Commit
intel-trust-authority-as: add runtime data to attestation request
By adding runtime data to the appraisal request and having the reportdata correctly hashed in the quote, ITA returns it back in the token claims under attester_runtime_data. For this to work, the Kata rootfs must be built with a modified guest-components with sha512 hashing: --- a/attestation-agent/kbs_protocol/src/client/rcar_client.rs +++ b/attestation-agent/kbs_protocol/src/client/rcar_client.rs @@ -13,7 +13,7 @@ use log::{debug, warn}; use resource_uri::ResourceUri; use serde::Deserialize; use serde_json::json; -use sha2::{Digest, Sha384}; +use sha2::{Digest, Sha512}; use crate::{ api::KbsClientCapabilities, @@ -189,7 +189,7 @@ impl KbsClient<Box<dyn EvidenceProvider>> { nonce: String, ) -> Result<String> { debug!("Challenge nonce: {nonce}"); - let mut hasher = Sha384::new(); + let mut hasher = Sha512::new(); hasher.update(runtime_data); let ehd = match tee { Otherwise, ITA responds 400 / bad request. This change is still safe because ITA AS with KBS get-resource isn't working without this either. Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
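Review bot: In the second hunk of the quoted guest-components patch, `let mut hasher = Sha512::new();` sits before the `match tee` that follows, so the digest of `runtime_data` changes from SHA-384 to SHA-512 for every TEE that match handles, not only for the quotes ITA appraises. A verifier that still recomputes the digest with SHA-384 would see a mismatch against the report data. Consider selecting the hash inside the `match tee` arms or from configuration instead of swapping it globally. Since the message states that ITA responds 400 without this patch, the requirement for the modified guest-components should also be recorded next to the Kata rootfs build instructions rather than only in this commit message.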