// Copyright 2024 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
syntax = "proto3";
package device.enclave;
option optimize_for = LITE_RUNTIME;
// This proto defines the layered DICE Attestation Evidence.
//
// DICE provides a mechanism for combining software measurements and
// corresponding certificates into a chain, where each element (called layer)
// represents a piece of software loaded into the VMs memory. These layers are
// loaded sequentially, i.e. the previous layer loads the next layer. The
// previous layer is also responsible for measuring the next layer, generating
// a private key and a certificate for it.
//
// <https://trustedcomputinggroup.org/wp-content/uploads/TCG_DICE_Attestation_Architecture_r22_02dec2020.pdf>
// <https://trustedcomputinggroup.org/wp-content/uploads/DICE-Layering-Architecture-r19_pub.pdf>
enum TeePlatform {
TEE_PLATFORM_UNSPECIFIED = 0;
AMD_SEV_SNP = 1;
INTEL_TDX = 2;
TEE_PLATFORM_NONE = 3;
}
// Evidence generated by the Layer0.
//
// Since this layer is the initial layer for our architecture and it is
// measured during boot, its identity is represented by an attestation report.
message RootLayerEvidence {
// The platform providing the attestation report.
TeePlatform platform = 1;
// TEE-specific attestation report acting as a non-standard certificate for
// the Layer0 ECA public key.
bytes remote_attestation_report = 2;
// Serialized ECA public key for Layer0 that is signed by the remote
// attestation report.
//
// Represented as a SEC1 encoded point.
// <https://www.secg.org/sec1-v2.pdf#page=16>
bytes eca_public_key = 3;
}
// DICE layer evidence containing a certificate signed by the previous layer.
message LayerEvidence {
// Certificate signing current layer's measurements and the ECA key.
//
// Represented as a CBOR/COSE/CWT ECA certificate.
// <https://www.rfc-editor.org/rfc/rfc8392.html>
bytes eca_certificate = 1;
}
// Keys used by the application to derive encryption session keys and to sign
// arbitrary data. Each of the certificates contains the final layer's
// measurement as additional claims.
message ApplicationKeys {
// Certificate signing the encryption public key.
//
// Represented as a CBOR/COSE/CWT ECA certificate.
// <https://www.rfc-editor.org/rfc/rfc8392.html>
bytes encryption_public_key_certificate = 1;
// Certificate signing the signing public key.
//
// Represented as a CBOR/COSE/CWT ECA certificate.
// <https://www.rfc-editor.org/rfc/rfc8392.html>
bytes signing_public_key_certificate = 2;
// Certificate signing the group encryption public key as part of Key
// Provisioning.
//
// Represented as a CBOR/COSE/CWT ECA certificate.
// <https://www.rfc-editor.org/rfc/rfc8392.html>
bytes group_encryption_public_key_certificate = 3;
// Certificate signing the group signing public key as part of Key
// Provisioning.
//
// Represented as a CBOR/COSE/CWT ECA certificate.
// <https://www.rfc-editor.org/rfc/rfc8392.html>
bytes group_signing_public_key_certificate = 4;
}
// Attestation Evidence used by the client to the identity of firmware and
// software running inside a Trusted Execution Environment.
//
// The name is chosen to match the RATS terminology:
// <https://datatracker.ietf.org/doc/html/rfc9334#name-evidence>
message Evidence {
// Layer0 attestation evidence.
RootLayerEvidence root_layer = 1;
// Layer1..LayerN-1 attestation evidence.
repeated LayerEvidence layers = 2;
// Application keys signed by the penultimate layer’s ECA key.
//
// We are not signing these keys with the last layer's ECA key, because it
// is the application layer and the these keys are never shared with it.
// The last layer uses an API to the previous layer to:
// - Derive session keys from the encryption key
// - Sign arbitrary data with the signing key
ApplicationKeys application_keys = 3;
}