
Remote Attestation in a Container

Since TEE OS 1.4.0, the QCA-daemon, QCA lib-report, and QTA-report have been added to support remote attestation in a container. The QCA lib-report and QTA-report source code can be obtained from the itrustee_sdk repository, whereas the QCA-daemon is developed by users according to their own services. The following is a brief overview of the remote attestation process in a container.

  1. Generate and save the attestation key and certificate on the host. For details, see Window 1 and Window 2.
  2. Start the container by following the instructions in Container Deployment and start the QCA-daemon.
    The QCA-daemon then connects to the RA Service on the host over a Unix socket (sock mode). The RA Service needs the container ID and the NSID (the inode number of the container's PID namespace) of that container.
    • Either the QCA-daemon obtains the container ID and NSID and transfers them to the RA Service, or the RA Service obtains them itself from the host.
    • Run the following commands inside the container to obtain the container ID and NSID (the first command assumes the cgroup v1 layout, where the first line of /proc/self/cgroup ends in /docker/<container ID>):
      cat /proc/self/cgroup | head -1 | cut -d/ -f3
      ls -l /proc/1/ns/ | grep "pid ->" | awk -F"[][]" '{print $2}'
  3. After serializing the container information in JSON format, the RA Service calls the RegisterContainer API of the QCA lib to register the container information.
  4. Start the TA to be verified in the container.
  5. The RA Client initiates a remote attestation challenge, which carries the information about the container where the target TA is located, such as the container ID and type.
  6. After receiving the request, the RA Service forwards the request to the QCA-daemon in the associated container based on the container ID.
  7. The QCA-daemon calls the QCA lib-report in the container to initiate an attestation request.

    During the attestation process, the QTA-report in the container automatically checks with the QTA on the host whether the container's current NSID is the same as the one used at registration, so that a report cannot be produced from a PID namespace other than the registered one. The QTA-report then calls TEE OS APIs to obtain the measurement report and writes the container ID, container type, and the QTA-report measurement value into the ta_attrs field.

  8. The QCA-daemon returns the measurement report to the RA Service, which returns it to the RA Client.
  9. The RA Client verifies the signature of the measurement report to confirm the report's integrity. It should also check that the container ID in ta_attrs matches the container it named in its challenge, so that a valid report for a different container is not accepted.
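The following Python script is an added example that models the steps above end to end; it is not code from itrustee_sdk or from any QCA-daemon, and the class names (HostQta, QtaReport, RaService), the JSON field names, and the report layout are assumptions made for illustration. The container ID and NSID parsers reproduce the two shell commands from step 2 on constructed sample input (they also read the live /proc values when run inside a container), the RA Service registers the serialized container information and routes the challenge by container ID, the in-container QTA-report refuses to attest when its NSID differs from the registered one, and the client checks the signature, the nonce, and the container ID in ta_attrs. The real report is signed inside the TEE with an asymmetric key; an HMAC-SHA256 over the report body stands in for that signature here so the script runs offline.

```python
# Added example: model of the container attestation flow. Not itrustee_sdk code;
# class/function names and JSON fields are hypothetical, and HMAC-SHA256 stands in
# for the TEE's asymmetric report signature.
import hashlib
import hmac
import json
import os
import re

# Constructed sample input: /proc/self/cgroup inside a Docker container on
# cgroup v1, and the target of the /proc/1/ns/pid symlink.
SAMPLE_CID = "3f2a7c1e9b8d4a6f5e0c2b1a9d8e7f6c5b4a3d2e1f0a9b8c7d6e5f4a3b2c1d0e"
SAMPLE_CGROUP = "12:pids:/docker/%s\n11:memory:/docker/%s\n" % (SAMPLE_CID, SAMPLE_CID)
SAMPLE_NS_LINK = "pid:[4026532345]"


def container_id_from_cgroup(text):
    """Same as: cat /proc/self/cgroup | head -1 | cut -d/ -f3 (cgroup v1 layout)."""
    first = text.splitlines()[0] if text else ""
    fields = first.split("/")
    return fields[2] if len(fields) > 2 else ""


def nsid_from_link(link):
    """Same as: awk -F"[][]" '{print $2}' applied to the 'pid:[<inode>]' link target."""
    m = re.search(r"\[(\d+)\]", link)
    return m.group(1) if m else ""


def read_live_container_info():
    """Read the real values from /proc; returns ('', '') where /proc is unavailable."""
    try:
        with open("/proc/self/cgroup") as f:
            cid = container_id_from_cgroup(f.read())
        return cid, nsid_from_link(os.readlink("/proc/1/ns/pid"))
    except OSError:
        return "", ""


def serialize_container_info(cid, nsid, ctype):
    """Step 3: container information serialized as JSON for RegisterContainer."""
    return json.dumps({"container_id": cid, "container_type": ctype, "nsid": nsid}, sort_keys=True)


class HostQta:
    """Host-side QTA: remembers the NSID each container registered with."""
    def __init__(self):
        self.registered = {}

    def register_container(self, info_json):
        info = json.loads(info_json)
        self.registered[info["container_id"]] = info["nsid"]

    def nsid_matches(self, cid, nsid):
        return self.registered.get(cid) == nsid


class QtaReport:
    """In-container QTA-report; the QCA-daemon/lib-report hop is collapsed into attest()."""
    def __init__(self, cid, ctype, nsid, host_qta, report_key):
        self.cid, self.ctype, self.nsid = cid, ctype, nsid
        self.host_qta, self.report_key = host_qta, report_key
        # Measurement of the QTA-report image itself (constructed value).
        self.self_measure = hashlib.sha256(b"qta-report-image").hexdigest()

    def attest(self, nonce, ta_uuid):
        if not self.host_qta.nsid_matches(self.cid, self.nsid):
            raise PermissionError("container NSID differs from the registered one")
        body = {"nonce": nonce, "ta_uuid": ta_uuid,
                "ta_attrs": {"container_id": self.cid, "container_type": self.ctype,
                             "qta_report_measure": self.self_measure}}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.report_key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload.decode(), "sig": sig}


class RaService:
    """Host RA Service: registers containers and forwards challenges by container ID."""
    def __init__(self, host_qta):
        self.host_qta, self.daemons = host_qta, {}

    def register(self, info_json, qca_daemon):
        self.host_qta.register_container(info_json)
        self.daemons[json.loads(info_json)["container_id"]] = qca_daemon

    def handle_challenge(self, challenge):
        daemon = self.daemons.get(challenge["container_id"])
        if daemon is None:
            raise LookupError("unknown container id")
        return daemon.attest(challenge["nonce"], challenge["ta_uuid"])


def verify_report(report, report_key, nonce, expected_cid):
    """RA Client: check signature first, then freshness and the container binding."""
    payload = report["payload"].encode()
    expected = hmac.new(report_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, report["sig"]):
        return False
    body = json.loads(payload)
    return body["nonce"] == nonce and body["ta_attrs"]["container_id"] == expected_cid
```

Note that container_id_from_cgroup returns an empty string for the cgroup v2 form "0::/", so a caller should treat an empty ID as a failure rather than registering it.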