
// Schema for the IAM AttestationDomain resource (package ntt.iam.v1).
// The message type is defined below in this file; the imported files supply
// the google.api.resource option, goten.types.Meta and the types referenced
// from common.proto.
syntax = "proto3";

package ntt.iam.v1;

import "edgelq-sdk/iam/proto/v1/common.proto";
import "google/api/resource.proto";
import "goten-sdk/types/meta.proto";

option go_package = "github.com/cloudwan/edgelq-sdk/iam/resources/v1/attestation_domain;attestation_domain";
option java_multiple_files = true;
option java_outer_classname = "AttestationDomainProto";
option java_package = "com.ntt.iam.pb.v1";
    13  
    14  // AttestationDomain Resource
// AttestationDomain Resource
//
// An AttestationDomain holds the settings an attestation verifier applies to
// TPM attestation requests from a project's devices: which manufacturer root
// CAs are trusted, which attestation policies an attestee must satisfy, and
// the list of enrolled EK public keys. The flag below that disables EK
// certificate verification is the only field that weakens the check and is
// documented as development-only.
message AttestationDomain {
  option (google.api.resource) = {
    type : "iam.edgelq.com/AttestationDomain"
    pattern : "projects/{project}/attestationDomains/{attestation_domain}"
  };

  // Name of AttestationDomain
  // When creating a new instance, this field is optional and if not provided,
  // it will be generated automatically. Last ID segment must conform to the
  // following regex: [a-z][a-z0-9\\-]{0,28}[a-z0-9]
  // The full resource name follows the pattern declared in the
  // google.api.resource option above.
  string name = 2;

  // Metadata is an object with information like create, update and delete time
  // (for async deleted resources), has user labels/annotations, sharding
  // information, multi-region syncing information and may have non-schema
  // owners (useful for taking ownership of resources belonging to lower level
  // services by higher ones).
  goten.types.Meta metadata = 1;

  // Display name
  string display_name = 3;

  // If false (default), attestation verifier SHALL check CA certificate chain
  // up to the TPM chip manufacturers CA (defined in manufacturer_ca_issuers).
  // This step is necessary to prove that the attestation request comes from a
  // genuine TPM device, and not a TPM emulator.
  //
  // If true, attestation verifier SHALL skip EKcert verification -
  // !!INSECURE!! Without this check, any keys may come from a simulated TPM
  // on the device. An attacker may therefore forge any key they want.
  // Therefore, this option should only be changed for development purposes.
  //
  // proto3 implicit presence: an unset field reads as false, so the secure
  // behaviour is the default and the insecure mode must be enabled
  // explicitly. A change of this field to true is worth alerting on.
  bool insecure_skip_manufacturer_ekcert_verification = 4;

  // Attestees wanting to attest under this attestation domain SHALL fulfill
  // requirements of at least one of attestation policies defined in this list.
  // Policies are checked in the order they appear on this list.
  //
  // NOTE(review): the schema does not state what the verifier does when this
  // list is empty — confirm that an empty list rejects attestations rather
  // than accepting them.
  repeated Policy policies = 5;

  // Attestation policy may require attestees pubkey to be present on
  // enrollment_list. See Policy.require_enrollment.
  repeated EnrolledKey enrollment_list = 6;

  // Policy defines a singular attestation policy, that should match a
  // homogeneous class of device (i.e. hardware and firmware configuration) in
  // the fleet. All of its checks are conjunctive: every enabled requirement
  // must hold for the policy to be satisfied.
  message Policy {
    // List of acceptable manufacturer's root CAs certs (in PEM format).
    //
    // To obtain such a cert, run something like:
    // `tpm2_getekcertificate -o cert.bin`
    // `openssl x509 -inform der -in cert.bin -noout -text`
    // Then manually download certificate specified in Authority Information
    // Access (AIA). Repeat the above `openssl` command on the newly
    // downloaded file (change the value of `-in` argument). Continue this until
    // you reach a certificate which does not have AIA. It's the root
    // certificate. Convert it to PEM like so: `openssl x509 -inform der -in
    // root.crt -out root.pem` Still, we need to encode newlines: `awk 'NF
    // {sub(/\r/, ""); printf "%s\\n",$0;}' root.pem` Then paste the output
    // here.
    //
    // Note: multiple PEM certificates may be included here by simple means of
    // concatenation.
    //
    // Verify the fingerprint of a downloaded root against the manufacturer's
    // published value before pasting it here; whatever is trusted in this
    // field is the trust anchor for the whole domain.
    string manufacturer_root_ca_certs_pem = 1;

    // If true, the attestee's pubkey SHALL be present on this
    // AttestationDomain's enrollment list, otherwise fail the attestation.
    // Defaults to false (proto3 implicit presence), so enrollment is only
    // enforced when explicitly enabled.
    bool require_enrollment = 2;

    // If true, the verifier SHALL parse, replay and verify TPM event log
    // provided by the attestee, otherwise fail the attestation.
    // Note that requiring verification of the event log does not provide
    // additional security. See
    // https://github.com/google/go-attestation/blob/master/docs/event-log-disclosure.md#event-type-and-verification-footguns
    bool verify_event_log = 3;

    // List of expected PCR values.
    // All PCRs on this list SHALL match exactly the PCRs provided by the
    // attestee, otherwise the attestation SHALL be failed. The verifier SHALL
    // perform sanity checks: PCR index/digest pairs are unique and the size of
    // the list is sane (TODO).
    // They can be read from TPM by running something like `tpm2_pcrread`.
    //
    // Under the rule above an empty list constrains nothing (there is no PCR
    // to mismatch); presumably such a policy is meant to rely on
    // require_enrollment instead — confirm with the verifier implementation.
    repeated PCR expected_pcrs = 4;
  }

  // EnrolledKey defines an enrolled key.
  message EnrolledKey {
    // PEM encoded EK pubkey.
    // It can be read from TPM by running something like `tpm2_createek -G rsa
    // -u ek.pub -c key.ctx -f pem`.
    string pubkey_pem = 1;

    // User's comments for this entry
    string comment = 2;
  }
}