|
|
41
|
+
* An Nvidia attestation report for GPU and NVSwitch devices.
|
|
42
|
+
* Contains necessary attestation evidence that the client collects for
|
|
43
|
+
* verification.
|
|
44
|
+
*/
|
|
45
|
+
export interface NvidiaAttestationReport {
|
|
46
|
+
/** Single GPU Passthrough (SPT) attestation. */
|
|
47
|
+
spt?: NvidiaAttestationReport_SinglePassthroughAttestation | undefined;
|
|
48
|
+
/** Multi-GPU Secure Passthrough (MPT) attestation. */
|
|
49
|
+
mpt?: NvidiaAttestationReport_MultiGpuSecurePassthroughAttestation | undefined;
|
|
50
|
+
/** The nonce used for GPU attestation. */
|
|
51
|
+
nonce: Uint8Array;
|
|
52
|
+
}
|
|
53
|
+
/** Single GPU Passthrough (SPT) attestation. */
|
|
54
|
+
export interface NvidiaAttestationReport_SinglePassthroughAttestation {
|
|
55
|
+
/** Single GPU quote. */
|
|
56
|
+
gpuQuote: GpuInfo | undefined;
|
|
57
|
+
}
|
|
58
|
+
/**
|
|
59
|
+
* MultiGpuSecurePassthroughAttestation contains the attestation evidence
|
|
60
|
+
* for a Multi-GPU Secure Passthrough (MPT) attestation.
|
|
61
|
+
*/
|
|
62
|
+
export interface NvidiaAttestationReport_MultiGpuSecurePassthroughAttestation {
|
|
63
|
+
/** A list of GPU quotes. */
|
|
64
|
+
gpuQuotes: GpuInfo[];
|
|
65
|
+
}
|
|
66
|
+
export interface DeviceAttestationReport {
|
|
67
|
+
/** An Nvidia attestation report for GPU and NVSwitch devices. */
|
|
68
|
+
nvidiaReport?: NvidiaAttestationReport | undefined;
|
|
69
|
+
}
|
|
70
|
+
export interface TdxCcelQuote {
|
|
71
|
+
/**
|
|
72
|
+
* The CCEL event log. Formatted as described in the UEFI 2.10.
|
|
73
|
+
* Contains events for guest OS boot.
|
|
74
|
+
*/
|
|
75
|
+
ccelBootEventLog: Uint8Array;
|
|
76
|
+
/**
|
|
77
|
+
* Formatted as a Canonical Event Log.
|
|
78
|
+
* The event log containing Attested COS launcher events.
|
|
79
|
+
*/
|
|
80
|
+
celLaunchEventLog: Uint8Array;
|
|
81
|
+
/**
|
|
82
|
+
* The TDX attestation quote from the guest. A serialized Quote
|
|
83
|
+
* from https://github.com/google/go-tdx-guest/blob/main/proto/tdx.proto
|
|
84
|
+
*/
|
|
85
|
+
tdQuote: Uint8Array;
|
|
86
|
+
}
|
|
87
|
+
export interface VmAttestationQuote {
|
|
88
|
+
/** A TDX with CCEL and RTMR Attestation Quote. */
|
|
89
|
+
tdxCcelQuote?: TdxCcelQuote | undefined;
|
|
90
|
+
/** A standalone vTPM Attestation Quote. */
|
|
91
|
+
tpmQuote?: TpmQuote | undefined;
|
|
92
|
+
}
|
|
93
|
+
/** Represents an attestation over a challenge provided by the workload. */
|
|
94
|
+
export interface VmAttestation {
|
|
95
|
+
/** Chosen by WSD. */
|
|
96
|
+
label: Uint8Array;
|
|
97
|
+
/** Provided by the workload. */
|
|
98
|
+
challenge: Uint8Array;
|
|
99
|
+
/** Optional, provided by WSD. */
|
|
100
|
+
extraData: Uint8Array;
|
|
101
|
+
/** report_data is `SHA512(label || SHA512(challenge || SHA512(extra_data)))` */
|
|
102
|
+
quote: VmAttestationQuote | undefined;
|
|
103
|
+
/** Runtime attestations for attached devices. */
|
|
104
|
+
deviceReports: DeviceAttestationReport[];
|
|
105
|
+
}
|
|
106
|
+
export interface KeyAttestation {
|
|
107
|
+
/**
|
|
108
|
+
* label is "KEY_ATTESTATION" (defined as KeyAttestationLabel constant).
|
|
109
|
+
* extra_data is a binary-serialized instance of KeyClaims.
|
|
110
|
+
*/
|
|
111
|
+
attestation: VmAttestation | undefined;
|
|
112
|
+
}
|
|
113
|
+
/** Container for keys whose protection mechanism is KEY_PROTECTION_VM. */
|
|
114
|
+
export interface VmProtectedKeyEndorsement {
|
|
115
|
+
/** Contains a VmProtectionBindingClaims. */
|
|
116
|
+
bindingKeyAttestation: KeyAttestation | undefined;
|
|
117
|
+
/** Contains a VmProtectionKeyClaims. */
|
|
118
|
+
protectedKeyAttestation: KeyAttestation | undefined;
|
|
119
|
+
}
|
|
120
|
+
/** Container message for endorsing keys with various levels of protection. */
|
|
121
|
+
export interface KeyEndorsement {
|
|
122
|
+
vmProtectedKeyEndorsement?: VmProtectedKeyEndorsement | undefined;
|
|
123
|
+
}
|
|
124
|
+
/** Host and vTPM attestation evidence */
|
|
125
|
+
export interface TpmAttestationEndorsement {
|
|
126
|
+
/** An attestation key (AK) certificate and cert chain. */
|
|
127
|
+
akCertEndorsement?: TpmAttestationEndorsement_AkCertEndorsement | undefined;
|
|
128
|
+
/** Endorsement certificate chain for the Titan chip. */
|
|
129
|
+
titanEndorsement?: TpmAttestationEndorsement_TitanEndorsement | undefined;
|
|
130
|
+
}
|
|
131
|
+
/** An attestation key (AK) certificate and cert chain. */
|
|
132
|
+
export interface TpmAttestationEndorsement_AkCertEndorsement {
|
|
133
|
+
/** An attestation key (AK) certificate. */
|
|
134
|
+
akCert: Uint8Array;
|
|
135
|
+
/**
|
|
136
|
+
* List of DER-encoded X.509 certificates which, together with the ak_cert,
|
|
137
|
+
* chain back to a trusted Root Certificate.
|
|
138
|
+
*/
|
|
139
|
+
akCertChain: Uint8Array[];
|
|
140
|
+
}
|
|
141
|
+
export interface TpmAttestationEndorsement_TitanEndorsement {
|
|
142
|
+
/**
|
|
143
|
+
* Certificate signed by Titan's DICE alias key over the EK used to generate
|
|
144
|
+
* the quotes. On Titan, the EK is a signing key that can be used directly.
|
|
145
|
+
*/
|
|
146
|
+
ekCert: Uint8Array;
|
|
147
|
+
/** Certificate chain rooted by Titan's DeviceID public key. */
|
|
148
|
+
diceCertChain: Uint8Array;
|
|
149
|
+
}
|
|
150
|
+
export interface TpmQuote {
|
|
151
|
+
/** Generated by calling TPM2_Quote on each PCR bank. */
|
|
152
|
+
quotes: TpmQuote_SignedQuote[];
|
|
153
|
+
/**
|
|
154
|
+
* The binary TCG Event Log containing events measured into the TPM by the
|
|
155
|
+
* platform firmware and operating system. Formatted as described in the
|
|
156
|
+
* "TCG PC Client Platform Firmware Profile Specification" as a series of
|
|
157
|
+
* TCG_PCR_EVENT2 entries.
|
|
158
|
+
*/
|
|
159
|
+
pcclientBootEventLog: Uint8Array;
|
|
160
|
+
/**
|
|
161
|
+
* Formatted as a Canonical Event Log.
|
|
162
|
+
* The event log containing Attested COS launcher events.
|
|
163
|
+
*/
|
|
164
|
+
celLaunchEventLog: Uint8Array;
|
|
165
|
+
/** Endorsement for the TPM attestation. */
|
|
166
|
+
endorsement: TpmAttestationEndorsement | undefined;
|
|
167
|
+
}
|
|
168
|
+
export interface TpmQuote_SignedQuote {
|
|
169
|
+
/** Encoded as a TPM_ALG_ID. */
|
|
170
|
+
hashAlgorithm: number;
|
|
171
|
+
/** Raw binary values of each PCR being quoted. */
|
|
172
|
+
pcrValues: {
|
|
173
|
+
[key: number]: Uint8Array;
|
|
174
|
+
};
|
|
175
|
+
/** Contains a TPMS_QUOTE_INFO. */
|
|
176
|
+
tpmsAttest: Uint8Array;
|
|
177
|
+
/** Contains the signature. */
|
|
178
|
+
tpmtSignature: Uint8Array;
|
|
179
|
+
}
|
|
180
|
+
export interface TpmQuote_SignedQuote_PcrValuesEntry {
|
|
181
|
+
key: number;
|
|
182
|
+
value: Uint8Array;
|
|
183
|
+
}
|
|
184
|
+
/**
|
|
185
|
+
* Provides attestations for values not present in PCRs. For example, the Titan
|
|
186
|
+
* TPM on certain platforms is electrically integrated such that it can report,
|
|
187
|
+
* via reserved NV index, the number of warm resets the CPU has undergone since
|
|
188
|
+
* the last power cycle.
|
|
189
|
+
*
|
|
190
|
+
* Each signature within this message can be verified using the TpmQuote's
|
|
191
|
+
* `endorsement` field.
|
|
192
|
+
*/
|
|
193
|
+
export interface TpmAuxiliaryAttestation {
|
|
194
|
+
/** The signed attestations over the NV indices. */
|
|
195
|
+
signedNvs: TpmAuxiliaryAttestation_SignedNvCertify[];
|
|
196
|
+
}
|
|
197
|
+
export interface TpmAuxiliaryAttestation_SignedNvCertify {
|
|
198
|
+
/** Used to compute the Name of the NV index. */
|
|
199
|
+
tpmsNvPublic: Uint8Array;
|
|
200
|
+
/** Contains a TPMS_NV_CERTIFY_INFO. */
|
|
201
|
+
tpmsAttest: Uint8Array;
|
|
202
|
+
/** Contains the signature. */
|
|
203
|
+
tpmtSignature: Uint8Array;
|
|
204
|
+
}
|
|
205
|
+
export interface HostAttestation {
|
|
206
|
+
/** Shall be "HOST_ATTESTATION" (defined as HostAttestationLabel constant). */
|
|
207
|
+
label: Uint8Array;
|
|
208
|
+
/** Provided by the workload. */
|
|
209
|
+
challenge: Uint8Array;
|
|
210
|
+
/** Shall be empty (set by WSD, present for future expansion). */
|
|
211
|
+
extraData: Uint8Array;
|
|
212
|
+
/**
|
|
213
|
+
* Within each of the below fields, the TPMS_ATTEST's extraData contains
|
|
214
|
+
* `SHA256(label || SHA256(challenge || SHA256(extra_data)))`
|
|
215
|
+
*/
|
|
216
|
+
tpmQuote: TpmQuote | undefined;
|
|
217
|
+
/** Auxiliary information not stored in PCRs, such as warm reset data. */
|
|
218
|
+
auxAttestation: TpmAuxiliaryAttestation | undefined;
|
|
219
|
+
}
|
|
220
|
+
export interface HostACOSState {
|
|
221
|
+
/** The Google Measurement State of the host machine. */
|
|
222
|
+
gmes: GMESState | undefined;
|
|
223
|
+
/** The TDX CPU PIID. */
|
|
224
|
+
cpuPiid: Uint8Array;
|
|
225
|
+
/** Number of warm resets since the last power cycle. */
|
|
226
|
+
warmResetCount: bigint;
|
|
227
|
+
}
|
|
228
|
+
export declare const GpuInfo: MessageFns<GpuInfo>;
|
|
229
|
+
export declare const NvidiaAttestationReport: MessageFns<NvidiaAttestationReport>;
|
|
230
|
+
export declare const NvidiaAttestationReport_SinglePassthroughAttestation: MessageFns<NvidiaAttestationReport_SinglePassthroughAttestation>;
|
|
231
|
+
export declare const NvidiaAttestationReport_MultiGpuSecurePassthroughAttestation: MessageFns<NvidiaAttestationReport_MultiGpuSecurePassthroughAttestation>;
|
|
232
|
+
export declare const DeviceAttestationReport: MessageFns<DeviceAttestationReport>;
|
|
233
|
+
export declare const TdxCcelQuote: MessageFns<TdxCcelQuote>;
|
|
234
|
+
export declare const VmAttestationQuote: MessageFns<VmAttestationQuote>;
|
|
235
|
+
export declare const VmAttestation: MessageFns<VmAttestation>;
|
|
236
|
+
export declare const KeyAttestation: MessageFns<KeyAttestation>;
|
|
237
|
+
export declare const VmProtectedKeyEndorsement: MessageFns<VmProtectedKeyEndorsement>;
|
|
238
|
+
export declare const KeyEndorsement: MessageFns<KeyEndorsement>;
|
|
239
|
+
export declare const TpmAttestationEndorsement: MessageFns<TpmAttestationEndorsement>;
|
|
240
|
+
export declare const TpmAttestationEndorsement_AkCertEndorsement: MessageFns<TpmAttestationEndorsement_AkCertEndorsement>;
|
|
241
|
+
export declare const TpmAttestationEndorsement_TitanEndorsement: MessageFns<TpmAttestationEndorsement_TitanEndorsement>;
|
|
242
|
+
export declare const TpmQuote: MessageFns<TpmQuote>;
|
|
243
|
+
export declare const TpmQuote_SignedQuote: MessageFns<TpmQuote_SignedQuote>;
|
|
244
|
+
export declare const TpmQuote_SignedQuote_PcrValuesEntry: MessageFns<TpmQuote_SignedQuote_PcrValuesEntry>;
|
|
245
|
+
export declare const TpmAuxiliaryAttestation: MessageFns<TpmAuxiliaryAttestation>;
|
|
246
|
+
export declare const TpmAuxiliaryAttestation_SignedNvCertify: MessageFns<TpmAuxiliaryAttestation_SignedNvCertify>;
|
|
247
|
+
export declare const HostAttestation: MessageFns<HostAttestation>;
|
|
248
|
+
export declare const HostACOSState: MessageFns<HostACOSState>;
|
|
249
|
+
type Builtin = Date | Function | Uint8Array | string | number | boolean | bigint | undefined;
|
|
250
|
+
export type DeepPartial<T> = T extends Builtin ? T : T extends globalThis.Array<infer U> ? globalThis.Array<DeepPartial<U>> : T extends ReadonlyArray<infer U> ? ReadonlyArray<DeepPartial<U>> : T extends {} ? {
|
|
251
|
+
[K in keyof T]?: DeepPartial<T[K]>;
|
|
252
|
+
} : Partial<T>;
|
|
253
|
+
export interface MessageFns<T> {
|
|
254
|
+
encode(message: T, writer?: BinaryWriter): BinaryWriter;
|
|
255
|
+
decode(input: BinaryReader | Uint8Array, length?: number): T;
|
|
256
|
+
fromJSON(object: any): T;
|
|
257
|
+
toJSON(message: T): unknown;
|
|
258
|
+
create(base?: DeepPartial<T>): T;
|
|
259
|
+
fromPartial(object: DeepPartial<T>): T;
|
|
260
|
+
}
|
|
261
|
+
export {};
|