From 3eacf8059ac8e39aab1d42ab781d3193d5497189 Mon Sep 17 00:00:00 2001
From: Mikko Ylinen
Date: Fri, 17 Jan 2025 14:13:18 +0200
Subject: [PATCH] ear: add TDX sample policy checks

Populate the default EAR policy with an initial TDX policy configuration.

Co-developed-by: Jorge Almansa
Signed-off-by: Mikko Ylinen
---
 .../src/token/ear_default_policy.rego | 27 ++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/attestation-service/src/token/ear_default_policy.rego b/attestation-service/src/token/ear_default_policy.rego
index 10fc2815d..f2c2c8036 100644
--- a/attestation-service/src/token/ear_default_policy.rego
+++ b/attestation-service/src/token/ear_default_policy.rego
@@ -86,7 +86,32 @@ else := 3 if {
     input.snp.policy_migrate_ma == 0
 }
 
-##### TDX TODO
+##### TDX
+executables:= 3 if {
+    # Check the kernel, initrd, and cmdline (including dmverity parameters) measurements
+    # TODO: add individual CCEL measurements from input.tdx.ccel instead
+    input.tdx.quote.body.rtmr_1 in data.reference.rtmr_1
+    input.tdx.quote.body.rtmr_2 in data.reference.rtmr_2
+}
+
+hardware := 2 if {
+    # Check the quote is a TDX quote signed by Intel SGX Quoting Enclave
+    input.tdx.quote.header.tee_type == "81000000"
+    input.tdx.quote.header.vendor_id == "939a7233f79c4ca9940a0db3957f0607"
+    # Check TDX Module version and its hash. Also check OVMF code hash.
+    input.tdx.quote.body.mr_seam in data.reference.mr_seam
+    input.tdx.quote.body.tcb_svn in data.reference.tcb_svn
+    input.tdx.quote.body.mr_td in data.reference.mr_td
+}
+
+configuration := 2 if {
+    # Check the TD has the expected attributes (e.g., debug not enabled)
+    # and features.
+    # TODO: split td_attribute bits to their own claims
+    input.tdx.quote.body.td_attributes in data.reference.td_attributes
+    input.tdx.quote.body.xfam in data.reference.xfam
+}
+
 ##### AZ SNP TODO
 ##### AZ TDX TODO
 ##### SE TODO
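Review bot: The three new TDX rules (`executables`, `hardware`, `configuration`) assign a claim only when every check passes and, unlike the SNP rule in the hunk context that ends in `else := 3 if { ... }`, have no fallback branch, so a quote with an unlisted `mr_seam` or a `td_attributes` value outside the reference set simply leaves the claim undefined; whether an unset claim is rejected depends on how the EAR token builder treats it, which this hunk does not show — confirm that, or add an explicit contraindicated-tier `else` to each rule so a failed check yields a deliberately negative result rather than an absent one. Within `hardware`, `input.tdx.quote.body.tcb_svn in data.reference.tcb_svn` is an exact match against an allow-list, so a platform that has been updated to a newer TCB fails unless every accepted SVN vector is enumerated in the reference data; a minimum-version comparison against a baseline is the more usual shape for this check. In `configuration`, the comment promises "debug not enabled" but the rule only matches the whole `td_attributes` word against the reference list, so until the TODO to split the bits is done it is the reference values, not the policy, that keep a debug-enabled TD out, which is worth saying in the comment, e.g. `# NOTE: a debug-enabled TD is only rejected if no reference td_attributes value has the DEBUG bit set`.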